Foreign SSH attempts into DMZ - need a second opinion

I recently looked at the auth logs on my local LXC host, and saw two sets of malicious SSH attempts from a week ago. I already searched whois and feel confident they're bot scans, but here are the IPs in case it matters:

$ lastb
root     ssh:notty    200.94.113.90    Fri Oct 13 04:18 - 04:18  (00:00)
root     ssh:notty    200.94.113.90    Fri Oct 13 04:18 - 04:18  (00:00)
root     ssh:notty    200.94.113.90    Fri Oct 13 04:18 - 04:18  (00:00)
pi       ssh:notty    59.31.115.173    Fri Oct 13 04:10 - 04:10  (00:00)
pi       ssh:notty    59.31.115.173    Fri Oct 13 04:10 - 04:10  (00:00)
pi       ssh:notty    59.31.115.173    Fri Oct 13 04:10 - 04:10  (00:00)
pi       ssh:notty    59.31.115.173    Fri Oct 13 04:10 - 04:10  (00:00)

Thankfully I have fail2ban, strong passwords, and key-only login (just finally disabled root as well) so I'm not super concerned about a breach, but I'm absolutely stumped on how they managed to get the packets forwarded in the first place. The host is not only on its own isolated VLAN with strict firewall rules (DMZ-like), but also runs on a bare-metal Proxmox install with Input set to drop on all of those firewalls as well.

My topology looks like this:

ISP Modem -> OpenWRT Router -> LAN / WLAN (VLAN 5)
                            \
                             -> Proxmox (VLAN 10)
                             |
                             -> LXC Host (VLAN 100)

...and my configs:

# cat /etc/config/network                   

config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'XXXXXXXXXX'

config device
    option name 'br-lan'
    option type 'bridge'
    option ipv6 '0'
    list ports 'eth0.10'
    list ports 'eth0.5'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option netmask '255.255.255.0'
    option ipaddr '10.7.42.1'
    option delegate '0'

config device
    option name 'eth0.2'
    option macaddr 'XX:XX:XX:XX:XX:XX'
    option ipv6 '0'

config interface 'wan'
    option device 'eth0.2'
    option proto 'dhcp'
    option peerdns '0'
    list dns '1.1.1.1'
    list dns '8.8.8.8'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0t 2 4 5'
    option vid '5'
    option description 'LAN'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '0t 1'
    option vid '2'
    option description 'WAN'

config switch_vlan
    option device 'switch0'
    option vlan '3'
    option vid '10'
    option ports '0t 3t'
    option description 'Proxmox'

config switch_vlan
    option device 'switch0'
    option vlan '4'
    option vid '100'
    option description 'LXC'
    option ports '0t 3t'

config device
    option name 'eth0.100'
    option type '8021q'
    option ifname 'eth0'
    option vid '100'
    option ipv6 '0'

config device
    option name 'eth0'
    option ipv6 '0'

config interface 'DMZ'
    option proto 'static'
    option ipaddr '10.10.10.1'
    option netmask '255.255.255.0'
    option device 'br-dmz'
    option delegate '0'

config device
    option type 'bridge'
    option name 'br-dmz'
    option ipv6 '0'
    list ports 'eth0.100'

config device
    option name 'eth0.10'
    option type '8021q'
    option ifname 'eth0'
    option vid '10'
    option ipv6 '0'

config device
    option name 'eth0.5'
    option type '8021q'
    option ifname 'eth0'
    option vid '5'
    option ipv6 '0'

config device
    option name 'wlan0'
    option ipv6 '0'

config device
    option name 'wlan1'
    option ipv6 '0'
# cat /etc/config/firewall

config defaults
    option output 'ACCEPT'
    option synflood_protect '1'
    option input 'ACCEPT'
    option forward 'REJECT'
    option flow_offloading '1'

config zone
    option name 'lan'
    option output 'ACCEPT'
    option input 'ACCEPT'
    option log '1'
    option family 'ipv4'
    list network 'lan'
    option forward 'ACCEPT'

