[iptables.sh]
#!/bin/sh
# ---------
# VARIABLES
# ---------
## Proxmox bridge holding Public IP
PrxPubVBR="vmbr0"
## Proxmox bridge on VmWanNET (PFSense WAN side)
PrxVmWanVBR="vmbr1"
## Proxmox bridge on PrivNET (PFSense LAN side)
PrxVmPrivVBR="vmbr2"
## Network/Mask of VmWanNET
VmWanNET="10.0.0.0/30"
## Network/Mmask of PrivNET
PrivNET="192.168.9.0/24"
## Network/Mmask of VpnNET
VpnNET="10.2.2.0/24"
## Public IP => Set your own
PublicIP="xx.xx.xx.xx"
## Proxmox IP on the same network than PFSense WAN (VmWanNET)
ProxVmWanIP="10.0.0.1"
## Proxmox IP on the same network than VMs
ProxVmPrivIP="192.168.9.1"
## PFSense IP used by the firewall (inside VM)
PfsVmWanIP="10.0.0.2"
# ---------------------
# CLEAN ALL & DROP IPV6
# ---------------------
### Delete all existing rules.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
### This policy does not handle IPv6 traffic except to drop it.
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
# --------------
# DEFAULT POLICY
# --------------
### Block ALL !
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
# ------
# CHAINS
# ------
### Creating chains
iptables -N TCP
iptables -N UDP
# UDP = ACCEPT / SEND TO THIS CHAIN
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
# TCP = ACCEPT / SEND TO THIS CHAIN
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
# ------------
# GLOBAL RULES
# ------------
# Allow localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Don't break the current/active connections
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow Ping - Comment this to return timeout to ping request
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
# --------------------
# RULES FOR PrxPubVBR
# --------------------
### INPUT RULES
# ---------------
# Allow SSH server
iptables -A TCP -i $PrxPubVBR -d $PublicIP -p tcp --dport 22 -j ACCEPT
# Allow Proxmox WebUI
iptables -A TCP -i $PrxPubVBR -d $PublicIP -p tcp --dport 8006 -j ACCEPT
### OUTPUT RULES
# ---------------
# Allow ping out
iptables -A OUTPUT -p icmp -j ACCEPT
### Allow LAN to access internet
iptables -A OUTPUT -o $PrxPubVBR -s $PfsVmWanIP -d $PublicIP -j ACCEPT
### Proxmox Host as CLIENT
# Allow SSH
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --dport 22 -j ACCEPT
# Allow DNS
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p udp --dport 53 -j ACCEPT
# Allow Whois
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --dport 43 -j ACCEPT
# Allow HTTP/HTTPS
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --dport 443 -j ACCEPT
### Proxmox Host as SERVER
# Allow SSH
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --sport 22 -j ACCEPT
# Allow PROXMOX WebUI
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --sport 8006 -j ACCEPT
### FORWARD RULES
# ----------------
# Allow request forwarding to PFSense WAN interface
iptables -A FORWARD -i $PrxPubVBR -d $PfsVmWanIP -o $PrxVmWanVBR -p tcp -j ACCEPT
iptables -A FORWARD -i $PrxPubVBR -d $PfsVmWanIP -o $PrxVmWanVBR -p udp -j ACCEPT
# Allow request forwarding from LAN
iptables -A FORWARD -i $PrxVmWanVBR -s $VmWanNET -j ACCEPT
### MASQUERADE MANDATORY
# Allow WAN network (PFSense) to use vmbr0 public adress to go out
iptables -t nat -A POSTROUTING -s $VmWanNET -o $PrxPubVBR -j MASQUERADE
### Redirect (NAT) traffic from internet
# All tcp to PFSense WAN except 22, 8006
iptables -A PREROUTING -t nat -i $PrxPubVBR -p tcp --match multiport ! --dports 22,8006 -j DNAT --to $PfsVmWanIP
