
firewall not working #11

Closed jiangcuo closed 1 year ago

jiangcuo commented 1 year ago

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
PVEFW-INPUT  all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
PVEFW-FORWARD  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
PVEFW-OUTPUT  all  --  anywhere             anywhere            

Chain DOCKER (1 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain PVEFW-Drop (1 references)
target     prot opt source               destination         
PVEFW-DropBroadcast  all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
DROP       all  --  anywhere             anywhere             ctstate INVALID
DROP       udp  --  anywhere             anywhere             multiport dports 135,445
DROP       udp  --  anywhere             anywhere             udp dpts:netbios-ns:139
DROP       udp  --  anywhere             anywhere             udp spt:netbios-ns dpts:1024:65535
DROP       tcp  --  anywhere             anywhere             multiport dports epmap,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere             udp dpt:1900
DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN
DROP       udp  --  anywhere             anywhere             udp spt:domain
           all  --  anywhere             anywhere             /* PVESIG:83WlR/a4wLbmURFqMQT3uJSgIG8 */

Chain PVEFW-DropBroadcast (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type ANYCAST
DROP       all  --  anywhere             base-address.mcast.net/4 
           all  --  anywhere             anywhere             /* PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w */

Chain PVEFW-FORWARD (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
PVEFW-FWBR-IN  all  --  anywhere             anywhere             PHYSDEV match --physdev-in fwln+ --physdev-is-bridged
PVEFW-FWBR-OUT  all  --  anywhere             anywhere             PHYSDEV match --physdev-out fwln+ --physdev-is-bridged
           all  --  anywhere             anywhere             /* PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw */

Chain PVEFW-FWBR-IN (1 references)
target     prot opt source               destination         
PVEFW-smurfs  all  --  anywhere             anywhere             ctstate INVALID,NEW
veth801i0-IN  all  --  anywhere             anywhere             PHYSDEV match --physdev-out veth801i0 --physdev-is-bridged
           all  --  anywhere             anywhere             /* PVESIG:wiWVRhS8/LKvniz+c5HbbSZvh7Q */

Chain PVEFW-FWBR-OUT (1 references)
target     prot opt source               destination         
veth801i0-OUT  all  --  anywhere             anywhere             PHYSDEV match --physdev-in veth801i0 --physdev-is-bridged
           all  --  anywhere             anywhere             /* PVESIG:Rp6VMTxc1JlnbhOFPEexNKRsg2k */

Chain PVEFW-HOST-IN (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
PVEFW-smurfs  all  --  anywhere             anywhere             ctstate INVALID,NEW
RETURN     igmp --  anywhere             anywhere            
RETURN     icmp --  anywhere             anywhere             icmp any
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpt:8006
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpts:5900:5999
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpt:3128
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpt:ssh
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpts:60000:60050
RETURN     udp  --  10.13.14.1           pve2.bingsin.com     udp dpts:5404:5405
RETURN     udp  --  10.13.14.3           pve2.bingsin.com     udp dpts:5404:5405
RETURN     udp  --  10.13.14.4           pve2.bingsin.com     udp dpts:5404:5405
PVEFW-Reject  all  --  anywhere             anywhere            
NFLOG      all  --  anywhere             anywhere             limit: avg 1/sec burst 5 nflog-prefix  ":0:7:PVEFW-HOST-IN: policy REJECT: "
PVEFW-reject  all  --  anywhere             anywhere            [goto] 
           all  --  anywhere             anywhere             /* PVESIG:7qUG7NLALEEQ4kmQyphqfgk3gRU */