config zone
    option name 'dmz'
    option log '1'
    option family 'ipv4'
    option output 'ACCEPT'
    option forward 'REJECT'
    option input 'REJECT'
    list network 'DMZ'

config zone
    option name 'wan'
    option output 'ACCEPT'
    option mtu_fix '1'
    list network 'wan'
    option masq '1'
    option family 'ipv4'
    option input 'DROP'
    option forward 'DROP'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option family 'ipv4'
    list icmp_type 'echo-request'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'
    option enabled '0'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'
    option enabled '0'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'
    option enabled '0'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'
    option enabled '0'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config rule
    option name 'Support-UDP-Traceroute'
    option src 'wan'
    option dest_port '33434:33689'
    option proto 'udp'
    option family 'ipv4'
    option target 'REJECT'
    option enabled '0'

config include
    option path '/etc/firewall.user'

config forwarding
    option src 'dmz'
    option dest 'wan'

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest_ip '10.10.10.10'
    option src_dport '80'
    option dest_port '80'
    option dest 'dmz'
    list proto 'tcp'
    option name 'WAN-DMZ-HTTP'
    option enabled '0'

config rule
    option src 'dmz'
    option dest_port '53'
    option target 'ACCEPT'
    option name 'DMZ-DNS'
    list dest_ip '10.10.10.1'
    list proto 'tcp'
    list proto 'udp'
    option family 'ipv4'

config rule
    option name 'DMZ-DHCP'
    option src 'dmz'
    option dest_port '67'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'DMZ-Ping'
    list proto 'icmp'
    option src 'dmz'
    option target 'ACCEPT'
    option family 'ipv4'
    list dest_ip '10.10.10.1'

config redirect
    option target 'DNAT'
    option src 'wan'
    option src_dport '443'
    option dest_ip '10.10.10.10
    list proto 'tcp'
    option dest 'dmz'
    option dest_port '443'
    option name 'WAN-DMZ-HTTPS'
    option enabled '0'

config forwarding
    option src 'lan'
    option dest 'dmz'

From as much as I've learned so far, I don't believe these kind of connections should ever reach the DMZ, but I'm obviously wrong. Please let me know if I've missed anything, and I can provide Proxmox configs if necessary. Thanks, and I'm glad to be here making my first post! OpenWRT has been a dream so far <3

EDIT - added private IPs

  • Is there a reason your hiding private IPs?
  • Why do you bridge 2 VLANs together?
  • Why different VIDs?
  • What is the DST IP of the SSH server?
  • Why do your zone rules have an IPv4 family config?
2 Likes

I thought I had seen other people obfuscate similar information here before, but that may have just been MAC addresses now that I think about it - also, I'm a bit paranoid but that was probably not necessary, I'll edit the OP.

I don't recall when I did that, I believe I did it because when I enabled VLANs in LuCI the default eth0.X interfaces were added to the LAN bridge - I may be wrong. How would you normally configure that setup?

I change all configurations through LuCI so I'm not entirely sure. What should they be?

It's IP is 10.10.10.10 in the subnet 10.10.10.0/24.

I disabled all IPv6 functions wherever I saw them, mainly because I don't have the time right now to set up that infrastructure. Those specific configs came from a suggestion on another post, and I just assumed since I'm not handling any IPv6 traffic in/out that safe to choose. Am I wrong in thinking that? I will admit that I still have a lot to learn so I'm absolutely open to any and all suggestions!

1 Like

The problem is that it's not clear why you configured them to be mismatched. Nonetheless, if you made these configs via LuCI, you could have simply left them blank.

Normally, you won't segregate the system/network by VLANs then bridge 2 VLANs together. So again, the problem is it's not clear why you create two VLANs, then proceed to [re]combine them into one network.

I would never disable any part of the firewall. I understand you don't [wish to] use IPv6 - but I don't understand why you fail to firewall IPv6.

