[PVE-User] Firewall Filter ICMP types and connection limiting

Bryan Fields Bryan at bryanfields.net
Sun Feb 2 05:47:12 CET 2020


greetings,

I'm a user of classical KVM on Linux and have recently started to work with
Proxmox on two nodes in my rack.

I have started to work with the firewall and I normally did a firewall on my
hypervisor using /etc/network/interfaces calling /etc/network/firewall.sh
which is a bash script of iptables.  This would filter both forwarded traffic
and traffic to the linux hypervisor.

In proxmox things are a bit different (it's still iptables/ip6tables), and I'm
attempting to use it the proxmox way by creating a security group and applying
that to the VM and the hypervisor.

I have a policy in iptables for forwared traffic below :

iptables -t filter -A INPUT -j ACCEPT --in-interface $INET_IF --protocol \
icmp --icmp-type echo-request --match limit --limit 4/s --limit-burst 3

iptables -t filter -A INPUT -j log-and-drop --in-interface $INET_IF \
--protocol icmp --icmp-type echo-request

I've attempted to set this up in the gui, but there's no option to add the
ICMP type, only IP type, and nothing for the match option.  If I add this in
the config file, it's deleted upon the next time I look at it.

I'm thinking surely there must be a way to include it, as blocking ICMP
totally will break things.

I've read the wiki and install guide, and can't really find any place to set
this up at.

Thanks,
-- 
Bryan Fields

727-409-1194 - Voice
http://bryanfields.net


More information about the pve-user mailing list