Hi everyone,
Hope all are doing well.
We have a dedicated server installed with Proxmox VE 3.2. My need is: I want to protect my server and allow only specific ports on it, and I want to forward some ports (22, 80, 443) to the VMs inside my dedicated server. If I'm accessing a website hosted inside one of the VMs, I want to be able to reach it from anywhere on the internet. We have only one public IP; there is only one Ethernet port in the dedicated server, and it was bridged automatically while installing Proxmox.
This is the output of
# cat /etc/network/interfaces
# network interface settings
auto lo
iface lo inet loopback
iface eth0 inet manual
iface eth1 inet manual
auto vmbr0
iface vmbr0 inet static
address 75.2xx.35.1xx
netmask 255.255.255.0
gateway 75.2xx.35.1
bridge_ports eth0
bridge_stp off
bridge_fd 0
auto vmbr1
iface vmbr1 inet static
address 10.0.2.1
netmask 255.255.255.0
bridge_ports none
bridge_stp on
bridge_fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '10.0.2.0/24' -j SNAT --to-source 75.2xx.35.1xx
post-down iptables -t nat -D POSTROUTING -s '10.0.2.0/24' -j SNAT --to-source 75.2xx.35.1xx
By default there was only one bridge, vmbr0, created, and I have additionally created vmbr1 for the virtual machines.
Now I want to protect the Proxmox host using iptables, so I have defined some iptables rules myself and copied some others from Googling and tried them, but it isn't working yet.
This is the iptables rule set I'm using now:
#### Flush all and Delete all Chain's
iptables -F
iptables -X
iptables -t nat -F
iptables -t mangle -F
iptables -t nat -X
iptables -t mangle -X
#### Default filter
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables --append INPUT -t filter -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables --append FORWARD -t filter -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables --append OUTPUT -t filter -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
##### Null packets are, simply said, recon packets, used to see how we configured the VPS and find out weaknesses.
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
#### Reject SYN-flood attacks (new connections that do not start with a SYN)
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
#### XMAS packets, also a recon packet
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
#### Loopback allows all.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#### Ethernet allows established/related, except invalid.
iptables -A INPUT -i vmbr+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i vmbr+ -m state --state INVALID -j DROP
# Allow all Outgoing connection
iptables -A OUTPUT -j ACCEPT
# Allow TCP on Port 22 SSH with rate limiting
iptables -A INPUT -i vmbr+ -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o vmbr+ -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT -i vmbr+ -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set
iptables -I INPUT -i vmbr+ -p tcp -m state --state NEW -m tcp --dport 22 -m recent --update --seconds 10 --hitcount 5 -j DROP
# Allow Ping ICMP echo With Limiting
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -I INPUT -p icmp -m icmp --icmp-type echo-request -m recent --update --seconds 10 --hitcount 10 -j DROP
#Allow VNC ports
iptables -A INPUT -i vmbr+ -p tcp --dport 5900:5999 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o vmbr+ -p tcp --dport 5900:5999 -m state --state ESTABLISHED -j ACCEPT
# Allow web UI for Proxmox
iptables -A INPUT -i vmbr+ -p tcp --dport 8600 -j ACCEPT
iptables -A OUTPUT -o vmbr+ -p tcp --dport 8600 -j ACCEPT
# Allow HTTP Requests for NON-secured 80
iptables -A INPUT -i vmbr+ -p tcp --dport 80 -m state --state NEW -m tcp -j ACCEPT
iptables -A OUTPUT -o vmbr+ -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o vmbr+ -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT -i vmbr+ -p tcp --dport 80 -m state --state NEW -m recent --set
iptables -I INPUT -i vmbr+ -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 5 --hitcount 20 -j DROP
iptables -I INPUT -i vmbr+ -p tcp --dport 443 -m state --state NEW -m recent --set
iptables -I INPUT -i vmbr+ -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 5 --hitcount 20 -j DROP
# Port Forwarding from Host to VM's
iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -o vmbr0 -j MASQUERADE
iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 10022 -j DNAT --to-destination 10.0.2.2:22
iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.2.2:80
iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.2.2:443
# Enabling Logging
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -m limit --limit 10/min -j LOG --log-prefix "IPTables-log:" --log-level 4
iptables -A LOGGING -j DROP
# DROP ALL Except Above Rules
iptables -A INPUT -j DROP
Are these the right rules? Please guide me to get this fixed.
Here is the output of ifconfig:
eth0 Link encap:Ethernet HWaddr 7d:c4:7b:09:5f:de
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:252514 errors:0 dropped:0 overruns:0 frame:0
TX packets:77764 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:244788646 (233.4 MiB) TX bytes:40324395 (38.4 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1706 errors:0 dropped:0 overruns:0 frame:0
TX packets:1706 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:208190 (203.3 KiB) TX bytes:208190 (203.3 KiB)
tap100i0 Link encap:Ethernet HWaddr f2:da:h6:bb:58:c6
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:4973 errors:0 dropped:0 overruns:0 frame:0
TX packets:70594 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:384876 (375.8 KiB) TX bytes:103587288 (98.7 MiB)
tap101i0 Link encap:Ethernet HWaddr h6:a3:b3:6c:54:25
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:6443 errors:0 dropped:0 overruns:0 frame:0
TX packets:88804 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:466995 (456.0 KiB) TX bytes:131397192 (125.3 MiB)
venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
vmbr0 Link encap:Ethernet HWaddr ec:c4:7a:33:5f:ce
inet addr:75.2xx.35.1xx Bcast:62.210.72.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:135233 errors:0 dropped:0 overruns:0 frame:0
TX packets:69678 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:235090505 (224.1 MiB) TX bytes:39886983 (38.0 MiB)
vmbr1 Link encap:Ethernet HWaddr d2:db:de:aa:58:c6
inet addr:10.0.2.1 Bcast:10.0.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:11400 errors:0 dropped:0 overruns:0 frame:0
TX packets:155633 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:690831 (674.6 KiB) TX bytes:234786750 (223.9 MiB)
Without using any other iptables rules, if I use only the rules below I can access the website of the Ubuntu VM inside the Proxmox host, but when trying to SSH I can't.
# Port Forwarding from Host to VM's
iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -o vmbr0 -j MASQUERADE
iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 10022 -j DNAT --to-destination 10.0.2.2:22
iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.2.2:80
iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.2.2:443
My need is to port forward from the Proxmox host to every VM in it, so that if I'm accessing SSH or any website I can reach it from anywhere on the internet.
Thank you.
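The script below is an added example of how the setup described in the post is usually laid out; it is not the asker's rule set and not anything shipped by Proxmox. It keeps the post's own values (vmbr0 as the public bridge, vmbr1 with 10.0.2.0/24, the VM at 10.0.2.2, the redacted public IP, and the 10022/80/443 forwards) and adds the piece the posted rules are missing: with the FORWARD policy set to DROP and only ESTABLISHED,RELATED accepted there, a connection that PREROUTING has just DNAT'd to a VM is a NEW connection in FORWARD and is dropped, so each DNAT needs a matching FORWARD accept on the translated destination port. Two things are assumptions, not from the post: 8006 is the port the Proxmox VE web UI normally listens on (the post uses 8600), and `ADMIN_NET` is a placeholder for the address range that host management (SSH, web UI, VNC) should be restricted to. All rules go through `$IPT`, which defaults to `echo`, so running the script prints the rules for review; `IPT=iptables sh pve-fw.sh` applies them.

```shell
#!/bin/sh
# Added example: host firewall plus DNAT for a single-public-IP Proxmox host.
# Values from the post: vmbr0 (public), vmbr1 (10.0.2.0/24), VM 10.0.2.2,
# forwards 10022->22, 80->80, 443->443. Assumptions: 8006 is the PVE web UI
# port; ADMIN_NET is a placeholder admin range (TEST-NET-3) to be replaced.
set -eu

PUB_IP="75.2xx.35.1xx"      # redacted in the post; use the real host address
PUB_IF="vmbr0"
VM_IF="vmbr1"
VM_NET="10.0.2.0/24"
WEB_VM="10.0.2.2"
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"   # placeholder admin source range

# Every rule is issued through $IPT; the default (echo) is a dry run.
IPT="${IPT:-echo}"
rule() { "$IPT" "$@"; }

flush_all() {
  rule -F; rule -X
  rule -t nat -F; rule -t nat -X
  rule -t mangle -F; rule -t mangle -X
}

host_rules() {
  rule -P INPUT DROP
  rule -P FORWARD DROP
  rule -P OUTPUT ACCEPT   # the post ends up accepting all host output anyway

  rule -A INPUT -i lo -j ACCEPT
  rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  rule -A INPUT -m conntrack --ctstate INVALID -j DROP
  # Management services: only from the admin range, only on the public bridge.
  rule -A INPUT -i "$PUB_IF" -s "$ADMIN_NET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
  rule -A INPUT -i "$PUB_IF" -s "$ADMIN_NET" -p tcp --dport 8006 -m conntrack --ctstate NEW -j ACCEPT
  rule -A INPUT -i "$PUB_IF" -s "$ADMIN_NET" -p tcp --dport 5900:5999 -m conntrack --ctstate NEW -j ACCEPT
  # Rate-limited ping, then log what the policy is about to drop.
  rule -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
  rule -A INPUT -m limit --limit 10/min -j LOG --log-prefix "IPT-INPUT-DROP: " --log-level 4
}

forward_rules() {
  # Return traffic for everything below, plus unrestricted VM egress.
  rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  rule -A FORWARD -i "$VM_IF" -o "$PUB_IF" -s "$VM_NET" -j ACCEPT
  # FORWARD sees the packet after DNAT, so match the VM address and the
  # VM-side port (22, not the public 10022).
  for port in 22 80 443; do
    rule -A FORWARD -i "$PUB_IF" -o "$VM_IF" -d "$WEB_VM" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
  done
}

nat_rules() {
  # Static SNAT to the single public address (the post's interfaces file does the same).
  rule -t nat -A POSTROUTING -s "$VM_NET" -o "$PUB_IF" -j SNAT --to-source "$PUB_IP"
  rule -t nat -A PREROUTING -i "$PUB_IF" -p tcp --dport 10022 -j DNAT --to-destination "$WEB_VM:22"
  rule -t nat -A PREROUTING -i "$PUB_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_VM:80"
  rule -t nat -A PREROUTING -i "$PUB_IF" -p tcp --dport 443 -j DNAT --to-destination "$WEB_VM:443"
}

apply_all() { flush_all; host_rules; forward_rules; nat_rules; }

apply_all
```

Host SSH stays on 22 and the VM's SSH is reached on 10022, exactly as in the post; the difference is that the forwarded connections are now explicitly accepted in FORWARD, and host management is no longer open to every source on vmbr+. Keep `/proc/sys/net/ipv4/ip_forward` set to 1 as the posted interfaces file already does, and check the dry-run output before switching `IPT` to `iptables`.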