It's not clear why you made these configs, so it's difficult to suggest changes. Perhaps you could describe the intended setup, and we could provide suggestions.

2 Likes

I could've clarified more on that, sorry. What I do know is that I did not input any VID option for any of the interfaces, as far as I know LuCI does not show that as an option in the first place. I cannot find an option for it on the interfaces, individual devices, or in the switch configuration. Therefore the ones that are in the configuration file must have been automatically generated for some reason.

I wish I had given that more thought, it's now obvious to me that I do not need two VLANs - 5 and 10 - in the first place. Thank you for pointing that out.

I understand what you mean, I guess I did not consider the true implications of those settings. At the time I thought of it as only ACCEPTING IPv4 traffic, not dropping the firewalls for IPv6. That is definitely what I get for blindly following advice on the forum without checking the docs first :face_exhaling:

I apologize for any confusion throughout this process, I was very much trying to avoid being "that guy" that dumps information without stating my motives in the first place - thank you very much for your patience.

What I am trying to achieve in the end is this:

  • The LAN zone should include my dumb AP (port 2), the Proxmox host (port 3), and the two WLAN devices. I trust all devices in this zone so I believe the firewall rules are appropriate there.
  • The DMZ zone should be exclusively for the LXC host running in Proxmox. It should have access to the internet so that Docker containers can download necessary assets and pull updated images from the Docker registry, but should not be initiating connections otherwise, other than DNS requests, DHCP (although I intend to only serve static leases in this zone, so that may be unnecessary?), and Tailscale/Wireguard traffic.
  • I need to be able to access the LXC and any future hosts in the DMZ from the LAN without restriction. I use Tailscale as a VPN for when I'm out of the house to access services on the LXC, and it is fairly unpredictable in what dport it uses to initiate connections with more than one node, so I'd rather not restrict forwarding to the DMZ until I can figure out how to get it to use a consistent range of ports (UDP 41641-41645 for example).

I hope all of that makes sense, I unfortunately haven't learned how to communicate issues like this effectively yet. I have also been working and tinkering with this for probably a month straight, so my brain feels like mush. I should probably take more breaks :sleepy: Also, I originally set most of this up months ago, then got too busy to maintain it until about a month ago... It feels like I'm relearning all of this all over again, and building on top of a poorly-built foundation. I have no one to blame but myself :stuck_out_tongue:

If you have any other questions please let me know, and again I really appreciate your patience and insight so far.

Check the runtime firewall config:

nft list ruleset
2 Likes

Have you thought about also installing croudsec to your server or even router for an extra layer of protection?

1 Like

I'm still on OpenWRT 21.02 so I use iptables, but here is how they look:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
input_rule  all  --  anywhere             anywhere             /* !fw3: Custom input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
syn_flood  tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
zone_lan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_dmz_input  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_input  all  --  anywhere             anywhere             /* !fw3 */

Chain FORWARD (policy DROP)
target     prot opt source               destination         
forwarding_rule  all  --  anywhere             anywhere             /* !fw3: Custom forwarding rule chain */
FLOWOFFLOAD  all  --  anywhere             anywhere             /* !fw3: Traffic offloading */ ctstate RELATED,ESTABLISHED FLOWOFFLOAD
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_dmz_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_forward  all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
output_rule  all  --  anywhere             anywhere             /* !fw3: Custom output rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_dmz_output  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_output  all  --  anywhere             anywhere             /* !fw3 */

Chain forwarding_dmz_rule (1 references)
target     prot opt source               destination         

Chain forwarding_lan_rule (1 references)
target     prot opt source               destination         

Chain forwarding_rule (1 references)
target     prot opt source               destination         

Chain forwarding_wan_rule (1 references)
target     prot opt source               destination         

Chain input_dmz_rule (1 references)
target     prot opt source               destination         

Chain input_lan_rule (1 references)
target     prot opt source               destination         

Chain input_rule (1 references)
target     prot opt source               destination         

