[pve-devel] [PATCH 0/3] Patch to add forward chain control in pve-firewall

Flavius Bindea flav at flav.com
Mon May 11 08:11:02 CEST 2015


Hello Dietmar,

I'm using a network configuration based on
http://help.ovh.co.uk/Proxmox (need to use SNAT or MASQUERADING, and
ip_forwarding is turned on).

I'll also check the GROUP option and the regression tests.

Regards,
Flav


2015-05-11 6:22 GMT+02:00 Dietmar Maurer <dietmar at proxmox.com>:
>> How are you doing that? Creating a group didn't add anything in the
>> FORWARD chain. And Linux netfilter is forwarding all packets from one
>> bridge to the other (I am using the host as a "router" for the
>> bridges).
>
> The idea is to create a group with all rules you want to apply, for example:
>
> # cat /etc/pve/firewall/cluster.fw
> [group group1]
> IN ACCEPT -dest 10.1.1.0/24 -p tcp -dport 80
>
> Then you can use this group for all VMs on vmbr1:
>
> # cat /etc/pve/firewall/100.fw
> [RULES]
> GROUP group1
>
> The disadvantage is that you need to configure that group rule
> for each VM. Some time ago there was an idea to add mandatory
> groups, so that all VMs automatically apply rules from those groups.
>
> Or is there another reason you want to use the 'FORWARD' chain?
>
>> 2015-05-10 17:04 GMT+02:00 Dietmar Maurer <dietmar at proxmox.com>:
>> >> *guests in vmbr1 are allowed to receive external traffic only on port 80
>> >> *guests in vmbr2 are allowed to receive only traffic on mysql
>> >> port from 10.1.1.0/24
>> >>
>> >> set FORWARDING policy to REJECT or DROP
>> >> add rules:
>> >> * chain FORWARD from any to 10.1.1.0/24 port tcp/80 accept
>> >> * chain FORWARD from 10.1.1.0/25 to 10.1.2.0/24 port tcp/3306 accept
>> >
>> > Why don't you use a security group for that?
>> >
>>
>
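
The per-VM `GROUP` approach quoted above leaves a guest unfiltered by that group if its file omits the rule. The following audit is an added example, not part of the thread or of pve-firewall: it checks guest files against the groups declared in `cluster.fw`. The function names, the `#` comment handling, and the 101/102 sample files are assumptions constructed for illustration.

```python
import re

SECTION = re.compile(r"^\[([^\]]+)\]$")

def _lines(text):
    """Yield stripped lines with '#' comments removed (assumed comment syntax)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def defined_groups(cluster_fw):
    """Names declared as [group NAME] sections in cluster.fw."""
    found = set()
    for line in _lines(cluster_fw):
        m = SECTION.match(line)
        if m and m.group(1).lower().startswith("group "):
            found.add(m.group(1).split(None, 1)[1])
    return found

def used_groups(guest_fw):
    """Groups referenced by 'GROUP <name>' lines inside the [RULES] section."""
    used, section = set(), None
    for line in _lines(guest_fw):
        m = SECTION.match(line)
        if m:
            section = m.group(1).strip().upper()
            continue
        fields = line.split()
        if section == "RULES" and fields[0] == "GROUP" and len(fields) > 1:
            used.add(fields[1])
    return used

def audit(cluster_fw, guests, required):
    """Return {vmid: {'missing': [...], 'undefined': [...]}} for guests with problems."""
    declared = defined_groups(cluster_fw)
    report = {}
    for vmid, text in guests.items():
        used = used_groups(text)
        missing, undefined = sorted(required - used), sorted(used - declared)
        if missing or undefined:
            report[vmid] = {"missing": missing, "undefined": undefined}
    return report

# cluster.fw and 100.fw as shown in the thread; 101 and 102 are constructed samples.
CLUSTER = "[group group1]\nIN ACCEPT -dest 10.1.1.0/24 -p tcp -dport 80\n"
GUESTS = {"100": "[RULES]\nGROUP group1\n",
          "101": "[OPTIONS]\nenable: 1\n[RULES]\nIN ACCEPT -p tcp -dport 22\n",
          "102": "[RULES]\nGROUP group2  # typo for group1\n"}
if __name__ == "__main__":
    print(audit(CLUSTER, GUESTS, required={"group1"}))
```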