Chain PVEFW-HOST-OUT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
RETURN     igmp --  anywhere             anywhere            
RETURN     tcp  --  anywhere             10.13.14.0/24        tcp dpt:8006
RETURN     tcp  --  anywhere             10.13.14.0/24        tcp dpt:ssh
RETURN     tcp  --  anywhere             10.13.14.0/24        tcp dpts:5900:5999
RETURN     tcp  --  anywhere             10.13.14.0/24        tcp dpt:3128
RETURN     udp  --  pve2.bingsin.com     10.13.14.1           udp dpts:5404:5405
RETURN     udp  --  pve2.bingsin.com     10.13.14.3           udp dpts:5404:5405
RETURN     udp  --  pve2.bingsin.com     10.13.14.4           udp dpts:5404:5405
RETURN     all  --  anywhere             anywhere            
           all  --  anywhere             anywhere             /* PVESIG:/ea45QRsMYvZjzNCQQo+8XQ0zn8 */

Chain PVEFW-INPUT (1 references)
target     prot opt source               destination         
PVEFW-HOST-IN  all  --  anywhere             anywhere            
           all  --  anywhere             anywhere             /* PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk */

Chain PVEFW-OUTPUT (1 references)
target     prot opt source               destination         
PVEFW-HOST-OUT  all  --  anywhere             anywhere            
           all  --  anywhere             anywhere             /* PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0 */

Chain PVEFW-Reject (1 references)
target     prot opt source               destination         
PVEFW-DropBroadcast  all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
DROP       all  --  anywhere             anywhere             ctstate INVALID
PVEFW-reject  udp  --  anywhere             anywhere             multiport dports 135,445
PVEFW-reject  udp  --  anywhere             anywhere             udp dpts:netbios-ns:139
PVEFW-reject  udp  --  anywhere             anywhere             udp spt:netbios-ns dpts:1024:65535
PVEFW-reject  tcp  --  anywhere             anywhere             multiport dports epmap,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere             udp dpt:1900
DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN
DROP       udp  --  anywhere             anywhere             udp spt:domain
           all  --  anywhere             anywhere             /* PVESIG:h3DyALVslgH5hutETfixGP08w7c */

Chain PVEFW-SET-ACCEPT-MARK (2 references)
target     prot opt source               destination         
MARK       all  --  anywhere             anywhere             MARK or 0x80000000
           all  --  anywhere             anywhere             /* PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY */

Chain PVEFW-logflags (5 references)
target     prot opt source               destination         
NFLOG      all  --  anywhere             anywhere             limit: avg 1/sec burst 5 nflog-prefix  ":0:7:PVEFW-logflags: DROP: "
DROP       all  --  anywhere             anywhere            
           all  --  anywhere             anywhere             /* PVESIG:HC8CEuX2HT92HaS+8/71UerEnag */

Chain PVEFW-reject (5 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
DROP       all  --  base-address.mcast.net/4  anywhere            
DROP       icmp --  anywhere             anywhere            
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     icmp --  anywhere             anywhere             reject-with icmp-host-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
           all  --  anywhere             anywhere             /* PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc */

Chain PVEFW-smurflog (2 references)
target     prot opt source               destination         
NFLOG      all  --  anywhere             anywhere             limit: avg 1/sec burst 5 nflog-prefix  ":0:7:PVEFW-smurflog: DROP: "
DROP       all  --  anywhere             anywhere            
           all  --  anywhere             anywhere             /* PVESIG:ehR9MsiJdo/7X3yNWp9nxAhhZDA */

Chain PVEFW-smurfs (2 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0              anywhere            
PVEFW-smurflog  all  --  anywhere             anywhere            [goto]  ADDRTYPE match src-type BROADCAST
PVEFW-smurflog  all  --  base-address.mcast.net/4  anywhere            [goto] 
           all  --  anywhere             anywhere             /* PVESIG:HssVe5QCBXd5mc9kC88749+7fag */

Chain PVEFW-tcpflags (0 references)
target     prot opt source               destination         
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:SYN,RST/SYN,RST
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN/FIN,SYN
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp spt:0 flags:FIN,SYN,RST,ACK/SYN
           all  --  anywhere             anywhere             /* PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo */

