On Wed, 5 Feb 2020 15:57:13 +0100 Oguz Bektas <o.bek...@proxmox.com> wrote:
> apparently sometimes users have problems reaching outside internet with
> some network setups. this is the workaround a user suggested that
> we should add in the wiki.
Thanks for the initiative - that does come up indeed every now and then in
our various support channels (and it usually takes me quite a while to find
the trustworthy forum-post by Alexandre (Thanks!!), which I quote on that ;)

As an optional suggestion: I would try to add some more rationale, as to why
users should put those iptables rules in their firewall - (maybe: due to the
way packets are processed by netfilter and the rules created by
pve-firewall?) - Also the following could be worth linking in the docs (or
mentioning in the commit-message):

[0] https://commons.wikimedia.org/wiki/File:Netfilter-packet-flow.svg
[1] https://lwn.net/Articles/370152/ (patch from 2010 on netdev-list introducing the conntrack zones)
[2] https://blog.lobraun.de/2019/05/19/prox/ (a blog post with a good explanation, by using the TRACE target in the raw table)
[3] https://forum.proxmox.com/threads/firewall-stops-vm-ct-communication-also-have-to-reboot-to-fix.59811/#post-275921 (the forum post I usually quote on those issues)

>
> Signed-off-by: Oguz Bektas <o.bek...@proxmox.com>
> ---
> pve-network.adoc | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/pve-network.adoc b/pve-network.adoc
> index c61cd42..471edb4 100644
> --- a/pve-network.adoc
> +++ b/pve-network.adoc
> @@ -248,6 +248,15 @@ iface vmbr0 inet static > post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eno1 > -j MASQUERADE > ---- > > +NOTE: If you have firewall enabled for your CT/VM and you're having > +connectivity problems with outgoing connections, you can add the following > +lines in the interfaces config: > + > +---- > +post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1 > +post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1 > +---- > + > > Linux Bond > ~~~~~~~~~~ _______________________________________________ pve-devel mailing list pve-devel@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
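Review bot: the added NOTE gives the two rules without saying why they help or where they apply: placed directly after the vmbr0 masquerading example it reads as part of that one setup, yet `-i fwbr+` matches every firewall bridge on the host, and the text only says "connectivity problems with outgoing connections". One sentence on the mechanism (the `CT --zone 1` target puts traffic entering through the fwbr+ bridges into a separate conntrack zone, so it is not confused with the NATed flow on the outgoing interface) plus a link to [1] or [3] from the reply would make the note actionable rather than cargo-cult. Two smaller points: "If you have firewall enabled" should read "If you have the firewall enabled"; and in AsciiDoc a `NOTE:` paragraph ends at the blank line, so the `----` listing that follows is rendered outside the admonition. If the commands are meant to be part of the note, use the block form:

[NOTE]
====
...
====

Also, `post-up iptables -t raw -I ...` inserts unconditionally, so the rule stacks if the stanza is brought up again without the matching post-down; the existing MASQUERADE lines follow the same pattern, so this is consistent with the file, but a `-C ... || -I ...` guard would avoid duplicates.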
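As an added example (not code from the patch, the reply or Proxmox VE), a small Python check that reads `iptables-save` output and reports whether the MASQUERADE rule from the masquerading example and the `fwbr+` conntrack-zone rule from the patch are in place, and whether the zone rule has been stacked more than once by repeated unconditional `-I` inserts. The file name `check_pve_nat_rules.py`, the two sample dumps and the `-C`-guarded repair command are assumptions of this example; the subnet `10.10.10.0/24`, the interface `eno1` and zone `1` are taken from the quoted docs.

```python
"""Check an `iptables-save` dump for the two rules the masquerading section
relies on: the MASQUERADE rule in nat/POSTROUTING and the conntrack-zone rule
for fwbr+ in raw/PREROUTING.

Added example, not code from the patch or from Proxmox VE. The dumps below are
constructed by hand; subnet, outgoing interface and zone number are the ones
from the quoted pve-network.adoc example and are parameters here.
Run on a live host with:  iptables-save | python3 check_pve_nat_rules.py
"""
import shlex
import sys
from typing import Dict, List, Sequence, Tuple

Pair = Tuple[str, str]

# The raw-table rule from the patch, as option/value pairs.
ZONE_RULE: Sequence[Pair] = (("-i", "fwbr+"), ("-j", "CT"), ("--zone", "1"))


def parse_iptables_save(text: str) -> Dict[str, List[List[str]]]:
    """Map table name -> tokenised '-A CHAIN ...' rules.

    iptables-save groups rules under '*table' headers and closes each table
    with 'COMMIT'; ':CHAIN POLICY [pkts:bytes]' lines only declare chains and
    are skipped. Values are shell-quoted in the dump, so shlex splits them."""
    tables: Dict[str, List[List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = line[1:]
            tables.setdefault(current, [])
        elif line == "COMMIT":
            current = None
        elif line.startswith("-A ") and current is not None:
            tables[current].append(shlex.split(line))
    return tables


def count_rule(tables: Dict[str, List[List[str]]], table: str, chain: str,
               pairs: Sequence[Pair]) -> int:
    """Count rules in table/chain that contain every 'option value' pair.

    Matching on option pairs instead of the whole line keeps the check robust
    to extra matches (e.g. a comment) and to the order iptables-save prints."""
    hits = 0
    for tokens in tables.get(table, []):
        if len(tokens) < 2 or tokens[1] != chain:
            continue
        if all(any(tokens[i] == opt and tokens[i + 1] == val
                   for i in range(len(tokens) - 1)) for opt, val in pairs):
            hits += 1
    return hits


def check_nat_setup(dump: str, subnet: str = "10.10.10.0/24",
                    out_iface: str = "eno1") -> Dict[str, object]:
    """Return rule counts plus the iptables commands needed to repair gaps.

    A zone count above 1 means `post-up ... -I` has stacked duplicates (it
    inserts unconditionally); the repair command therefore guards the insert
    with `-C`, which exits non-zero only when the rule is absent."""
    tables = parse_iptables_save(dump)
    masq = (("-s", subnet), ("-o", out_iface), ("-j", "MASQUERADE"))
    masq_count = count_rule(tables, "nat", "POSTROUTING", masq)
    zone_count = count_rule(tables, "raw", "PREROUTING", ZONE_RULE)
    fixes: List[str] = []
    if masq_count == 0:
        fixes.append(f"iptables -t nat -A POSTROUTING -s '{subnet}' "
                     f"-o {out_iface} -j MASQUERADE")
    if zone_count == 0:
        fixes.append("iptables -t raw -C PREROUTING -i fwbr+ -j CT --zone 1 || "
                     "iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1")
    return {"masquerade": masq_count, "ct_zone": zone_count, "fixes": fixes}


# Constructed dump: both rules present, but the zone rule was inserted twice.
DUMP_DUPLICATED = """\
# Generated by iptables-save (constructed sample)
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i fwbr+ -j CT --zone 1
-A PREROUTING -i fwbr+ -j CT --zone 1
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o eno1 -j MASQUERADE
COMMIT
"""

# Constructed dump: masquerading set up as in the docs, zone rule missing.
DUMP_MISSING_ZONE = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o eno1 -j MASQUERADE
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
COMMIT
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else DUMP_MISSING_ZONE
    report = check_nat_setup(text)
    print(f"MASQUERADE rules: {report['masquerade']}, "
          f"fwbr+ zone rules: {report['ct_zone']}")
    for cmd in report["fixes"]:
        print("missing, run:", cmd)
    if report["ct_zone"] > 1:
        print("warning: duplicate zone rules; guard the post-up insert with -C")
```

Without input on stdin the script checks the constructed dump that lacks the zone rule and prints the guarded repair command; on a host it takes the live `iptables-save` output. Duplicate zone rules are harmless for traffic but are the visible symptom of an unguarded `post-up -I`, which is why the check reports them.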