[pve-devel] [PATCH 0/3] Patch to add forward chain control in pve-firewall

Flavius Bindea flav at flav.com
Sun May 10 23:58:38 CEST 2015


How are you doing that? Creating a group didn't add anything in the
FORWARD chain. And Linux netfilter is forwarding all packets from one
bridge to the other (I am using the host as a "router" for the
bridges).


2015-05-10 17:04 GMT+02:00 Dietmar Maurer <dietmar at proxmox.com>:
>> *guests in vmbr1 are allowed to receive external traffic only on port 80
>> *guests in vmbr2 are allowed to receive only traffic on the mysql
>> port from 10.1.1.0/24
>>
>> set FORWARDING policy to REJECT or DROP
>> add rules:
>> * chain FORWARD from any to 10.1.1.0/24 port tcp/80 accept
>> * chain FORWARD from 10.1.1.0/25 to 10.1.2.0/24 port tcp/3306 accept
>
> Why don't you use a security group for that?
>
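The FORWARD policy sketched in the quoted message, written out as iptables commands. This is an added example, not code from pve-firewall or from either poster; it assumes 10.1.1.0/24 sits behind vmbr1 and 10.1.2.0/24 behind vmbr2, and it adds an ESTABLISHED,RELATED rule the sketch does not list, because with a DROP policy the reply packets of an accepted connection would otherwise never be forwarded.

```shell
#!/bin/sh
# Added example (not pve-firewall code): the quoted FORWARD-chain policy
# as iptables commands. Assumed (not on the page): 10.1.1.0/24 is behind
# vmbr1, 10.1.2.0/24 behind vmbr2, and the host routes between them.

# Emit one iptables command per line. Nothing is applied here, so the
# set can be reviewed or diffed against `iptables-save` before use.
pve_forward_rules() {
    cat <<'EOF'
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -d 10.1.1.0/24 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 10.1.1.0/25 -d 10.1.2.0/24 -p tcp --dport 3306 -j ACCEPT
EOF
}

# Count the ACCEPT rules. A DROP policy with zero ACCEPT rules cuts all
# traffic between the bridges, which is worth catching before applying.
pve_forward_accept_count() {
    pve_forward_rules | grep -c -- '-j ACCEPT'
}

# Apply the rules, one command per line; refuses to run without root.
# The words of each line are split on purpose (no quoting is needed
# for these rules).  `exit 1` leaves the pipeline's subshell, so the
# function returns non-zero on the first iptables failure.
pve_forward_apply() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "need root to change netfilter" >&2
        return 1
    fi
    pve_forward_rules | while IFS= read -r cmd; do
        $cmd || exit 1
    done
}

# Only touch netfilter when explicitly asked: `sh script.sh apply`
if [ "${1:-}" = "apply" ]; then
    pve_forward_apply
else
    pve_forward_rules
fi
```

Without the `apply` argument the script only prints the rule set, so it can be run on any machine to review what would be installed.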