Chain veth801i0-IN (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ACCEPT     all  --  anywhere             anywhere            
PVEFW-Drop  all  --  anywhere             anywhere            
NFLOG      all  --  anywhere             anywhere             limit: avg 1/sec burst 5 nflog-prefix  ":801:7:veth801i0-IN: policy DROP: "
DROP       all  --  anywhere             anywhere            
           all  --  anywhere             anywhere             /* PVESIG:BsU3g3/Sg6xfqpVBxS+UmZaOBeI */

Chain veth801i0-OUT (1 references)
target     prot opt source               destination         
PVEFW-SET-ACCEPT-MARK  udp  --  anywhere             anywhere            [goto]  udp spt:bootpc dpt:bootps
DROP       all  --  anywhere             anywhere             MAC !ac:bd:ef:67:8d:9b
MARK       all  --  anywhere             anywhere             MARK and 0x7fffffff
PVEFW-SET-ACCEPT-MARK  all  --  anywhere             anywhere            [goto] 
           all  --  anywhere             anywhere             /* PVESIG:7M1pxdAtWpAFV51o2YEJdtdoItI */
jiangcuo commented 1 year ago

pve-firewall compile

root@pve2:~# pve-firewall compile 
ipset cmdlist:
exists PVEFW-0-management-v4 (j8O39qcq8i0yNRpysdeI42h3zNI)
        create PVEFW-0-management-v4 hash:net family inet hashsize 64 maxelem 64 bucketsize 12
        add PVEFW-0-management-v4 10.13.14.0/24
exists PVEFW-0-management-v6 (6g+lzHFoCegXcweHRfBY4vRsbOc)
        create PVEFW-0-management-v6 hash:net family inet6 hashsize 64 maxelem 64 bucketsize 12