Chain input_wan_rule (1 references)
target     prot opt source               destination         

Chain output_dmz_rule (1 references)
target     prot opt source               destination         

Chain output_lan_rule (1 references)
target     prot opt source               destination         

Chain output_rule (1 references)
target     prot opt source               destination         

Chain output_wan_rule (1 references)
target     prot opt source               destination         

Chain reject (3 references)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere             /* !fw3 */ reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination         
RETURN     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 /* !fw3 */
DROP       all  --  anywhere             anywhere             /* !fw3 */

Chain zone_dmz_dest_ACCEPT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_dmz_dest_REJECT (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 10/sec burst 5 /* !fw3 */ LOG level warning prefix "REJECT dmz out: "
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_dmz_forward (1 references)
target     prot opt source               destination         
forwarding_dmz_rule  all  --  anywhere             anywhere             /* !fw3: Custom dmz forwarding rule chain */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone dmz to wan forwarding policy */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_dmz_dest_REJECT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_dmz_input (1 references)
target     prot opt source               destination         
input_dmz_rule  all  --  anywhere             anywhere             /* !fw3: Custom dmz input rule chain */
ACCEPT     tcp  --  anywhere             A7WRT.lan            tcp dpt:domain /* !fw3: DMZ-DNS */
ACCEPT     udp  --  anywhere             A7WRT.lan            udp dpt:domain /* !fw3: DMZ-DNS */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps /* !fw3: DMZ-DHCP */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps /* !fw3: DMZ-DHCP */
ACCEPT     icmp --  anywhere             A7WRT.lan            /* !fw3: DMZ-Ping */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:41641 /* !fw3: DMZ-Tailscale */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:54802 /* !fw3: DMZ-Wireguard */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:44517 /* !fw3: Test */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_dmz_src_REJECT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_dmz_output (1 references)
target     prot opt source               destination         
output_dmz_rule  all  --  anywhere             anywhere             /* !fw3: Custom dmz output rule chain */
zone_dmz_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_dmz_src_REJECT (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 10/sec burst 5 /* !fw3 */ LOG level warning prefix "REJECT dmz in: "
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_dest_ACCEPT (4 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_forward (1 references)
target     prot opt source               destination         
forwarding_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan forwarding rule chain */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone lan to wan forwarding policy */
zone_dmz_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone lan to dmz forwarding policy */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_input (1 references)
target     prot opt source               destination         
input_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_lan_src_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_output (1 references)
target     prot opt source               destination         
output_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan output rule chain */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (3 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_dest_DROP (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_forward (1 references)
target     prot opt source               destination         
forwarding_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan forwarding rule chain */
zone_lan_dest_ACCEPT  esp  --  anywhere             anywhere             /* !fw3: Allow-IPSec-ESP */
zone_lan_dest_ACCEPT  udp  --  anywhere             anywhere             udp dpt:isakmp /* !fw3: Allow-ISAKMP */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_wan_dest_DROP  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_input (1 references)
target     prot opt source               destination         
input_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan input rule chain */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc /* !fw3: Allow-DHCP-Renew */
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request /* !fw3: Allow-Ping */
ACCEPT     igmp --  anywhere             anywhere             /* !fw3: Allow-IGMP */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_wan_src_DROP  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_output (1 references)
target     prot opt source               destination         
output_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan output rule chain */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_src_DROP (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             /* !fw3 */

That does look promising! However, I would like to avoid adding more services to my maintenance list for now (it's just me administrating) until I make sure I don't have any fundamental issues with my router. Thank you for suggesting it, I will keep it in mind!


