The first time I encountered this issue, it went like this: as soon as the Proxmox cluster firewall was enabled, the authentication mechanism of the prokvm cloud management platform failed. The strangest part was that the only way to restore normal operation was to delete the `cluster.fw` file in `/etc/pve/firewall` and reboot the physical server. I ran countless experiments, and packet captures taken on the virtual machine, on the hardware firewall and elsewhere all showed nothing more than the authentication failing.
At the time I put it down to a conflict between the Proxmox firewall and the prokvm authentication mechanism.
The second time, I was told that a virtual machine could not reach the cloud's development library while another physical machine could. My colleague ran a packet capture, but nothing was captured.
Later that evening, when I had time to check for myself, I found that no port 443 traffic could be captured on the hardware firewall. On both the physical host and the virtual machine the outgoing packets were visible, but the returning packets never appeared. So once again I concluded that the problem lay with the Proxmox cluster firewall, and deleting the `cluster.fw` file and rebooting the physical server resolved it.
Enabling the Proxmox firewall's debug mode still gave no useful information.
Later, while reviewing the shell history, I found the following commands:

```sh
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8006
iptables-save > /etc/iptables.up.rules
iptables-save > /etc/iptables.up.rules
echo -e '#!/bin/sh\n/sbin/iptables-restore < /etc/iptables.up.rules' > /etc/network/if-pre-up.d/iptables
chmod +x /etc/network/if-pre-up.d/iptables
```
Reversing these operations:

```sh
rm -f /etc/network/if-pre-up.d/iptables
vi /etc/iptables.up.rules
```

Delete the line:

```
nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8006
```

Restart the Proxmox firewall:

```sh
pve-firewall restart
```
Problem resolved.
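A leftover rule like this is easy to miss, because it only lives in a saved rules file and a hook that silently re-applies it. As an added example (not part of the original post), the script below audits an `iptables-save` dump for nat-table REDIRECT rules and checks for the `/etc/network/if-pre-up.d/iptables` hook from the history above; the rules dump it scans is constructed sample text, not a capture from the affected host.

```sh
#!/bin/sh
# Added example: find nat REDIRECT rules and a persistence hook that would be
# re-applied underneath the Proxmox cluster firewall. SAMPLE_RULES is a
# constructed iptables-save dump containing the rule from the shell history.

SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8006
COMMIT'

# find_port_redirects RULES_TEXT
# Prints "table chain dport->to-ports" for each REDIRECT rule in the nat
# table. Returns 1 when at least one was found, 0 when the dump is clean.
find_port_redirects() {
    printf '%s\n' "$1" | awk '
        /^\*/     { table = substr($0, 2); next }   # "*nat", "*filter", ...
        /^COMMIT/ { table = ""; next }
        table == "nat" && /-j REDIRECT/ {
            chain = "?"; dport = "?"; to = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "-A")         chain = $(i + 1)
                if ($i == "--dport")    dport = $(i + 1)
                if ($i == "--to-ports") to    = $(i + 1)
            }
            printf "%s %s %s->%s\n", table, chain, dport, to
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# check_persisted_hook DIR
# Reports an executable "iptables" hook in DIR (the if-pre-up.d hook from the
# post restores the saved rules on every interface-up event). Returns 1 if found.
check_persisted_hook() {
    if [ -x "$1/iptables" ]; then
        echo "persistent hook: $1/iptables"
        return 1
    fi
    return 0
}

find_port_redirects "$SAMPLE_RULES" || echo "nat REDIRECT rules present; review before enabling pve-firewall"
check_persisted_hook /etc/network/if-pre-up.d || :
```

On a live host, replace the sample with `iptables-save` output (for example `find_port_redirects "$(iptables-save)"`) and run it before enabling the cluster firewall.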