[PVE-User] Firewall Filter ICMP types and connection limiting
Bryan at bryanfields.net
Sun Feb 2 05:47:12 CET 2020
I'm a user of classical KVM on Linux and have recently started to work with
Proxmox on two nodes in my rack.
I have started to work with the firewall. I normally did a firewall on my
hypervisor using /etc/network/interfaces calling /etc/network/firewall.sh,
which is a bash script of iptables. This would filter both forwarded traffic
and traffic to the Linux hypervisor.
In Proxmox things are a bit different (it's still iptables/ip6tables), and I'm
attempting to use it the Proxmox way by creating a security group and applying
that to the VM and the hypervisor.
I have a policy in iptables for forwarded traffic below:
iptables -t filter -A INPUT -j ACCEPT --in-interface $INET_IF --protocol \
icmp --icmp-type echo-request --match limit --limit 4/s --limit-burst 3
iptables -t filter -A INPUT -j log-and-drop --in-interface $INET_IF \
--protocol icmp --icmp-type echo-request
I've attempted to set this up in the GUI, but there's no option to add the
ICMP type, only the IP type, and nothing for the match option. If I add this in
the config file, it's deleted the next time I look at it.
I'm thinking surely there must be a way to include it, as blocking ICMP
totally will break things.
I've read the wiki and install guide, and can't really find any place to set
this up.
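The rules quoted in the post jump to a `log-and-drop` chain and reference `$INET_IF`, neither of which is shown. As an added example (not the poster's script and not part of Proxmox), the fragment below is the ICMP section of a host firewall script in the same bash/iptables style: it creates the `log-and-drop` chain, rate-limits echo-request exactly as the post does, and also accepts the ICMP error types that path MTU discovery and error reporting rely on, so that ICMP is never blocked wholesale. The variable `IPT` and the functions `make_log_and_drop` and `icmp_rules` are names chosen here; set `IPT=echo` for a dry run that only prints the rules.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: IPT points at the
# iptables binary (IPT=echo prints the rules instead of applying them), and
# the Internet-facing interface is passed as the first argument.
IPT="${IPT:-iptables}"

# The poster's rules jump to a log-and-drop chain; create it here so the
# script stands alone. Logging is itself rate-limited so a flood of dropped
# packets cannot fill syslog.
make_log_and_drop() {
    "$IPT" -t filter -N log-and-drop
    "$IPT" -t filter -A log-and-drop -m limit --limit 10/min --limit-burst 5 \
        -j LOG --log-prefix "FW-DROP: " --log-level 4
    "$IPT" -t filter -A log-and-drop -j DROP
}

# Rate-limit echo-request (default 4/s, burst 3, as in the post) and drop the
# excess via log-and-drop, but keep the ICMP error types that TCP path MTU
# discovery and traceroute-style error reporting depend on.
icmp_rules() {
    inet_if="$1"; rate="${2:-4/s}"; burst="${3:-3}"
    "$IPT" -t filter -A INPUT -i "$inet_if" -p icmp --icmp-type echo-request \
        -m limit --limit "$rate" --limit-burst "$burst" -j ACCEPT
    "$IPT" -t filter -A INPUT -i "$inet_if" -p icmp --icmp-type echo-request \
        -j log-and-drop
    for t in destination-unreachable time-exceeded parameter-problem; do
        "$IPT" -t filter -A INPUT -i "$inet_if" -p icmp --icmp-type "$t" -j ACCEPT
    done
}

# Usage from a firewall.sh: make_log_and_drop; icmp_rules "$INET_IF" 4/s 3
```

Replies to existing connections (including echo-reply to the host's own pings) are expected to be handled by the usual ESTABLISHED,RELATED accept rule earlier in the script, which is why none is added here.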