# All udp to PFSense WAN
iptables -A PREROUTING -t nat -i $PrxPubVBR -p udp -j DNAT --to $PfsVmWanIP
# ----------------------
# RULES FOR PrxVmWanVBR
# ----------------------
### INPUT RULES
# ---------------
# SSH (Server)
iptables -A TCP -i $PrxVmWanVBR -d $ProxVmWanIP -p tcp --dport 22 -j ACCEPT
# Proxmox WebUI (Server)
iptables -A TCP -i $PrxVmWanVBR -d $ProxVmWanIP -p tcp --dport 8006 -j ACCEPT
### OUTPUT RULES
# ---------------
# Allow SSH server
iptables -A OUTPUT -o $PrxVmWanVBR -s $ProxVmWanIP -p tcp --sport 22 -j ACCEPT
# Allow PROXMOX WebUI on Public Interface from Internet
iptables -A OUTPUT -o $PrxVmWanVBR -s $ProxVmWanIP -p tcp --sport 8006 -j ACCEPT
# -----------------------
# RULES FOR PrxVmPrivVBR
# -----------------------
# NO RULES => All blocked !!!
Let me explain why this network architecture (Internet → [vmbr0] → Proxmox Host → [vmbr1] → pfSense WAN → [vmbr2] → Internal Network) is a particularly strong design:
- Defense in Depth
Internet --> [vmbr0/First Defense] -->
Proxmox Host [Basic Filtering] -->
[vmbr1/DMZ-like] -->
pfSense [Deep Filtering] -->
[vmbr2] -->
Internal Network
This creates multiple security layers:
- Layer 1: Proxmox host basic filtering
- Layer 2: Network isolation via bridges
- Layer 3: pfSense advanced filtering
- Layer 4: Internal network segregation
- Failure Domain Isolation:
- If the pfSense VM is compromised:
- Host-level firewall still protects Proxmox
- Other VMs remain protected by bridge isolation
- If Proxmox is attacked:
- Basic ruleset prevents most attacks
- Management interface remains accessible
- pfSense provides secondary containment
- Network Segmentation Benefits:
vmbr0 (Public Bridge):
- Handles raw internet traffic
- Minimal rule set
- Only essential services exposed
vmbr1 (WAN Bridge):
- Creates DMZ-like zone
- Point-to-point connection (/30 subnet)
- Isolated from other networks
vmbr2 (Private Bridge):
- Completely isolated internal network
- No direct internet access
- Protected by both firewalls
- Performance Advantages:
- Traffic flow is optimized:
- Internet traffic hits pfSense directly
- Internal traffic stays internal
- Management traffic is separated
- Reduced overhead through:
- Efficient packet handling
- Minimal bridge hoping
- Clear traffic paths
- Management Benefits:
Proxmox Management Interface:
↑ (directly accessible)
Internet
↓ (filtered)
pfSense Management Interface
↓ (isolated)
Internal Networks
- Direct access to Proxmox management
- Secure access to pfSense interface
- Separated management planes
- Security Features:
- Double NAT capability
- Two independent firewall layers
- Network isolation at multiple points
- Separate broadcast domains
- Independent security policies
- Operational Advantages:
Maintenance scenarios:
- Can update pfSense without losing host access
- Can modify host rules without affecting VM traffic
- Can isolate networks during incidents
- Can troubleshoot layer by layer
- Scalability:
- Easy to add new internal networks
- Can create additional bridges for isolation
- Supports VLAN segmentation
- Allows for network growth
- Recovery Benefits:
If pfSense fails:
↳ Host still accessible
↳ Can rebuild firewall VM
↳ Network isolation maintained
If host rules need reset:
↳ pfSense protection remains
↳ Internal networks unaffected
↳ Can rebuild rules safely
- Advanced Features Support:
- VPN termination at pfSense
- IDS/IPS capabilities
- Traffic monitoring at multiple points
- Policy-based routing options
- Troubleshooting Clarity:
Traffic flow issues:
1. Check host rules (vmbr0)
2. Check bridge connectivity (vmbr1)
3. Check pfSense rules
4. Check internal network (vmbr2)
- Future-Proofing:
- Can add security appliances
- Supports additional VLANs
- Allows for network redesign
- Enables gradual upgrades
This setup is particularly good because it combines security, manageability, and flexibility. It provides multiple layers of protection while maintaining clear traffic flows and easy management access. The separation between host-level security and VM-level security creates a robust environment that’s both secure and maintainable.
The use of distinct bridges (vmbr0, vmbr1, vmbr2) creates clear security boundaries and traffic isolation, while the layered approach ensures that a compromise at one level doesn’t automatically mean a complete system breach. This is enterprise-grade architecture implemented in a virtualized environment.
The setup for internet → [vmbrX] → firewally/router VM → vmbr0 → rest of lan including proxmox.
this script follows @brownmagic suggestion with a clearer structure and updated for the network setup you described, where internet traffic flows through a bridge to a firewall/router VM and then to the LAN including Proxmox.
