Proxmox dedicated Port forwarding issue Using Default Drop Chain filter

Hi Everyone,

Hope all are doing well.
We have a dedicated server installed with Proxmox VE 3.2. My need is to protect my server and only allow the specific ports I need on it, and to forward some ports (22, 80, 443) to the VMs inside the dedicated server, so that if I am accessing a website hosted inside a VM I can reach it from anywhere on the internet. We have only one public IP and only one Ethernet port on the dedicated server, and it was bridged automatically while installing Proxmox.

This is the output of:

# cat /etc/network/interfaces

# network interface settings
auto lo
iface lo inet loopback

iface eth0 inet manual

iface eth1 inet manual

auto vmbr0
iface vmbr0 inet static
        address  75.2xx.35.1xx
        netmask  255.255.255.0
        gateway  75.2xx.35.1
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0

auto vmbr1
iface vmbr1 inet static
        address  10.0.2.1
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp on
        bridge_fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '10.0.2.0/24' -j SNAT --to-source 75.2xx.35.1xx
        post-down iptables -t nat -D POSTROUTING -s '10.0.2.0/24' -j SNAT --to-source 75.2xx.35.1xx

By default there was only one bridge, vmbr0, created, and I have additionally created vmbr1 for the virtual machines.

Now I want to protect the Proxmox host using iptables, so I have defined some iptables rules, and some were copied from Googling and tried, but it is not done yet.

These are the iptables rules I am using now:

#### Flush all and delete all chains

iptables -F
iptables -X
iptables -t nat -F
iptables -t mangle -F
iptables -t nat -X
iptables -t mangle -X

#### Default filter

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables --append INPUT -t filter -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables --append FORWARD -t filter -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables --append OUTPUT -t filter -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

##### Null packets are, simply said, recon packets used to see how we configured the VPS and find out weaknesses.

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

#### Reject syn-flood attacks (new connections must start with SYN)

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

#### XMAS packets, also a recon packet

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

#### Loopback allows all.

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#### Ethernet allows established/related Except invalid.

iptables -A INPUT -i vmbr+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i vmbr+ -m state --state INVALID -j DROP

# Allow all Outgoing connection

iptables -A OUTPUT -j ACCEPT

# Allow TCP on Port 22 SSH with rate limiting

iptables -A INPUT -i vmbr+ -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o vmbr+ -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT -i vmbr+ -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set
iptables -I INPUT -i vmbr+ -p tcp -m state --state NEW -m tcp --dport 22 -m recent --update --seconds 10 --hitcount 5 -j DROP

# Allow Ping ICMP echo With Limiting

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -I INPUT -p icmp -m icmp --icmp-type echo-request -m recent --update --seconds 10 --hitcount 10 -j DROP

# Allow VNC ports

iptables -A INPUT -i vmbr+ -p tcp --dport 5900:5999 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o vmbr+ -p tcp --dport 5900:5999 -m state --state ESTABLISHED -j ACCEPT

# Allow web UI for Proxmox

iptables -A INPUT -i vmbr+ -p tcp --dport 8600 -j ACCEPT
iptables -A OUTPUT -o vmbr+ -p tcp --dport 8600 -j ACCEPT

# Allow HTTP Requests for NON-secured 80

iptables -A INPUT -i vmbr+ -p tcp --dport 80 -m state --state NEW -m tcp -j ACCEPT
iptables -A OUTPUT -o vmbr+ -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o vmbr+ -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT -i vmbr+ -p tcp --dport 80 -m state --state NEW -m recent --set
iptables -I INPUT -i vmbr+ -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 5 --hitcount 20 -j DROP
iptables -I INPUT -i vmbr+ -p tcp --dport 443 -m state --state NEW -m recent --set
iptables -I INPUT -i vmbr+ -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 5 --hitcount 20 -j DROP


# Port Forwarding from Host to VM's


iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -o vmbr0 -j MASQUERADE
iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 10022 -j DNAT --to-destination 10.0.2.2:22
iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.2.2:80
iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.2.2:443


# Enabling Logging


iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -m limit --limit 10/min -j LOG --log-prefix "IPTables-log:" --log-level 4
iptables -A LOGGING -j DROP

# DROP ALL Except Above Rules

iptables -A INPUT -j DROP

Are these the right rules that I have used? Please guide me to get this fixed.

Here is the output of ifconfig:

eth0      Link encap:Ethernet  HWaddr 7d:c4:7b:09:5f:de
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:252514 errors:0 dropped:0 overruns:0 frame:0
          TX packets:77764 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:244788646 (233.4 MiB)  TX bytes:40324395 (38.4 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1706 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1706 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:208190 (203.3 KiB)  TX bytes:208190 (203.3 KiB)

tap100i0  Link encap:Ethernet  HWaddr f2:da:h6:bb:58:c6
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:4973 errors:0 dropped:0 overruns:0 frame:0
          TX packets:70594 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:384876 (375.8 KiB)  TX bytes:103587288 (98.7 MiB)

tap101i0  Link encap:Ethernet  HWaddr h6:a3:b3:6c:54:25
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:6443 errors:0 dropped:0 overruns:0 frame:0
          TX packets:88804 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:466995 (456.0 KiB)  TX bytes:131397192 (125.3 MiB)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

vmbr0     Link encap:Ethernet  HWaddr ec:c4:7a:33:5f:ce
          inet addr:75.2xx.35.1xx  Bcast:62.210.72.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:135233 errors:0 dropped:0 overruns:0 frame:0
          TX packets:69678 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:235090505 (224.1 MiB)  TX bytes:39886983 (38.0 MiB)

vmbr1     Link encap:Ethernet  HWaddr d2:db:de:aa:58:c6
          inet addr:10.0.2.1  Bcast:10.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11400 errors:0 dropped:0 overruns:0 frame:0
          TX packets:155633 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:690831 (674.6 KiB)  TX bytes:234786750 (223.9 MiB)

Without using any other iptables rules, if I use only the rules below, I can access the web browser of the Ubuntu VM inside the Proxmox host, but while trying to SSH I can't.

# Port Forwarding from Host to VM's

iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -o vmbr0 -j MASQUERADE
iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 10022 -j DNAT --to-destination 10.0.2.2:22
iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.2.2:80
iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.2.2:443

My need is to port forward from the Proxmox host to every VM in it, so that if I am accessing SSH or any website I can access it from anywhere on the internet.

Thank you.
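The ruleset in the post sets the FORWARD policy to DROP and only accepts ESTABLISHED,RELATED there, so the first packet of a DNAT'd connection (a NEW flow in FORWARD) is dropped and the forwarded ports never reach the VM. The script below is an added example, not code from the original post: it generates the NAT and FORWARD rules for the same 10022/80/443 mapping, printing them for review by default and applying them only when run as root with APPLY=1. The interface names, VM address and port map are assumptions taken from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. It generates (and optionally
# applies) the FORWARD rules the poster's ruleset lacks: with
# "iptables -P FORWARD DROP" and only ESTABLISHED,RELATED accepted, the first
# packet of a DNAT'd connection is a NEW flow in FORWARD and is dropped, so
# forwarded ports 10022/80/443 never reach 10.0.2.2. The values below are
# assumptions matching the post; adjust them to the real setup.
WAN_IF=vmbr0            # bridge holding the public IP
LAN_IF=vmbr1            # private bridge the VMs sit on
VM_NET=10.0.2.0/24
VM_IP=10.0.2.2

# host_port:vm_port pairs, one per line (constructed to match the post).
port_map() {
    printf '%s\n' 10022:22 80:80 443:443
}

# Print the iptables commands instead of running them, so they can be reviewed.
gen_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -P FORWARD DROP"
    # Replies to already accepted flows (both directions); bad packets dropped.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP"
    # VMs may open connections to the Internet; MASQUERADE rewrites the source.
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $VM_NET -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $VM_NET -o $WAN_IF -j MASQUERADE"
    port_map | while IFS=: read -r host_port vm_port; do
        # DNAT runs in PREROUTING, so FORWARD sees the rewritten destination:
        # match on the VM address and VM port, not on the public port.
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $host_port -j DNAT --to-destination $VM_IP:$vm_port"
        echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $VM_IP --dport $vm_port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Helper for checks: how many port forwards the generated set contains.
count_forwards() {
    gen_rules | grep -c -- '-j DNAT'
}

# Review by default; run with APPLY=1 as root to load the rules.
if [ "${APPLY:-0}" = 1 ]; then
    gen_rules | sh -e
else
    gen_rules
fi
```

Load these after the host's own INPUT rules; the Proxmox VE web interface listens on TCP 8006 by default, so check that the host INPUT rule opens the port the GUI actually uses.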