[PVE-User] About PVE-Firewall and WebGUI access
Hector Suarez Planas
hector.suarez at codesa.co.cu
Mon Nov 16 22:49:42 CET 2015
...
El 16/11/2015 a las 04:16 PM, Christian Kivalo escribió:
>
> Am 16. November 2015 22:06:02 MEZ, schrieb Hector Suarez Planas <hector.suarez at codesa.co.cu>:
>> ...
>>
>> El 16/11/2015 a las 03:10 PM, Dietmar Maurer escribió:
>>
>>>> I did a test with the PC with IP address 172.16.1.254 and I reached
>> the
>>>> WebGUI of Proxmox VE without problems.It is assumed that the
>> firewall
>>>> should not allow access because the origin of the connection not
>> part
>>>> from the IP address 172.16.1.6 neither172.16.1.7. :-(
>>>>
>>> Access form local network is enabled by default.
>> Thanks for the reply, Dietmar. It may be that if you have an
>> infrastructure of subnets (VLANs) controlled by routers and firewall
>> appliances, but if not, if I have only one subnet, anyone could reach
>> the WebGUI interface Proxmox, which should not be. :-(
> Why not put that rule to the input chain of the host system?
>
> Set the default policy oft the input chain to drop and then add a rule Luke e.g.
> iptables -A INPUT -p tcp --dport 8006 -j ACCEPT ?
If I do that, I can interfere with the rules that generates
PVE-Firewall. :-(
This is the output of iptables_save command:
# Generated by iptables-save v1.4.21 on Mon Nov 16 14:28:55 2015
*filter
:INPUT ACCEPT [5:256]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10:770]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-smurflog - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
-A INPUT -j PVEFW-INPUT
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -j PVEFW-OUTPUT
-A PVEFW-Drop -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:zfGV4KTPaxGVOCwRUVqqqbR0IhM"
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
-A PVEFW-DropBroadcast -m comment --comment
"PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j
PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j
PVEFW-FWBR-OUT
-A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -p tcp -j PVEFW-tcpflags
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:Ka4S8B0HM4A1RRtoso/euMz41l8"
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:2jmj7l5rSw0yVb/vlWAYkK/YBwk"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p tcp -j PVEFW-tcpflags
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -s 172.16.1.7/32 -i vmbr0 -p icmp -m set --match-set
PVEFW-593D5022 dst -m icmp --icmp-type 8 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m
tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m
tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m
tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m
tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -s 172.16.1.0/24 -d 172.16.1.0/24 -p udp -m udp --dport
5404:5405 -j RETURN
-A PVEFW-HOST-IN -s 172.16.1.0/24 -p udp -m addrtype --dst-type
MULTICAST -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -j NFLOG --nflog-prefix ":0:7:PVEFW-HOST-IN: policy
DROP: "
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -m comment --comment "PVESIG:z0hlPDjaKhdTgRE/FDPpNIkEmj0"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -d 172.16.1.0/24 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d 172.16.1.0/24 -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d 172.16.1.0/24 -p tcp -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d 172.16.1.0/24 -p tcp -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -d 172.16.1.0/24 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -p udp -m addrtype --dst-type MULTICAST -m udp --dport
5404:5405 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:kTdDZdDG5BqtXBNA5QhTxUXpO8s"
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -m comment --comment "PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0"
-A PVEFW-Reject -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:3gYHaSHlZx5luiKyM0oCsTVaXi4"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x1/0xffffffff
-A PVEFW-SET-ACCEPT-MARK -m comment --comment