I changed a few things in the meantime (@lleachii):

  • reset the firewall rules back to IPv4 and IPv6
  • migrated ports from VLAN 5 to VLAN 10, and removed VLAN 5 entirely. no more bridged VLANs on the same interface! :slight_smile:

Regarding the VID config, it seems the reason for the mismatch is because there actually IS an option for VID when creating a VLAN device in LuCI, but NOT for the actual VLAN option. It seems that the VLAN option is generated by LuCI, starting at 1 and incrementing for each new device. The setting may not matter at all, according to this user it is simply a hardware index to keep track of devices:

The docs do not directly say this, but there isn't even an option to define VLAN in this section for driver-level VLANs, only VID:

I do not plan on changing the setting unless someone can tell me what this "mismatch" would affect, since LuCI input these values automatically this must be intended behavior, or everyone else's routers would be broken :sweat_smile:

# swconfig dev switch0 help
switch0: mdio.0(Atheros AR8337), ports: 7 (cpu @ 0), vlans: 4096

As for the SSH attempts, I'm still very curious. Assuming my VPN is not breached (highly unlikely), I just cannot see how they could initiate connections through WAN > Router > DMZ > Server with this configuration. Unless I'm just missing something completely? :confused:

The above output is unrelated to NAT, check this:

iptables-save; ip6tables-save

@vgaetera sorry for the delay, here is the output:

# iptables-save
# Generated by iptables-save v1.8.7 on Mon Oct 23 14:12:43 2023
*nat
:PREROUTING ACCEPT [87643:13907590]
:INPUT ACCEPT [23097:1614041]
:OUTPUT ACCEPT [15188:1126680]
:POSTROUTING ACCEPT [184:18687]
:postrouting_dmz_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_dmz_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_dmz_postrouting - [0:0]
:zone_dmz_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i br-dmz -m comment --comment "!fw3" -j zone_dmz_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o br-dmz -m comment --comment "!fw3" -j zone_dmz_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_dmz_postrouting -m comment --comment "!fw3: Custom dmz postrouting rule chain" -j postrouting_dmz_rule
-A zone_dmz_prerouting -m comment --comment "!fw3: Custom dmz prerouting rule chain" -j prerouting_dmz_rule
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Mon Oct 23 14:12:43 2023
# Generated by iptables-save v1.8.7 on Mon Oct 23 14:12:43 2023
*mangle
:PREROUTING ACCEPT [614107:75811024]
:INPUT ACCEPT [79191:8077018]
:FORWARD ACCEPT [526881:66391383]
:OUTPUT ACCEPT [69693:11446894]
:POSTROUTING ACCEPT [591460:77551014]
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Oct 23 14:12:43 2023
# Generated by iptables-save v1.8.7 on Mon Oct 23 14:12:43 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_dmz_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_dmz_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_dmz_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_dmz_dest_ACCEPT - [0:0]
:zone_dmz_dest_REJECT - [0:0]
:zone_dmz_forward - [0:0]
:zone_dmz_input - [0:0]
:zone_dmz_output - [0:0]
:zone_dmz_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_DROP - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i br-dmz -m comment --comment "!fw3" -j zone_dmz_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m comment --comment "!fw3: Traffic offloading" -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i br-dmz -m comment --comment "!fw3" -j zone_dmz_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o br-dmz -m comment --comment "!fw3" -j zone_dmz_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_dmz_dest_ACCEPT -o br-dmz -m comment --comment "!fw3" -j ACCEPT
-A zone_dmz_dest_REJECT -o br-dmz -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT dmz out: "
-A zone_dmz_dest_REJECT -o br-dmz -m comment --comment "!fw3" -j reject
-A zone_dmz_forward -m comment --comment "!fw3: Custom dmz forwarding rule chain" -j forwarding_dmz_rule
-A zone_dmz_forward -m comment --comment "!fw3: Zone dmz to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_dmz_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_dmz_forward -m comment --comment "!fw3" -j zone_dmz_dest_REJECT
-A zone_dmz_input -m comment --comment "!fw3: Custom dmz input rule chain" -j input_dmz_rule
-A zone_dmz_input -d 10.10.10.1/32 -p tcp -m tcp --dport 53 -m comment --comment "!fw3: DMZ-DNS" -j ACCEPT
-A zone_dmz_input -d 10.10.10.1/32 -p udp -m udp --dport 53 -m comment --comment "!fw3: DMZ-DNS" -j ACCEPT
-A zone_dmz_input -p tcp -m tcp --dport 67 -m comment --comment "!fw3: DMZ-DHCP" -j ACCEPT
-A zone_dmz_input -p udp -m udp --dport 67 -m comment --comment "!fw3: DMZ-DHCP" -j ACCEPT
-A zone_dmz_input -d 10.10.10.1/32 -p icmp -m comment --comment "!fw3: DMZ-Ping" -j ACCEPT
-A zone_dmz_input -p udp -m udp --dport 41641 -m comment --comment "!fw3: DMZ-Tailscale" -j ACCEPT
-A zone_dmz_input -p udp -m udp --dport 54802 -m comment --comment "!fw3: DMZ-Wireguard" -j ACCEPT
-A zone_dmz_input -p udp -m udp --dport 44517 -m comment --comment "!fw3: Test" -j ACCEPT
-A zone_dmz_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_dmz_input -m comment --comment "!fw3" -j zone_dmz_src_REJECT
-A zone_dmz_output -m comment --comment "!fw3: Custom dmz output rule chain" -j output_dmz_rule
-A zone_dmz_output -m comment --comment "!fw3" -j zone_dmz_dest_ACCEPT
-A zone_dmz_src_REJECT -i br-dmz -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT dmz in: "
-A zone_dmz_src_REJECT -i br-dmz -m comment --comment "!fw3" -j reject
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to dmz forwarding policy" -j zone_dmz_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_DROP -o eth0.2 -m comment --comment "!fw3" -j DROP
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_DROP
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_DROP
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_DROP -i eth0.2 -m comment --comment "!fw3" -j DROP
COMMIT
# Completed on Mon Oct 23 14:12:43 2023
1 Like

