[PVE-User] Conntrack on FORWARD-chain

Mark Schouten mark at tuxis.nl
Thu Jul 6 11:25:09 CEST 2017


We have a cluster with the firewall enabled on cluster- and host-level, not on 

One of the VM's is a firewall which routes traffic for the other VM's. We ran 
into issues because the Proxmox firewall is looking at the FORWARD-chain, and 
dropping ctstate INVALID. That is causing issues, because it feels the routed 
traffic has state invalid.

Everything starts working as soon as I do a `iptables -D PVEFW-FORWARD 1`. Am 
I misinterpreting stuff, doing something wrong, or is this something else?


Kerio Operator in de Cloud? https://www.kerioindecloud.nl/
Mark Schouten  | Tuxis Internet Engineering
KvK: 61527076  | http://www.tuxis.nl/
T: 0318 200208 | info at tuxis.nl

More information about the pve-user mailing list