"PVESIG:+w0L1XZmxcTeIy7fBeEAzPUQMiY"
-A PVEFW-logflags -j NFLOG --nflog-prefix ":0:7:PVEFW-logflags: DROP: "
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:M6AZ5liyPd5yBMzJkVe2pC3g4C8"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:KM/fOv4KvGn8XvMqxoiRCdvlji8"
-A PVEFW-smurflog -j NFLOG --nflog-prefix ":0:7:PVEFW-smurflog: DROP: "
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:d9YbmH6rFEMMIfhSj79mnIalVtg"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE
-g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g
PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g
PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK
SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
COMMIT
# Completed on Mon Nov 16 14:28:55 2015
And the output of iptables -L command:
Chain INPUT (policy ACCEPT)
target prot opt source destination
PVEFW-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
PVEFW-FORWARD all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PVEFW-OUTPUT all -- anywhere anywhere
Chain PVEFW-Drop (1 references)
target prot opt source destination
PVEFW-reject tcp -- anywhere anywhere tcp
dpt:whois
PVEFW-DropBroadcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp
fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp
time-exceeded
DROP all -- anywhere anywhere ctstate INVALID
DROP udp -- anywhere anywhere multiport dports
loc-srv,microsoft-ds
DROP udp -- anywhere anywhere udp
dpts:netbios-ns:netbios-ssn
DROP udp -- anywhere anywhere udp
spt:netbios-ns dpts:1024:65535
DROP tcp -- anywhere anywhere multiport dports
loc-srv,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere udp dpt:1900
DROP tcp -- anywhere anywhere tcp
flags:!FIN,SYN,RST,ACK/SYN
DROP udp -- anywhere anywhere udp spt:domain
all -- anywhere anywhere /*
PVESIG:zfGV4KTPaxGVOCwRUVqqqbR0IhM */
Chain PVEFW-DropBroadcast (2 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match
dst-type BROADCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type MULTICAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type ANYCAST
DROP all -- anywhere 224.0.0.0/4
all -- anywhere anywhere /*
PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w */
Chain PVEFW-FORWARD (1 references)
target prot opt source destination
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
PVEFW-FWBR-IN all -- anywhere anywhere PHYSDEV match
--physdev-in fwln+ --physdev-is-bridged
PVEFW-FWBR-OUT all -- anywhere anywhere PHYSDEV match
--physdev-out fwln+ --physdev-is-bridged
all -- anywhere anywhere /*
PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw */
Chain PVEFW-FWBR-IN (1 references)
target prot opt source destination
PVEFW-smurfs all -- anywhere anywhere ctstate INVALID,NEW
PVEFW-tcpflags tcp -- anywhere anywhere
all -- anywhere anywhere /*
PVESIG:Ka4S8B0HM4A1RRtoso/euMz41l8 */
Chain PVEFW-FWBR-OUT (1 references)
target prot opt source destination
all -- anywhere anywhere /*
PVESIG:2jmj7l5rSw0yVb/vlWAYkK/YBwk */
Chain PVEFW-HOST-IN (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
PVEFW-smurfs all -- anywhere anywhere ctstate INVALID,NEW
PVEFW-tcpflags tcp -- anywhere anywhere
RETURN igmp -- anywhere anywhere
RETURN icmp -- 172.16.1.7 anywhere match-set
PVEFW-593D5022 dst icmp echo-request
RETURN tcp -- anywhere anywhere match-set
PVEFW-0-management-v4 src tcp dpt:8006
RETURN tcp -- anywhere anywhere match-set
PVEFW-0-management-v4 src tcp dpts:5900:5999
RETURN tcp -- anywhere anywhere match-set
PVEFW-0-management-v4 src tcp dpt:3128
RETURN tcp -- anywhere anywhere match-set
PVEFW-0-management-v4 src tcp dpt:ssh
RETURN udp -- 172.16.1.0/24 172.16.1.0/24 udp
dpts:5404:5405
RETURN udp -- 172.16.1.0/24 anywhere ADDRTYPE match dst-type
MULTICAST udp dpts:5404:5405
PVEFW-Drop all -- anywhere anywhere
NFLOG all -- anywhere anywhere nflog-prefix
":0:7:PVEFW-HOST-IN: policy DROP: "
DROP all -- anywhere anywhere
all -- anywhere anywhere /*
PVESIG:z0hlPDjaKhdTgRE/FDPpNIkEmj0 */
Chain PVEFW-HOST-OUT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
RETURN igmp -- anywhere anywhere
