ProxMox

Created: 11 July 2012   09:55
Modified: 12 July 2012   09:41


IPTables on ProxMox


Create directory
mkdir /etc/firewall

Create initialization script (the path must match the one used in "Load rules" below)
vi /etc/firewall/init_ipt.sh
#!/bin/bash
# Primary IPv4 address of the host on the vmbr0 bridge. Abort before touching any
# rule if it cannot be determined: with an empty HOST_IP the "-d $HOST_IP" rule
# below would fail to load and the closing ACCEPT would expose the host.
HOST_IP=$(ip -4 -o addr show dev vmbr0 | awk '{print $4}' | cut -d / -f 1 | head -n 1)
if [ -z "$HOST_IP" ]; then
    echo "cannot determine the host address on vmbr0, rules left untouched" >&2
    exit 1
fi
## INIT
# Flush previous rules, delete user-defined chains and reset counters in every table
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z
# Default policies: anything not explicitly accepted below is dropped
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Drop packets that connection tracking cannot classify
iptables -A INPUT -m state --state INVALID -j DROP
# Stateful rule: replies to connections the host opened, and related traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Enable multicast traffic (needed by the cluster, see the forum threads below)
iptables -A INPUT -m pkttype --pkt-type multicast -j ACCEPT
# Enable ICMP echo request (ping) from anywhere; ICMP errors for existing connections already match RELATED
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Allow all traffic from trusted sources. Keep this rule above the DROP that
# follows, or the trusted network is locked out of the host as well.
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
# Block traffic to the host IP from all other sources
iptables -A INPUT -d "$HOST_IP" -j DROP
## Allow VMs traffic
# Caveat: the INPUT rules below never match packets going to VMs. Routed VM
# traffic, and bridged traffic while br_netfilter is enabled, is evaluated in
# the FORWARD chain (policy DROP above); bridged traffic with br_netfilter
# disabled is not filtered by iptables at all. Per-VM rules belong in FORWARD.
# Allow traffic to specific VMs from specific trusted sources
#iptables -A INPUT -s 10.0.0.1 -d 192.168.0.1 -j ACCEPT
# Allow traffic to specific VMs
#iptables -A INPUT -d 192.168.0.1 -j ACCEPT
# Allow all traffic to all VMs
iptables -A INPUT -j ACCEPT
## END

Load rules
chmod +x /etc/firewall/init_ipt.sh
/etc/firewall/init_ipt.sh

View and test rules
iptables -vnL --line-numbers
Before saving, check from a machine inside the trusted network that SSH to the host still works, and from an address outside it that the host no longer answers.

Save rules
iptables-save > /etc/firewall/iptables.up.rules

Create boot script (restores the file saved above; the path must match the one used in "Save rules")
cat > /etc/network/if-pre-up.d/iptables << "EOF"
#!/bin/bash
/sbin/iptables-restore < /etc/firewall/iptables.up.rules
EOF

chmod +x /etc/network/if-pre-up.d/iptables
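The script above gives INPUT a DROP policy and is normally run over SSH, and the saved file is reloaded unattended at boot, so the one check worth making before either step is whether the ruleset can still lock the administrator out: the trusted-network ACCEPT must come before the "-d $HOST_IP" DROP, and loopback and ESTABLISHED,RELATED must be accepted. The following pre-flight check is an added example, not code from the original page; it reads a file in iptables-save format (the format written to /etc/firewall/iptables.up.rules above). The function names and the rule files used to exercise it are my own constructions, and ADMIN_NET is assumed to be given exactly as iptables-save prints it (for example 192.168.1.0/24).

```shell
#!/bin/bash
# Pre-flight check of a saved ruleset before it is loaded with iptables-restore.
# Added example, not part of the original page; all function names are hypothetical.
# Input: a file in iptables-save format (as written by "iptables-save > FILE").

# Print the *filter table of an iptables-save dump (lines between *filter and COMMIT).
filter_table() {
    awk '/^\*filter/ { f = 1; next } /^COMMIT/ { f = 0 } f' "$1"
}

# Print the INPUT chain policy (ACCEPT or DROP) of the dump.
input_policy() {
    filter_table "$1" | awk '$1 == ":INPUT" { print $2 }'
}

# lockout_check DUMP ADMIN_NET
# Succeeds (exit 0) if a DROP-policy INPUT chain still admits an administrator
# coming from ADMIN_NET, i.e. the chain
#   1. accepts loopback,
#   2. accepts ESTABLISHED,RELATED traffic,
#   3. accepts "-s ADMIN_NET" before the first DROP/REJECT rule other than the
#      INVALID-state drop (later accepts are unreachable for that network).
# Otherwise prints one line per failed condition and exits 1. ADMIN_NET must be
# written exactly as iptables-save prints it (e.g. 192.168.1.0/24).
lockout_check() {
    local dump=$1 net=$2
    # An ACCEPT policy cannot lock anyone out; nothing to check.
    [ "$(input_policy "$dump")" = DROP ] || return 0
    filter_table "$dump" | awk -v net="$net" '
        $1 != "-A" || $2 != "INPUT" { next }   # only rules appended to INPUT
        /-i lo / && /-j ACCEPT/ { lo = 1 }
        /ESTABLISHED,RELATED/ && /-j ACCEPT/ { est = 1 }
        /-j ACCEPT/ && !seen_drop {
            for (i = 1; i <= NF; i++) { if ($i == "-s" && $(i + 1) == net) admin = 1 }
        }
        /-j (DROP|REJECT)/ && !/INVALID/ { seen_drop = 1 }
        END {
            if (!lo)    print "missing: -A INPUT -i lo -j ACCEPT"
            if (!est)   print "missing: ESTABLISHED,RELATED accept"
            if (!admin) print "missing: accept from " net " before first DROP"
            if (lo && est && admin) exit 0
            exit 1
        }'
}

# restore_checked DUMP ADMIN_NET : load DUMP only if the lockout check passes.
# (Needs root and iptables-restore; not exercised by the self-test.)
restore_checked() {
    lockout_check "$1" "$2" || { echo "refusing to load $1" >&2; return 1; }
    iptables-restore < "$1"
}

# Usage: ./lockout_check.sh /etc/firewall/iptables.up.rules 192.168.1.0/24
if [ -n "${1:-}" ]; then
    lockout_check "$1" "${2:-192.168.1.0/24}"
fi
```

Run it against the saved file before the boot script is installed, and again whenever the rules are regenerated; a ruleset in which the host DROP has drifted above the trusted-network ACCEPT is reported as "missing: accept from 192.168.1.0/24 before first DROP" instead of being loaded.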

cman keeps crashing [Archive] - Proxmox Support Forum
Proxmox Cluster and Firewall Configuration









Powered by Parser & MyCMS, Дмитрий Ульянов, 2001-2026 (c)