What method are you using to install/upgrade the containers/VMs?
If you deploy pre-built images, they may include some logs.

1 Like

I currently use Portainer to orchestrate everything on the host, including updating images. I do use pre-built images for all of the containers - I already looked at all of their logs, nothing even slightly suspicious there. No sketchy image sources that I don't trust, either.

In hindsight, I wish I had deployed some logging rules for at least SSH in iptables. Knowing where the packet originated from and how it got forwarded would be very helpful right now. Nothing in the Proxmox logs either as it was only logging dropped packets.

The only route I can think of that the packet took looks like:

WAN > DNAT to DMZ Router > Host

Unless I'm missing something here, because I have no DNAT rules active (especially for SSH as that's not worth the risk), the host should not be exposed to that kind of traffic at all. Same situation with Proxmox, the firewall rules look like this if you're interested (veth200i0-IN/OUT chains apply to the host I'm speaking of):

iptables
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
PVEFW-INPUT  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
PVEFW-FORWARD  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
PVEFW-OUTPUT  all  --  anywhere             anywhere            

Chain PVEFW-Drop (1 references)
target     prot opt source               destination         
PVEFW-DropBroadcast  all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
DROP       all  --  anywhere             anywhere             ctstate INVALID
DROP       udp  --  anywhere             anywhere             multiport dports 135,445
DROP       udp  --  anywhere             anywhere             udp dpts:netbios-ns:139
DROP       udp  --  anywhere             anywhere             udp spt:netbios-ns dpts:1024:65535
DROP       tcp  --  anywhere             anywhere             multiport dports epmap,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere             udp dpt:1900
DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN
DROP       udp  --  anywhere             anywhere             udp spt:domain
           all  --  anywhere             anywhere             /* PVESIG:83WlR/a4wLbmURFqMQT3uJSgIG8 */

Chain PVEFW-DropBroadcast (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type ANYCAST
DROP       all  --  anywhere             base-address.mcast.net/4 
           all  --  anywhere             anywhere             /* PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w */