iptables cmdlist:
exists PVEFW-Drop (83WlR/a4wLbmURFqMQT3uJSgIG8)
        -A PVEFW-Drop  -j PVEFW-DropBroadcast
        -A PVEFW-Drop -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
        -A PVEFW-Drop -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
        -A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-Drop -p udp --match multiport --dports 135,445 -j DROP
        -A PVEFW-Drop -p udp --dport 137:139 -j DROP
        -A PVEFW-Drop -p udp --sport 137 --dport 1024:65535 -j DROP
        -A PVEFW-Drop -p tcp --match multiport --dports 135,139,445 -j DROP
        -A PVEFW-Drop -p udp --dport 1900 -j DROP
        -A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
        -A PVEFW-Drop -p udp --sport 53 -j DROP
exists PVEFW-DropBroadcast (NyjHNAtFbkH7WGLamPpdVnxHy4w)
        -A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
        -A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
        -A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
        -A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
exists PVEFW-FORWARD (qnNexOcGa+y+jebd4dAUqFSp5nw)
        -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
        -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT
exists PVEFW-FWBR-IN (wiWVRhS8/LKvniz+c5HbbSZvh7Q)
        -A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
        -A PVEFW-FWBR-IN -m physdev --physdev-is-bridged --physdev-out veth801i0 -j veth801i0-IN
exists PVEFW-FWBR-OUT (Rp6VMTxc1JlnbhOFPEexNKRsg2k)
        -A PVEFW-FWBR-OUT -m physdev --physdev-is-bridged --physdev-in veth801i0 -j veth801i0-OUT
exists PVEFW-HOST-IN (7qUG7NLALEEQ4kmQyphqfgk3gRU)
        -A PVEFW-HOST-IN -i lo -j ACCEPT
        -A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
        -A PVEFW-HOST-IN -p igmp -j RETURN
        -A PVEFW-HOST-IN -p icmp -m icmp --icmp-type any -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 8006 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 5900:5999 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 3128 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 22 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 60000:60050 -j RETURN
        -A PVEFW-HOST-IN -d 10.13.14.2 -s 10.13.14.1 -p udp --dport 5404:5405 -j RETURN
        -A PVEFW-HOST-IN -d 10.13.14.2 -s 10.13.14.3 -p udp --dport 5404:5405 -j RETURN
        -A PVEFW-HOST-IN -d 10.13.14.2 -s 10.13.14.4 -p udp --dport 5404:5405 -j RETURN
        -A PVEFW-HOST-IN -j PVEFW-Reject
        -A PVEFW-HOST-IN  -m limit --limit 1/sec -j NFLOG --nflog-prefix ":0:7:PVEFW-HOST-IN: policy REJECT: "
        -A PVEFW-HOST-IN -g PVEFW-reject
exists PVEFW-HOST-OUT (/ea45QRsMYvZjzNCQQo+8XQ0zn8)
        -A PVEFW-HOST-OUT -o lo -j ACCEPT
        -A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A PVEFW-HOST-OUT -p igmp -j RETURN
        -A PVEFW-HOST-OUT -d 10.13.14.0/24 -p tcp --dport 8006 -j RETURN
        -A PVEFW-HOST-OUT -d 10.13.14.0/24 -p tcp --dport 22 -j RETURN
        -A PVEFW-HOST-OUT -d 10.13.14.0/24 -p tcp --dport 5900:5999 -j RETURN
        -A PVEFW-HOST-OUT -d 10.13.14.0/24 -p tcp --dport 3128 -j RETURN
        -A PVEFW-HOST-OUT -s 10.13.14.2 -d 10.13.14.1 -p udp --dport 5404:5405 -j RETURN
