[PVE-User] Solved: Firewall Filter ICMP types and connection limiting

Bryan Fields Bryan at bryanfields.net
Wed Feb 5 02:35:45 CET 2020 

On 2/1/20 11:47 PM, Bryan Fields wrote:
> greetings,
> I have a policy in iptables for forwared traffic below :
> 
> iptables -t filter -A INPUT -j ACCEPT --in-interface $INET_IF --protocol \
> icmp --icmp-type echo-request --match limit --limit 4/s --limit-burst 3
> 
> iptables -t filter -A INPUT -j log-and-drop --in-interface $INET_IF \
> --protocol icmp --icmp-type echo-request
> 
> I've attempted to set this up in the gui, but there's no option to add the
> ICMP type, only IP type, and nothing for the match option.  If I add this in
> the config file, it's deleted upon the next time I look at it.

I've found the following to be true with Proxmox:

1. The ICMP type can be put as text or numeric in the port field.
     this is undocumented, but it is in the code at:
     /usr/share/perl5/PVE/Firewall.pm

2. ProxMox will respect any filters already loaded in ip/ip6tables.
     This is really nice and props to the guys that coded this.

As an example:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
PVEFW-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
PVEFW-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0

By default Proxmox will jump all traffic input into PVEFW-INPUT, and then
chain it's stuff off there.  When installing/reseting/deleting/etc. Proxmox
managed entries it does it all in it's own chain.  This means we can hook into
it by making our own chain and installing it before it.  As Proxmox will not
mess with this non-managed chain we can do anything we want in it, and so long
as we don't do a drop all, traffic will flow into the Proxmox chains.

What I did was to create a /etc/pve/localfirewall.sh script (is there a better
place to put this?) and call it upon boot from /etc/network/interfaces:

auto vmbr44
iface vmbr44 inet manual
	bridge_ports eth0.41
	bridge_stp off
	bridge_fd 0
	up bash /etc/pve/localfirewall.sh


I've attached my script for reference.

Is there anything I'm missing here about this being a non-good solution?
If not, I'd like to add this on the wiki, how does one go about getting an
account?

Thanks,
-- 
Bryan Fields

727-409-1194 - Voice
http://bryanfields.net

More information about the pve-user mailing list