On 2/1/20 11:47 PM, Bryan Fields wrote:
> Greetings,
> I have a policy in iptables for forwarded traffic below:
>
> iptables -t filter -A INPUT -j ACCEPT --in-interface $INET_IF --protocol \
>   icmp --icmp-type echo-request --match limit --limit 4/s --limit-burst 3
>
> iptables -t filter -A INPUT -j log-and-drop --in-interface $INET_IF \
>   --protocol icmp --icmp-type echo-request
>
> I've attempted to set this up in the GUI, but there's no option to add the
> ICMP type, only IP type, and nothing for the match option. If I add this in
> the config file, it's deleted upon the next time I look at it.
I've found the following to be true with Proxmox:

1. The ICMP type can be put as text or numeric in the port field. This is
   undocumented, but it is in the code at: /usr/share/perl5/PVE/Firewall.pm

2. Proxmox will respect any filters already loaded in ip/ip6tables. This is
   really nice and props to the guys that coded this. As an example:

   Chain INPUT (policy ACCEPT)
   target         prot opt source               destination
   PVEFW-INPUT    all  --  0.0.0.0/0            0.0.0.0/0

   Chain FORWARD (policy ACCEPT)
   target         prot opt source               destination
   PVEFW-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0

By default Proxmox will jump all input traffic into PVEFW-INPUT, and then chain
its stuff off there. When installing/resetting/deleting/etc. Proxmox-managed
entries, it does it all in its own chain. This means we can hook into it by
making our own chain and installing it before it. As Proxmox will not mess with
this non-managed chain, we can do anything we want in it, and so long as we
don't do a drop all, traffic will flow into the Proxmox chains.

What I did was to create a /etc/pve/localfirewall.sh script (is there a better
place to put this?) and call it upon boot from /etc/network/interfaces:

auto vmbr44
iface vmbr44 inet manual
        bridge_ports eth0.41
        bridge_stp off
        bridge_fd 0
        up bash /etc/pve/localfirewall.sh

I've attached my script for reference. Is there anything I'm missing here about
this being a non-good solution? If not, I'd like to add this to the wiki; how
does one go about getting an account?

Thanks,
-- 
Bryan Fields

727-409-1194 - Voice
http://bryanfields.net
_______________________________________________
pve-user mailing list
pve-user@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user