        -A PVEFW-HOST-OUT -s 10.13.14.2 -d 10.13.14.3 -p udp --dport 5404:5405 -j RETURN
        -A PVEFW-HOST-OUT -s 10.13.14.2 -d 10.13.14.4 -p udp --dport 5404:5405 -j RETURN
        -A PVEFW-HOST-OUT  -j RETURN
exists PVEFW-INPUT (+5iMmLaxKXynOB/+5xibfx7WhFk)
        -A PVEFW-INPUT -j PVEFW-HOST-IN
exists PVEFW-OUTPUT (LjHoZeSSiWAG3+2ZAyL/xuEehd0)
        -A PVEFW-OUTPUT -j PVEFW-HOST-OUT
exists PVEFW-Reject (h3DyALVslgH5hutETfixGP08w7c)
        -A PVEFW-Reject  -j PVEFW-DropBroadcast
        -A PVEFW-Reject -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
        -A PVEFW-Reject -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
        -A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-Reject -p udp --match multiport --dports 135,445 -j PVEFW-reject
        -A PVEFW-Reject -p udp --dport 137:139 -j PVEFW-reject
        -A PVEFW-Reject -p udp --sport 137 --dport 1024:65535 -j PVEFW-reject
        -A PVEFW-Reject -p tcp --match multiport --dports 135,139,445 -j PVEFW-reject
        -A PVEFW-Reject -p udp --dport 1900 -j DROP
        -A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
        -A PVEFW-Reject -p udp --sport 53 -j DROP
exists PVEFW-SET-ACCEPT-MARK (Hg/OIgIwJChBUcWU8Xnjhdd2jUY)
        -A PVEFW-SET-ACCEPT-MARK  -j MARK --set-mark 0x80000000/0x80000000
exists PVEFW-logflags (HC8CEuX2HT92HaS+8/71UerEnag)
        -A PVEFW-logflags  -m limit --limit 1/sec -j NFLOG --nflog-prefix ":0:7:PVEFW-logflags: DROP: "
        -A PVEFW-logflags  -j DROP
exists PVEFW-reject (Jlkrtle1mDdtxDeI9QaDSL++Npc)
        -A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
        -A PVEFW-reject -s 224.0.0.0/4 -j DROP
        -A PVEFW-reject -p icmp -j DROP
        -A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
        -A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
        -A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
        -A PVEFW-reject  -j REJECT --reject-with icmp-host-prohibited
exists PVEFW-smurflog (ehR9MsiJdo/7X3yNWp9nxAhhZDA)
        -A PVEFW-smurflog  -m limit --limit 1/sec -j NFLOG --nflog-prefix ":0:7:PVEFW-smurflog: DROP: "
        -A PVEFW-smurflog  -j DROP
exists PVEFW-smurfs (HssVe5QCBXd5mc9kC88749+7fag)
        -A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
        -A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
        -A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
exists PVEFW-tcpflags (CMFojwNPqllyqD67NeI5m+bP5mo)
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
exists veth801i0-IN (BsU3g3/Sg6xfqpVBxS+UmZaOBeI)
        -A veth801i0-IN -p udp --sport 67 --dport 68 -j ACCEPT
        -A veth801i0-IN  -j ACCEPT
        -A veth801i0-IN -j PVEFW-Drop
        -A veth801i0-IN  -m limit --limit 1/sec -j NFLOG --nflog-prefix ":801:7:veth801i0-IN: policy DROP: "
        -A veth801i0-IN -j DROP
exists veth801i0-OUT (7M1pxdAtWpAFV51o2YEJdtdoItI)
        -A veth801i0-OUT -p udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
        -A veth801i0-OUT -m mac ! --mac-source AC:BD:EF:67:8D:9B -j DROP
        -A veth801i0-OUT -j MARK --set-mark 0x00000000/0x80000000
        -A veth801i0-OUT  -g PVEFW-SET-ACCEPT-MARK