RETURN tcp -- anywhere 172.16.1.0/24 tcp dpt:8006
RETURN tcp -- anywhere 172.16.1.0/24 tcp dpt:ssh
RETURN tcp -- anywhere 172.16.1.0/24 tcp
dpts:5900:5999
RETURN tcp -- anywhere 172.16.1.0/24 tcp dpt:3128
RETURN udp -- anywhere 172.16.1.0/24 udp
dpts:5404:5405
RETURN udp -- anywhere anywhere ADDRTYPE match
dst-type MULTICAST udp dpts:5404:5405
RETURN all -- anywhere anywhere
all -- anywhere anywhere /*
PVESIG:kTdDZdDG5BqtXBNA5QhTxUXpO8s */
Chain PVEFW-INPUT (1 references)
target prot opt source destination
PVEFW-HOST-IN all -- anywhere anywhere
all -- anywhere anywhere /*
PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk */
Chain PVEFW-OUTPUT (1 references)
target prot opt source destination
PVEFW-HOST-OUT all -- anywhere anywhere
all -- anywhere anywhere /*
PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0 */
Chain PVEFW-Reject (0 references)
target prot opt source destination
PVEFW-reject tcp -- anywhere anywhere tcp
dpt:whois
PVEFW-DropBroadcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp
fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp
time-exceeded
DROP all -- anywhere anywhere ctstate INVALID
PVEFW-reject udp -- anywhere anywhere multiport dports
loc-srv,microsoft-ds
PVEFW-reject udp -- anywhere anywhere udp
dpts:netbios-ns:netbios-ssn
PVEFW-reject udp -- anywhere anywhere udp
spt:netbios-ns dpts:1024:65535
PVEFW-reject tcp -- anywhere anywhere multiport dports
loc-srv,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere udp dpt:1900
DROP tcp -- anywhere anywhere tcp
flags:!FIN,SYN,RST,ACK/SYN
DROP udp -- anywhere anywhere udp spt:domain
all -- anywhere anywhere /*
PVESIG:3gYHaSHlZx5luiKyM0oCsTVaXi4 */
Chain PVEFW-SET-ACCEPT-MARK (0 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK set 0x1
all -- anywhere anywhere /*
PVESIG:+w0L1XZmxcTeIy7fBeEAzPUQMiY */
Chain PVEFW-logflags (5 references)
target prot opt source destination
NFLOG all -- anywhere anywhere nflog-prefix
":0:7:PVEFW-logflags: DROP: "
DROP all -- anywhere anywhere
all -- anywhere anywhere /*
PVESIG:M6AZ5liyPd5yBMzJkVe2pC3g4C8 */
Chain PVEFW-reject (6 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match
dst-type BROADCAST
DROP all -- 224.0.0.0/4 anywhere
DROP icmp -- anywhere anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with
icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with
icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with
icmp-host-prohibited
all -- anywhere anywhere /*
PVESIG:KM/fOv4KvGn8XvMqxoiRCdvlji8 */
Chain PVEFW-smurflog (2 references)
target prot opt source destination
NFLOG all -- anywhere anywhere nflog-prefix
":0:7:PVEFW-smurflog: DROP: "
DROP all -- anywhere anywhere
all -- anywhere anywhere /*
PVESIG:d9YbmH6rFEMMIfhSj79mnIalVtg */
Chain PVEFW-smurfs (2 references)
target prot opt source destination
RETURN all -- default anywhere
PVEFW-smurflog all -- anywhere anywhere [goto] ADDRTYPE
match src-type BROADCAST
PVEFW-smurflog all -- 224.0.0.0/4 anywhere [goto]
all -- anywhere anywhere /*
PVESIG:HssVe5QCBXd5mc9kC88749+7fag */
Chain PVEFW-tcpflags (2 references)
target prot opt source destination
PVEFW-logflags tcp -- anywhere anywhere [goto] tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
PVEFW-logflags tcp -- anywhere anywhere [goto] tcp
flags:FIN,SYN,RST,PSH,ACK,URG/NONE
PVEFW-logflags tcp -- anywhere anywhere [goto] tcp
flags:SYN,RST/SYN,RST
PVEFW-logflags tcp -- anywhere anywhere [goto] tcp
flags:FIN,SYN/FIN,SYN
PVEFW-logflags tcp -- anywhere anywhere [goto] tcp spt:0
flags:FIN,SYN,RST,ACK/SYN
all -- anywhere anywhere /*
PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo */
On the Datacenter ---> Firewall ---> Options I establish DROP as the
Input Policy value and ACCEPT as the Output Policy value.
--
=====================================
Lic. Hector Suarez Planas
Administrador Nodo CODESA
Santiago de Cuba
-------------------------------------
Blog: http://nihilanthlnxc.cubava.cu/
ICQ ID: 681729738
Conferendo ID: hspcuba
=====================================
More information about the pve-user
mailing list