Discussion:
[PVE-User] pve-firewall and pptp
Pavel Kolchanov
2017-03-02 21:15:13 UTC
Hello.

I have enabled the GRE and PPtP macros in the firewall:

cat /etc/pve/firewall/cluster.fw
[OPTIONS]

policy_in: REJECT
enable: 1

[RULES]

GROUP vpn
GROUP basic-node

[group basic-node]

IN Ping(ACCEPT)
IN ACCEPT -p tcp -dport 8006 # Proxmox Web Interface
IN ACCEPT -p tcp -dport 22444 # SSH

[group vpn]

OUT GRE(ACCEPT)
IN GRE(ACCEPT)
IN PPtP(ACCEPT)

But I still cannot connect to pptpd until I execute the following commands:

iptables -I INPUT -p gre -j ACCEPT
iptables -I OUTPUT -p gre -j ACCEPT

Without these commands syslog tells:
Mar 2 23:44:56 proxmox pppd[7824]: pppd 2.4.6 started by root, uid 0
Mar 2 23:44:56 proxmox pppd[7824]: using channel 16
Mar 2 23:44:56 proxmox pppd[7824]: Using interface ppp0
Mar 2 23:44:56 proxmox pppd[7824]: Connect: ppp0 <--> /dev/pts/1
Mar 2 23:44:56 proxmox pppd[7824]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5aac399d> <pcomp> <accomp>]
Mar 2 23:44:56 proxmox pptpd[7810]: GRE: xmit failed from decaps_hdlc: Operation not permitted
Mar 2 23:44:56 proxmox pptpd[7810]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
Mar 2 23:44:56 proxmox pptpd[7810]: CTRL: Reaping child PPP[7824]
Mar 2 23:44:56 proxmox pppd[7824]: Modem hangup
Mar 2 23:44:56 proxmox pppd[7824]: Connection terminated.

Can PPTP be properly configured via pve-firewall?
Or do those rules make sense only for VMs, not for nodes/cluster?
--
Pavel Kolchanov <***@gmail.com>
Gilberto Nunes
2017-03-03 02:02:58 UTC
Hi
This is from the PVE documentation:

The Proxmox VE firewall groups the network into the following logical zones:

Host: traffic from/to a cluster node
VM: traffic from/to a specific VM

For each zone, you can define firewall rules for incoming and/or outgoing
traffic.
_______________________________________________
pve-user mailing list
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
Dietmar Maurer
2017-03-03 05:22:53 UTC
Post by Pavel Kolchanov
Hello.
cat /etc/pve/firewall/cluster.fw
[OPTIONS]
policy_in: REJECT
enable: 1
[RULES]
GROUP vpn
GROUP basic-node
[group basic-node]
IN Ping(ACCEPT)
IN ACCEPT -p tcp -dport 8006 # Proxmox Web Interface
IN ACCEPT -p tcp -dport 22444 # SSH
[group vpn]
OUT GRE(ACCEPT)
IN GRE(ACCEPT)
IN PPtP(ACCEPT)
iptables -I INPUT -p gre -j ACCEPT
iptables -I OUTPUT -p gre -j ACCEPT
I tested here, and pve-firewall adds similar rules when you use the GRE macro.
Please test with:

# iptables-save | grep gre
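A way to turn that `iptables-save | grep gre` check into something that also catches rule ordering, added here as an example that is not from the thread or from pve-firewall: a POSIX sh function reads an iptables-save dump and reports whether a given chain has an ACCEPT for GRE (IP protocol 47, printed as `-p gre` or `-p 47`) that is reached before any terminating REJECT/DROP in that chain. Both sample dumps are constructed for the example; the chain names on a real node are whatever the grep reports (the assumption here is that pve-firewall keeps host rules in its own PVEFW-* chains).

```shell
#!/bin/sh
# Added example, not code from pve-firewall or from the posters.
# gre_rule_check CHAIN  (reads iptables-save output on stdin)
# Exit 0 if CHAIN holds an ACCEPT rule for GRE that comes before any
# REJECT/DROP in the same chain; exit 1 otherwise.
gre_rule_check() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            n++                                   # position within the chain
            if ($0 ~ /-p (gre|47)( |$)/ && $0 ~ /-j ACCEPT/ && !acc) acc = n
            if ($0 ~ /-j (REJECT|DROP)/ && !rej) rej = n
        }
        END { exit ((acc && (!rej || acc < rej)) ? 0 : 1) }
    '
}

# check_dump CHAIN DUMP: same check on a dump held in a shell variable.
check_dump() {
    printf '%s\n' "$2" | gre_rule_check "$1"
}

# Constructed dump: GRE accepted in both directions ahead of the reject,
# which is what the poster's `iptables -I ... -p gre -j ACCEPT` produces
# (-I inserts at the top of the chain).
GOOD_DUMP='*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p gre -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p gre -j ACCEPT
COMMIT'

# Constructed dump: the GRE rule was appended (-A) after the reject, so it
# is never reached, and OUTPUT has no GRE rule at all. `grep gre` alone
# would still show a hit for INPUT here.
BAD_DUMP='*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p 47 -j ACCEPT
COMMIT'

for chain in INPUT OUTPUT; do
    if check_dump "$chain" "$GOOD_DUMP"; then
        echo "good dump: $chain accepts GRE before any reject"
    else
        echo "good dump: $chain does NOT accept GRE"
    fi
    if check_dump "$chain" "$BAD_DUMP"; then
        echo "bad dump: $chain accepts GRE before any reject"
    else
        echo "bad dump: $chain does NOT accept GRE (missing or after reject)"
    fi
done
```

On a live node run `iptables-save | gre_rule_check CHAIN` with the chain that `iptables-save | grep gre` names; the walk through nested chains (INPUT jumping into a PVEFW-* chain) is left to the operator, since the function only looks at one chain at a time. The ordering test is the point: a GRE ACCEPT that sits below the chain's REJECT is dead, which is exactly what the `-I` in the poster's manual rules avoids.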
