Proxmox dedicated Port forwarding issue Using Default Drop Chain filter

# 1
Old 07-08-2014

Hi everyone,

Hope all are doing well.

We have a dedicated server installed with Proxmox VE 3.2. My need is to protect the server and allow only specific ports on it, and to forward some ports (22, 80, 443) to the VMs inside the dedicated server; if I access a website hosted inside a VM, I want to reach it from anywhere on the internet. We have only one public IP and only one Ethernet port in the dedicated server, and it was bridged automatically while installing Proxmox.

This is the output of:

# cat /etc/network/interfaces

Code:
# network interface settings
auto lo
iface lo inet loopback

iface eth0 inet manual

iface eth1 inet manual

auto vmbr0
iface vmbr0 inet static
        address  75.2xx.35.1xx
        netmask  255.255.255.0
        gateway  75.2xx.35.1
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0

auto vmbr1
iface vmbr1 inet static
        address  10.0.2.1
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp on
        bridge_fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '10.0.2.0/24' -j SNAT --to-source 75.2xx.35.1xx
        post-down iptables -t nat -D POSTROUTING -s '10.0.2.0/24' -j SNAT --to-source 75.2xx.35.1xx


By default there was only one bridge, vmbr0, created; I additionally created vmbr1 for the virtual machines.

Now I want to protect the Proxmox host using iptables, so I have defined some iptables rules (some copied from googling) and tried them, but it is not done yet.

These are the iptables rules I'm using now:

Code:
#### Flush all rules and delete all user-defined chains

iptables -F
iptables -X
iptables -t nat -F
iptables -t mangle -F
iptables -t nat -X
iptables -t mangle -X

#### Default filter

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables --append INPUT -t filter -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables --append FORWARD -t filter -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables --append OUTPUT -t filter -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

##### Null packets (no TCP flags set) are recon packets used to probe how the host is configured

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

#### Drop new TCP connections that do not start with SYN (stray packets / syn-flood noise)

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

#### XMAS packets, also a recon packet

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

#### Loopback allows all.

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#### Bridges: allow established/related, drop invalid

iptables -A INPUT -i vmbr+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i vmbr+ -m state --state INVALID -j DROP

# Allow all Outgoing connection

iptables -A OUTPUT -j ACCEPT

# Allow TCP on port 22 (SSH) with rate limiting: more than 5 new connections
# from one source within 10 s are dropped. The -I rules are inserted at the top
# of INPUT, so the hitcount check ends up before the --set that records the source.
# Replies from sshd leave with source port 22, so the OUTPUT rule matches --sport.

iptables -A INPUT -i vmbr+ -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o vmbr+ -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT -i vmbr+ -p tcp -m state --state NEW -m tcp --dport 22 -m recent --name ssh --set
iptables -I INPUT -i vmbr+ -p tcp -m state --state NEW -m tcp --dport 22 -m recent --name ssh --update --seconds 10 --hitcount 5 -j DROP

# Allow ping (ICMP echo) with rate limiting. The --update/--hitcount rule only
# fires for sources that were recorded with --set, so both rules are needed.

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -I INPUT -p icmp -m icmp --icmp-type echo-request -m recent --name icmp --set
iptables -I INPUT -p icmp -m icmp --icmp-type echo-request -m recent --name icmp --update --seconds 10 --hitcount 10 -j DROP

# Allow VNC ports (Proxmox console)

iptables -A INPUT -i vmbr+ -p tcp --dport 5900:5999 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o vmbr+ -p tcp --sport 5900:5999 -m state --state ESTABLISHED -j ACCEPT

# Allow web UI for Proxmox (pveproxy listens on 8006 by default, not 8600)

iptables -A INPUT -i vmbr+ -p tcp --dport 8006 -j ACCEPT
iptables -A OUTPUT -o vmbr+ -p tcp --sport 8006 -j ACCEPT

# Allow inbound HTTP on port 80 and outgoing HTTP/HTTPS from the host, with
# rate limiting on new inbound 80/443 connections (20 per 5 s per source)

iptables -A INPUT -i vmbr+ -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o vmbr+ -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o vmbr+ -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT -i vmbr+ -p tcp --dport 80 -m state --state NEW -m recent --name http --set
iptables -I INPUT -i vmbr+ -p tcp --dport 80 -m state --state NEW -m recent --name http --update --seconds 5 --hitcount 20 -j DROP
iptables -I INPUT -i vmbr+ -p tcp --dport 443 -m state --state NEW -m recent --name https --set
iptables -I INPUT -i vmbr+ -p tcp --dport 443 -m state --state NEW -m recent --name https --update --seconds 5 --hitcount 20 -j DROP


# Port Forwarding from Host to VM's


iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -o vmbr0 -j MASQUERADE
iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 10022 -j DNAT --to-destination 10.0.2.2:22
iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.2.2:80
iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.2.2:443


# Enabling Logging


iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -m limit --limit 10/min -j LOG --log-prefix "IPTables-log:" --log-level 4
iptables -A LOGGING -j DROP

# DROP ALL Except Above Rules

iptables -A INPUT -j DROP


Are these the right rules? Please guide me to get this fixed.


Here is the output of ifconfig:


Code:
eth0      Link encap:Ethernet  HWaddr 7d:c4:7b:09:5f:de
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:252514 errors:0 dropped:0 overruns:0 frame:0
          TX packets:77764 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:244788646 (233.4 MiB)  TX bytes:40324395 (38.4 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1706 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1706 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:208190 (203.3 KiB)  TX bytes:208190 (203.3 KiB)

tap100i0  Link encap:Ethernet  HWaddr f2:da:h6:bb:58:c6
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:4973 errors:0 dropped:0 overruns:0 frame:0
          TX packets:70594 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:384876 (375.8 KiB)  TX bytes:103587288 (98.7 MiB)

tap101i0  Link encap:Ethernet  HWaddr h6:a3:b3:6c:54:25
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:6443 errors:0 dropped:0 overruns:0 frame:0
          TX packets:88804 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:466995 (456.0 KiB)  TX bytes:131397192 (125.3 MiB)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

vmbr0     Link encap:Ethernet  HWaddr ec:c4:7a:33:5f:ce
          inet addr:75.2xx.35.1xx  Bcast:62.210.72.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:135233 errors:0 dropped:0 overruns:0 frame:0
          TX packets:69678 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:235090505 (224.1 MiB)  TX bytes:39886983 (38.0 MiB)

vmbr1     Link encap:Ethernet  HWaddr d2:db:de:aa:58:c6
          inet addr:10.0.2.1  Bcast:10.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11400 errors:0 dropped:0 overruns:0 frame:0
          TX packets:155633 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:690831 (674.6 KiB)  TX bytes:234786750 (223.9 MiB)

Without using any other iptables rules, if I use only the rules below I can access the web browser of the Ubuntu VM inside the Proxmox host, but when trying to SSH I can't.

Code:
# Port Forwarding from Host to VM's

iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -o vmbr0 -j MASQUERADE
iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 10022 -j DNAT --to-destination 10.0.2.2:22
iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.2.2:80
iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.2.2:443


My need is to port forward from the Proxmox host to every VM in it; whether I'm accessing SSH or any website, I want to access it from anywhere on the internet.

Thank you.
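The following is an added example, not the poster's script or anything from this thread: a default-deny ruleset for the layout described above (public bridge vmbr0, VM bridge vmbr1 on 10.0.2.0/24, one VM at 10.0.2.2, values taken from the post as assumptions) that also forwards 10022/80/443 to the VM. The detail that matters for the forwarding problem is that DNAT in PREROUTING only rewrites the destination; the rewritten packet then traverses FORWARD, whose policy is DROP, and the original ruleset never accepts NEW connections there. The script runs iptables only when invoked with `apply`; with `show` or `DRY_RUN=1` it prints the rules instead, which is how the helper at the bottom counts the forward rules.

```shell
#!/bin/sh
# Added example (not the original poster's script). Assumed values from the post:
WAN_IF=vmbr0            # bridge holding the public IP
VM_BR=vmbr1             # internal bridge for the VMs
VM_NET=10.0.2.0/24
VM_IP=10.0.2.2          # VM that receives the published ports
PVE_UI_PORT=8006        # Proxmox VE web UI (the post used 8600, not the default)

# ipt: run iptables, or print the command when DRY_RUN is set (for review/tests)
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then echo "iptables $*"; else iptables "$@"; fi
}

build_rules() {
    # Flush first so re-running the script is idempotent
    ipt -F; ipt -X; ipt -t nat -F; ipt -t nat -X; ipt -t mangle -F; ipt -t mangle -X

    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # Loopback and already-tracked flows in all three chains
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Malformed TCP: NULL, XMAS, and NEW without SYN
    ipt -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    ipt -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

    # Host services: SSH (5 new/10 s per source), web UI, ICMP echo (10/10 s)
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m recent --name ssh --update --seconds 10 --hitcount 5 -j DROP
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m recent --name ssh --set -j ACCEPT
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport "$PVE_UI_PORT" -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request \
        -m recent --name ping --update --seconds 10 --hitcount 10 -j DROP
    ipt -A INPUT -p icmp --icmp-type echo-request -m recent --name ping --set -j ACCEPT

    # VMs may reach the host (DNS etc.); the host may make outbound connections
    ipt -A INPUT -i "$VM_BR" -s "$VM_NET" -j ACCEPT
    ipt -A OUTPUT -j ACCEPT

    # NAT: publish 10022/80/443 on the public IP, masquerade the VMs' outbound traffic
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 10022 -j DNAT --to-destination "$VM_IP:22"
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$VM_IP:80"
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 443 -j DNAT --to-destination "$VM_IP:443"
    ipt -t nat -A POSTROUTING -s "$VM_NET" -o "$WAN_IF" -j MASQUERADE

    # What the original ruleset lacks: FORWARD sees the packet AFTER DNAT, so
    # accept exactly the rewritten flows (by their post-DNAT destination) and the
    # VMs' own outbound traffic. Everything else in FORWARD is logged and dropped.
    for p in 22 80 443; do
        ipt -A FORWARD -i "$WAN_IF" -o "$VM_BR" -p tcp -d "$VM_IP" --dport "$p" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    ipt -A FORWARD -i "$VM_BR" -o "$WAN_IF" -s "$VM_NET" -j ACCEPT

    ipt -N LOGGING
    ipt -A INPUT -j LOGGING
    ipt -A FORWARD -j LOGGING
    ipt -A LOGGING -m limit --limit 10/min -j LOG --log-prefix "IPTables-log:" --log-level 4
    ipt -A LOGGING -j DROP
}

# forward_accepts_to_vm: how many FORWARD ACCEPT rules target the VM in a dry run
forward_accepts_to_vm() {
    ( DRY_RUN=1; build_rules ) | grep -c -- "-A FORWARD .*-d $VM_IP .*-j ACCEPT"
}

case "${1:-}" in
    apply) sysctl -w net.ipv4.ip_forward=1 >/dev/null; build_rules ;;
    show)  DRY_RUN=1; build_rules ;;
esac
```

Two notes on using it with the configuration in the post: the MASQUERADE rule duplicates the SNAT that `/etc/network/interfaces` already adds in `post-up` for vmbr1, so keep only one of them; and once port 80/443 are DNATed to the VM, an INPUT rule for those ports on the host never matches, so it can be dropped from the host's rules.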