I’ve rewritten the firewall script with several improvements as per suggestion:
-
Better Organization:
- Clearly separated sections with comments
- Logical grouping of related rules
- Added echo statements for progress tracking
-
Added Safety Features:
set -e to exit on errors- Configuration persistence check
- Clearer variable names
-
Network Flow Updates:
- Adjusted for the specified traffic flow: Internet → Bridge → Firewall VM → LAN
- Separated rules for each network segment
- Maintained security while allowing necessary traffic flow
-
Key Changes:
- Renamed bridges to match your setup
- Added proper forwarding rules between bridges
- Improved NAT configuration
- Added basic security rules
To use this script:
- Edit the variables in the “Network Configuration Variables” section
- Replace
xx.xx.xx.xx with your actual public IP
- Verify the bridge names match your Proxmox configuration
- Make the script executable:
chmod +x script.sh
- Run it as root:
sudo ./script.sh
#!/bin/bash
#########################################
# Proxmox Firewall Configuration Script #
#########################################
# Exit on any error
set -e
# -----------------------------------------
# Network Configuration Variables
# -----------------------------------------
# Bridge Interfaces
WAN_BRIDGE="vmbr1" # Bridge connected to internet
FIREWALL_BRIDGE="vmbr0" # Bridge for firewall/router VM
LAN_BRIDGE="vmbr2" # Bridge for internal network
# Network Definitions
WAN_NET="10.0.0.0/30" # WAN network range
LAN_NET="192.168.9.0/24" # LAN network range
VPN_NET="10.2.2.0/24" # VPN network range (if needed)
# IP Addresses
PUBLIC_IP="xx.xx.xx.xx" # Your public IP
PROX_WAN_IP="10.0.0.1" # Proxmox IP on WAN side
PROX_LAN_IP="192.168.9.1" # Proxmox IP on LAN side
FIREWALL_WAN_IP="10.0.0.2" # Firewall VM WAN IP
# -----------------------------------------
# Cleanup Existing Rules
# -----------------------------------------
echo "Cleaning existing firewall rules..."
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# Drop all IPv6 traffic
echo "Configuring IPv6 policy..."
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
# -----------------------------------------
# Default Policies
# -----------------------------------------
echo "Setting default policies..."
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# -----------------------------------------
# Create Custom Chains
# -----------------------------------------
echo "Creating custom chains..."
iptables -N TCP
iptables -N UDP
# Route new connections to appropriate chains
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
# -----------------------------------------
# Basic System Rules
# -----------------------------------------
echo "Configuring basic system rules..."
# Loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Maintain existing connections
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow ICMP (ping)
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
# -----------------------------------------
# WAN Interface Rules
# -----------------------------------------
echo "Configuring WAN interface rules..."
# Input Rules
iptables -A TCP -i $WAN_BRIDGE -d $PUBLIC_IP -p tcp --dport 22 -j ACCEPT # SSH
iptables -A TCP -i $WAN_BRIDGE -d $PUBLIC_IP -p tcp --dport 8006 -j ACCEPT # Proxmox UI
# Output Rules for Proxmox Services
iptables -A OUTPUT -o $WAN_BRIDGE -s $PUBLIC_IP -p tcp --dport 22 -j ACCEPT # SSH
iptables -A OUTPUT -o $WAN_BRIDGE -s $PUBLIC_IP -p tcp --dport 80 -j ACCEPT # HTTP
iptables -A OUTPUT -o $WAN_BRIDGE -s $PUBLIC_IP -p tcp --dport 443 -j ACCEPT # HTTPS
iptables -A OUTPUT -o $WAN_BRIDGE -s $PUBLIC_IP -p udp --dport 53 -j ACCEPT # DNS
# -----------------------------------------
# Firewall VM Bridge Rules
# -----------------------------------------
echo "Configuring Firewall bridge rules..."
# Forward traffic to Firewall VM
iptables -A FORWARD -i $WAN_BRIDGE -d $FIREWALL_WAN_IP -o $FIREWALL_BRIDGE -p tcp -j ACCEPT
iptables -A FORWARD -i $WAN_BRIDGE -d $FIREWALL_WAN_IP -o $FIREWALL_BRIDGE -p udp -j ACCEPT
# Allow forwarding from LAN
iptables -A FORWARD -i $FIREWALL_BRIDGE -s $WAN_NET -j ACCEPT
# NAT Configuration
iptables -t nat -A POSTROUTING -s $WAN_NET -o $WAN_BRIDGE -j MASQUERADE
# Redirect traffic to Firewall VM (except Proxmox services)
iptables -A PREROUTING -t nat -i $WAN_BRIDGE -p tcp --match multiport ! --dports 22,8006 -j DNAT --to $FIREWALL_WAN_IP
iptables -A PREROUTING -t nat -i $WAN_BRIDGE -p udp -j DNAT --to $FIREWALL_WAN_IP
# -----------------------------------------
# LAN Interface Rules
# -----------------------------------------
echo "Configuring LAN interface rules..."
# Allow established connections from LAN
iptables -A FORWARD -i $LAN_BRIDGE -o $WAN_BRIDGE -j ACCEPT
iptables -A FORWARD -i $LAN_BRIDGE -o $FIREWALL_BRIDGE -j ACCEPT
# -----------------------------------------
# Save Configuration
# -----------------------------------------
echo "Saving firewall configuration..."
if command -v iptables-save >/dev/null 2>&1; then
iptables-save > /etc/iptables/rules.v4
echo "Configuration saved to /etc/iptables/rules.v4"
else
echo "Warning: iptables-save not found. Rules not persisted."
fi
echo "Firewall configuration completed."