ip6tables cmdlist:
exists PVEFW-Drop (Jb79Uw7z1vZglIcV7QXA5uY/nbk)
        -A PVEFW-Drop -p tcp --dport 43 -j PVEFW-reject
        -A PVEFW-Drop  -j PVEFW-DropBroadcast
        -A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
        -A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type time-exceeded -j ACCEPT
        -A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type packet-too-big -j ACCEPT
        -A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-Drop -p udp --match multiport --dports 135,445 -j DROP
        -A PVEFW-Drop -p udp --dport 137:139 -j DROP
        -A PVEFW-Drop -p udp --sport 137 --dport 1024:65535 -j DROP
        -A PVEFW-Drop -p tcp --match multiport --dports 135,139,445 -j DROP
        -A PVEFW-Drop -p udp --dport 1900 -j DROP
        -A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
        -A PVEFW-Drop -p udp --sport 53 -j DROP
exists PVEFW-DropBroadcast (8Krk5Nh8pDZOOc7BQAbM6PlyFSU)
        -A PVEFW-DropBroadcast -d ff00::/8 -j DROP
exists PVEFW-FORWARD (qnNexOcGa+y+jebd4dAUqFSp5nw)
        -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
        -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT
exists PVEFW-FWBR-IN (ZUxWDqbMi/uHc6Jwz2SMABCHHUA)
        -A PVEFW-FWBR-IN -m physdev --physdev-is-bridged --physdev-out veth801i0 -j veth801i0-IN
exists PVEFW-FWBR-OUT (Rp6VMTxc1JlnbhOFPEexNKRsg2k)
        -A PVEFW-FWBR-OUT -m physdev --physdev-is-bridged --physdev-in veth801i0 -j veth801i0-OUT
exists PVEFW-HOST-IN (kNDHa3oHu3YIE0QhP8Wmp0ouGdo)
        -A PVEFW-HOST-IN -i lo -j ACCEPT
        -A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A PVEFW-HOST-IN -p icmpv6 --icmpv6-type router-solicitation -j RETURN
        -A PVEFW-HOST-IN -p icmpv6 --icmpv6-type router-advertisement -j RETURN
        -A PVEFW-HOST-IN -p icmpv6 --icmpv6-type neighbor-solicitation -j RETURN
        -A PVEFW-HOST-IN -p icmpv6 --icmpv6-type neighbor-advertisement -j RETURN
        -A PVEFW-HOST-IN -p igmp -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 8006 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 5900:5999 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 3128 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 22 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 60000:60050 -j RETURN
        -A PVEFW-HOST-IN -j PVEFW-Reject
        -A PVEFW-HOST-IN  -m limit --limit 1/sec -j NFLOG --nflog-prefix ":0:7:PVEFW-HOST-IN: policy REJECT: "
        -A PVEFW-HOST-IN -g PVEFW-reject
exists PVEFW-HOST-OUT (br2bPbA9ZjuHOMNhV8tfLRw1mAs)
        -A PVEFW-HOST-OUT -o lo -j ACCEPT
        -A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type router-solicitation -j RETURN
        -A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type neighbor-solicitation -j RETURN
        -A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type neighbor-advertisement -j RETURN
        -A PVEFW-HOST-OUT -p igmp -j RETURN
        -A PVEFW-HOST-OUT  -j RETURN
exists PVEFW-INPUT (+5iMmLaxKXynOB/+5xibfx7WhFk)
        -A PVEFW-INPUT -j PVEFW-HOST-IN
exists PVEFW-OUTPUT (LjHoZeSSiWAG3+2ZAyL/xuEehd0)
        -A PVEFW-OUTPUT -j PVEFW-HOST-OUT
exists PVEFW-Reject (aL1nrxJk/u3XmTb3Am2eaM/3yCM)
        -A PVEFW-Reject -p tcp --dport 43 -j PVEFW-reject
        -A PVEFW-Reject  -j PVEFW-DropBroadcast
        -A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
        -A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type time-exceeded -j ACCEPT
        -A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type packet-too-big -j ACCEPT
        -A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
        -A PVEFW-Reject -p udp --match multiport --dports 135,445 -j PVEFW-reject
        -A PVEFW-Reject -p udp --dport 137:139 -j PVEFW-reject
        -A PVEFW-Reject -p udp --sport 137 --dport 1024:65535 -j PVEFW-reject
        -A PVEFW-Reject -p tcp --match multiport --dports 135,139,445 -j PVEFW-reject
        -A PVEFW-Reject -p udp --dport 1900 -j DROP
        -A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
        -A PVEFW-Reject -p udp --sport 53 -j DROP
exists PVEFW-SET-ACCEPT-MARK (Hg/OIgIwJChBUcWU8Xnjhdd2jUY)
        -A PVEFW-SET-ACCEPT-MARK  -j MARK --set-mark 0x80000000/0x80000000
exists PVEFW-logflags (HC8CEuX2HT92HaS+8/71UerEnag)
        -A PVEFW-logflags  -m limit --limit 1/sec -j NFLOG --nflog-prefix ":0:7:PVEFW-logflags: DROP: "
        -A PVEFW-logflags  -j DROP
exists PVEFW-reject (etEECUYcgUdzuuO+LDP83pu0S8Y)
        -A PVEFW-reject -p icmpv6 -j DROP
        -A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
        -A PVEFW-reject -p udp -j REJECT --reject-with icmp6-port-unreachable
        -A PVEFW-reject  -j REJECT --reject-with icmp6-adm-prohibited
exists PVEFW-tcpflags (CMFojwNPqllyqD67NeI5m+bP5mo)
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
        -A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
exists veth801i0-IN (eylwMreuhYN0bIIU+41u39WF9Ic)
        -A veth801i0-IN -p udp --sport 547 --dport 546 -j ACCEPT
        -A veth801i0-IN -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
        -A veth801i0-IN -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
        -A veth801i0-IN -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
        -A veth801i0-IN -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
        -A veth801i0-IN  -j ACCEPT
        -A veth801i0-IN -j PVEFW-Drop
        -A veth801i0-IN  -m limit --limit 1/sec -j NFLOG --nflog-prefix ":801:7:veth801i0-IN: policy DROP: "
        -A veth801i0-IN -j DROP
exists veth801i0-OUT (fCGi7gkcSjFv08/JlJQ68WwTcNA)
        -A veth801i0-OUT -p udp --sport 546 --dport 547 -g PVEFW-SET-ACCEPT-MARK
        -A veth801i0-OUT -m mac ! --mac-source AC:BD:EF:67:8D:9B -j DROP
        -A veth801i0-OUT -p icmpv6 --icmpv6-type router-advertisement -j DROP
        -A veth801i0-OUT -j MARK --set-mark 0x00000000/0x80000000
        -A veth801i0-OUT -p icmpv6 --icmpv6-type router-solicitation -g PVEFW-SET-ACCEPT-MARK
        -A veth801i0-OUT -p icmpv6 --icmpv6-type neighbor-solicitation -g PVEFW-SET-ACCEPT-MARK
        -A veth801i0-OUT -p icmpv6 --icmpv6-type neighbor-advertisement -g PVEFW-SET-ACCEPT-MARK
        -A veth801i0-OUT  -g PVEFW-SET-ACCEPT-MARK

