I'm a user of classical KVM on Linux and have recently started to work with
Proxmox on two nodes in my rack.

I have started to work with the firewall and I normally did a firewall on my
hypervisor using /etc/network/interfaces calling /etc/network/
which is a bash script of iptables.  This would filter both forwarded traffic
and traffic to the Linux hypervisor.

In Proxmox things are a bit different (it's still iptables/ip6tables), and I'm
attempting to use it the Proxmox way by creating a security group and applying
that to the VM and the hypervisor.

I have a policy in iptables for forwarded traffic below:

iptables -t filter -A INPUT -j ACCEPT --in-interface $INET_IF --protocol \
icmp --icmp-type echo-request --match limit --limit 4/s --limit-burst 3

iptables -t filter -A INPUT -j log-and-drop --in-interface $INET_IF \
--protocol icmp --icmp-type echo-request

I've attempted to set this up in the GUI, but there's no option to add the
ICMP type, only IP type, and nothing for the match option.  If I add this in
the config file, it's deleted upon the next time I look at it.

I'm thinking surely there must be a way to include it, as blocking ICMP
totally will break things.

I've read the wiki and install guide, and can't really find any place to set
this up at.

Bryan Fields

727-409-1194 - Voice
pve-user mailing list
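
Added example, not part of the original message: a small token-bucket model of how the two rules quoted above interact, showing which echo-requests match "--limit 4/s --limit-burst 3" and which fall through to the log-and-drop rule. The function name simulate_limit and the arrival times are constructed for illustration, and credit is tracked in whole milliseconds, which is an assumption of this model (the kernel uses scaled jiffies).

```shell
#!/bin/sh
# Added example: integer token-bucket model of the iptables "limit" match.
# Assumption: credit is counted in milliseconds; the kernel counts scaled
# jiffies, so sub-millisecond behaviour can differ.

# simulate_limit RATE_PER_SEC BURST ARRIVAL_MS...
# Prints one letter per packet, in arrival order:
#   A = packet matched the limit rule (first rule, ACCEPT)
#   D = packet did not match and fell through (second rule, log-and-drop)
# The body runs in a subshell so its variables do not leak to the caller.
simulate_limit() (
    rate=$1; burst=$2; shift 2
    cost=$(( 1000 / rate ))      # credit one matching packet consumes (ms)
    cap=$(( cost * burst ))      # the bucket never holds more than this
    credit=$cap                  # the bucket starts full
    prev=0
    verdicts=""
    for now in "$@"; do
        # Refill: 1 ms of credit per elapsed ms, capped at the burst size.
        credit=$(( credit + now - prev ))
        if [ "$credit" -gt "$cap" ]; then credit=$cap; fi
        prev=$now
        if [ "$credit" -ge "$cost" ]; then
            credit=$(( credit - cost ))   # only a match spends credit
            verdicts="${verdicts}A"
        else
            verdicts="${verdicts}D"
        fi
    done
    printf '%s\n' "$verdicts"
)

# Constructed sample: ten echo-requests 50 ms apart (a 20 packets/s flood),
# then one more after a 2 s quiet period that refills the bucket.
simulate_limit 4 3 0 50 100 150 200 250 300 350 400 450 2450
```

The first three packets of the flood are accepted from the initial burst, after which only one packet per 250 ms of accumulated credit matches; everything else reaches the second rule.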