Chain PVEFW-FORWARD (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
PVEFW-FWBR-IN  all  --  anywhere             anywhere             PHYSDEV match --physdev-in fwln+ --physdev-is-bridged
PVEFW-FWBR-OUT  all  --  anywhere             anywhere             PHYSDEV match --physdev-out fwln+ --physdev-is-bridged
           all  --  anywhere             anywhere             /* PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw */

Chain PVEFW-FWBR-IN (1 references)
target     prot opt source               destination         
PVEFW-smurfs  all  --  anywhere             anywhere             ctstate INVALID,NEW
veth200i0-IN  all  --  anywhere             anywhere             PHYSDEV match --physdev-out veth200i0 --physdev-is-bridged
           all  --  anywhere             anywhere             /* PVESIG:SBGYVUe99dtTpBJ6xV3B2HDj3Lw */

Chain PVEFW-FWBR-OUT (1 references)
target     prot opt source               destination         
veth200i0-OUT  all  --  anywhere             anywhere             PHYSDEV match --physdev-in veth200i0 --physdev-is-bridged
           all  --  anywhere             anywhere             /* PVESIG:ApqYC8Mr6OHSTxW5msAxdGTqxrY */

Chain PVEFW-HOST-IN (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
PVEFW-smurfs  all  --  anywhere             anywhere             ctstate INVALID,NEW
RETURN     igmp --  anywhere             anywhere            
RETURN     icmp --  anywhere             pve.local  match-set PVEFW-0-private-lan-ips-v4 src icmp echo-request
RETURN     icmp --  10.10.10.10          portainer.local  icmp echo-request
RETURN     udp  --  10.10.10.10          portainer.local  udp dpt:domain
RETURN     tcp  --  10.10.10.10          portainer.local  tcp dpt:domain
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpt:8006
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpts:5900:5999
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpt:3128
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpt:ssh
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpts:60000:60050
PVEFW-Drop  all  --  anywhere             anywhere            
NFLOG      all  --  anywhere             anywhere             limit: avg 1/sec burst 5 nflog-prefix  ":0:7:PVEFW-HOST-IN: policy DROP: "
DROP       all  --  anywhere             anywhere            
           all  --  anywhere             anywhere             /* PVESIG:LQbGX0eloG+WCm5NM4xQsddi4d4 */

Chain PVEFW-HOST-OUT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
RETURN     igmp --  anywhere             anywhere            
RETURN     tcp  --  anywhere             10.7.42.0/24         tcp dpt:8006
RETURN     tcp  --  anywhere             10.7.42.0/24         tcp dpt:ssh
RETURN     tcp  --  anywhere             10.7.42.0/24         tcp dpts:5900:5999
RETURN     tcp  --  anywhere             10.7.42.0/24         tcp dpt:3128
RETURN     all  --  anywhere             anywhere            
           all  --  anywhere             anywhere             /* PVESIG:5uGFcVsj1KxtwFx1iWX8nx9gmw8 */

Chain PVEFW-INPUT (1 references)
target     prot opt source               destination         
PVEFW-HOST-IN  all  --  anywhere             anywhere            
           all  --  anywhere             anywhere             /* PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk */

Chain PVEFW-OUTPUT (1 references)
target     prot opt source               destination         
PVEFW-HOST-OUT  all  --  anywhere             anywhere            
           all  --  anywhere             anywhere             /* PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0 */

Chain PVEFW-Reject (1 references)
target     prot opt source               destination         
PVEFW-DropBroadcast  all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
DROP       all  --  anywhere             anywhere             ctstate INVALID
PVEFW-reject  udp  --  anywhere             anywhere             multiport dports 135,445
PVEFW-reject  udp  --  anywhere             anywhere             udp dpts:netbios-ns:139
PVEFW-reject  udp  --  anywhere             anywhere             udp spt:netbios-ns dpts:1024:65535
PVEFW-reject  tcp  --  anywhere             anywhere             multiport dports epmap,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere             udp dpt:1900
DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN
DROP       udp  --  anywhere             anywhere             udp spt:domain
           all  --  anywhere             anywhere             /* PVESIG:h3DyALVslgH5hutETfixGP08w7c */