ebtables cmdlist:
create PVEFW-FORWARD (ULtZ6lqjrD/jAKLY+OZo3BbXs9k)
        -A PVEFW-FORWARD -p IPv4 -j ACCEPT
        -A PVEFW-FORWARD -p IPv6 -j ACCEPT
        -A PVEFW-FORWARD -o fwln+ -j PVEFW-FWBR-OUT
create PVEFW-FWBR-OUT (Oz3wY23V6zPYkpJgslECLMiUJUQ)
        -A PVEFW-FWBR-OUT -i veth801i0 -j veth801i0-OUT
create veth801i0-OUT (AZWuRqAw8jxvVxHB09krHwL4Y1Y)
        -A veth801i0-OUT -s ! ac:bd:ef:67:8d:9b -j DROP
        -A veth801i0-OUT -j ACCEPT

iptables table raw cmdlist:

ip6tables table raw cmdlist:
detected changes
jiangcuo commented 1 year ago

lsmod

root@pve2:~# lsmod
Module                  Size  Used by
bpfilter               16384  0
crct10dif_ce           16384  1
ipmi_devintf           20480  0
ipmi_msghandler        65536  1 ipmi_devintf
cppc_cpufreq           20480  0
zfs                  3035136  6
zunicode              335872  1 zfs
zzstd                 450560  1 zfs
zlua                  159744  1 zfs
zcommon                90112  1 zfs
znvpair               106496  2 zfs,zcommon
zavl                   20480  1 zfs
icp                   237568  1 zfs
spl                   106496  6 zfs,icp,zzstd,znvpair,zcommon,zavl
drm                   557056  0
fuse                  131072  5
dm_mod                131072  7
dax                    36864  1 dm_mod
nvme                   49152  1
nvme_core              94208  2 nvme
jiangcuo commented 1 year ago
root@pve2:~# sysctl -a|grep bridge
net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-filter-pppoe-tagged = 0
net.bridge.bridge-nf-filter-vlan-tagged = 0
net.bridge.bridge-nf-pass-vlan-input-dev = 0
jiangcuo commented 1 year ago
root@pve2:~# pct config 801
arch: arm64
cmode: console
cores: 1
hostname: proxy
memory: 1024
net0: name=eth0,bridge=vmbr0,firewall=1,gw=10.13.14.254,hwaddr=AC:BD:EF:67:8D:9B,ip=10.13.14.11/24,ip6=auto,type=veth
onboot: 1
ostype: ubuntu
rootfs: local:801/vm-801-disk-0.raw,size=5G
swap: 0
jiangcuo commented 1 year ago

action1: apt autoremove docker.io && reboot

result: working. The `iptables -L` output above shows Docker's chains (DOCKER-USER, DOCKER-ISOLATION-STAGE-1, DOCKER and two ACCEPT rules) sitting in FORWARD ahead of PVEFW-FORWARD, so bridged traffic could be accepted before the PVE chains ever saw it; note that `iptables -L` without `-v` hides interface matches, so `iptables -L FORWARD -v -n` is the way to confirm this on a host where Docker must stay installed.