
So I decided to play with EoIP tunnels today on two VMs on which I installed the free trial of RouterOS.

I set rules in iptables on the hypervisor (which is Proxmox) that prevent any input to the VMs except from my PC, but my OUTPUT policy is ACCEPT.

Now I can't ping the VMs from anywhere except my PC, and I can't ping my two VMs (RouterOS) from each other, but the EoIP tunnel works fine and I'm routing packets from one RouterOS to the other.

iptables config on both vms:

iptables -A INPUT -s a.b.c.d -j ACCEPT
iptables -A INPUT -j DROP

(a.b.c.d is the IP of my PC)

What am I doing wrong?

RouterOSs' config:

VM1:

/ip address
#   ADDRESS            NETWORK         INTERFACE                              
0   r.o.s.1/32         m.a.i.n         ether1                                 
1   172.22.22.1/30     172.22.22.0     eoiptunnel

/ip route
#      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
0 A S  0.0.0.0/0                          172.22.22.2               1
1 ADC  m.a.i.n/32         r.o.s.1         ether1                    0
2 ADC  172.22.22.0/30     172.22.22.1     eoiptunnel                0

VM2:

/ip address
#   ADDRESS            NETWORK         INTERFACE                              
0   r.o.s.2/32         m.a.i.n         ether1                                 
1   172.22.22.2/30     172.22.22.0     eoiptunnel

IPs:

r.o.s.1 : Router OS 1
r.o.s.2 : Router OS 2
m.a.i.n : Main Server IP

I monitor traffic on my host server with iptraf, and I saw that the two RouterOSs are seeing each other via another interface. Actually, I realized that for every VM Proxmox creates 4 interfaces, so I assume "some" packets between two VMs that are on the same bridge go through another interface.

I must read the documentation on multiple interfaces created by proxmox upon creating each VM.

Amin Vakil
  • How are you verifying your EOIP connectivity between your RouterOSs, if they cannot ping each other? – Arash Sep 11 '18 at 23:32
  • And it would be helpful to send Proxmox iptables rules. Iptables -L – Arash Sep 11 '18 at 23:33
  • @Arash I'm routing, for example, 4.2.2.4 to go through the second RouterOS over the VPN; when I block outgoing packets to 4.2.2.4, I can't ping 4.2.2.4, so I can verify my VPN is correct. – Amin Vakil Sep 12 '18 at 06:48

1 Answer

Arguably you're doing nothing wrong.

Your iptables rules are blocking traffic into your Proxmox environment, and your two guests are talking to each other across the internal bridge.

The iptables rules won't touch bridge traffic between VMs, and that's by design. (If you routed traffic from one VM to the other via your host, or you tried to ping between a VM and the host, iptables rules would apply.)

roaima
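The answer's point can be checked on the host with a small script, added here and not part of the question or answer: it maps the three frame paths (addressed to the host, routed by the host, bridged VM-to-VM) to the iptables chain that sees them, and shows that the two INPUT rules from the question are never consulted for a bridged frame. The sysctl path and the physdev hint are assumptions about a standard Linux br_netfilter setup, not something the page states.

```shell
#!/bin/sh
# Added example, not from the question or answer: which iptables chain on the
# Proxmox host sees a frame depends on the frame's path, not on the rule set.
#   local   = addressed to the host itself            -> INPUT
#   routed  = host forwards it between two subnets    -> FORWARD
#   bridged = VM tap to VM tap on the same vmbr       -> no chain at all, unless
#             br_netfilter is loaded and net.bridge.bridge-nf-call-iptables=1
#             (assumed standard Linux behaviour), in which case the bridged
#             frame traverses FORWARD and can be matched there with -m physdev
#             (e.g. --physdev-is-bridged).
chain_for() {            # $1 = local|routed|bridged, $2 = bridge-nf-call-iptables value
  case "$1" in
    local)   echo INPUT ;;
    routed)  echo FORWARD ;;
    bridged) if [ "$2" = 1 ]; then echo "FORWARD (physdev)"; else echo none; fi ;;
    *)       echo "unknown path: $1" >&2; return 1 ;;
  esac
}

# Constructed rule set mirroring the two INPUT rules in the question, in iptables-save form.
RULES='-A INPUT -s a.b.c.d/32 -j ACCEPT
-A INPUT -j DROP'

# Print the rules from RULES that a frame on path $1 would actually be checked against.
rules_seen_by() {        # $1 = path, $2 = bridge-nf-call-iptables value
  chain=$(chain_for "$1" "$2") || return 1
  [ "$chain" = none ] && return 0
  printf '%s\n' "$RULES" | awk -v c="${chain%% *}" '$1 == "-A" && $2 == c'
}

# Live value on this host; a missing file means br_netfilter is not loaded (treated as 0).
current_brnf() {
  f=/proc/sys/net/bridge/bridge-nf-call-iptables
  if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

# Summarise, for the current host setting, how many of the question's rules each path meets.
report() {
  brnf=$(current_brnf)
  echo "bridge-nf-call-iptables=$brnf"
  for p in local routed bridged; do
    n=$(rules_seen_by "$p" "$brnf" | wc -l)
    printf '%-8s chain=%-18s rules consulted=%s\n' "$p" "$(chain_for "$p" "$brnf")" "$n"
  done
}
report
```

Run it on the hypervisor; with the sysctl at 0 the bridged row reports no chain and zero rules, which is exactly the VM-to-VM traffic the question's INPUT rules cannot affect.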