Chain PVEFW-SET-ACCEPT-MARK (2 references)
target     prot opt source               destination         
MARK       all  --  anywhere             anywhere             MARK or 0x80000000
           all  --  anywhere             anywhere             /* PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY */

Chain PVEFW-logflags (5 references)
target     prot opt source               destination         
NFLOG      all  --  anywhere             anywhere             limit: avg 1/sec burst 5 nflog-prefix  ":0:6:PVEFW-logflags: DROP: "
DROP       all  --  anywhere             anywhere            
           all  --  anywhere             anywhere             /* PVESIG:3UjKviTKl2xDmoLvcZjFtc0vR7k */

Chain PVEFW-reject (9 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
DROP       all  --  base-address.mcast.net/4  anywhere            
DROP       icmp --  anywhere             anywhere            
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     icmp --  anywhere             anywhere             reject-with icmp-host-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
           all  --  anywhere             anywhere             /* PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc */

Chain PVEFW-smurflog (2 references)
target     prot opt source               destination         
NFLOG      all  --  anywhere             anywhere             limit: avg 1/sec burst 5 nflog-prefix  ":0:6:PVEFW-smurflog: DROP: "
DROP       all  --  anywhere             anywhere            
           all  --  anywhere             anywhere             /* PVESIG:JhBBKO0ZdEYs+TntUvpoaDnKPVY */

Chain PVEFW-smurfs (2 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0              anywhere            
PVEFW-smurflog  all  --  anywhere             anywhere            [goto]  ADDRTYPE match src-type BROADCAST
PVEFW-smurflog  all  --  base-address.mcast.net/4  anywhere            [goto] 
           all  --  anywhere             anywhere             /* PVESIG:HssVe5QCBXd5mc9kC88749+7fag */

Chain PVEFW-tcpflags (0 references)
target     prot opt source               destination         
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:SYN,RST/SYN,RST
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN/FIN,SYN
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp spt:0 flags:FIN,SYN,RST,ACK/SYN
           all  --  anywhere             anywhere             /* PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo */

Chain veth200i0-IN (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ACCEPT     tcp  --  anywhere             10.10.10.10          match-set PVEFW-0-private-lan-ips-v4 src tcp dpt:9443
ACCEPT     udp  --  anywhere             10.10.10.10          udp spt:54802
ACCEPT     udp  --  anywhere             10.10.10.10          udp spt:41641
ACCEPT     icmp --  anywhere             10.10.10.0/24        match-set PVEFW-0-private-lan-ips-v4 src icmp echo-request
ACCEPT     tcp  --  anywhere             10.10.10.10          match-set PVEFW-0-private-lan-ips-v4 src tcp dpt:ssh
ACCEPT     tcp  --  anywhere             10.10.10.0/24        match-set PVEFW-0-private-lan-ips-v4 src tcp dpt:81
ACCEPT     tcp  --  anywhere             10.10.10.0/24        match-set PVEFW-0-private-lan-ips-v4 src tcp dpt:http
ACCEPT     tcp  --  anywhere             10.10.10.0/24        match-set PVEFW-0-private-lan-ips-v4 src tcp dpt:https
PVEFW-Reject  all  --  anywhere             anywhere            
NFLOG      all  --  anywhere             anywhere             limit: avg 1/sec burst 5 nflog-prefix  ":200:7:veth200i0-IN: policy REJECT: "
PVEFW-reject  all  --  anywhere             anywhere            [goto] 
           all  --  anywhere             anywhere             /* PVESIG:TTWl+Du1RZjDcfqKQUdaW0imZhw */

Chain veth200i0-OUT (1 references)
target     prot opt source               destination         
PVEFW-SET-ACCEPT-MARK  udp  --  anywhere             anywhere            [goto]  udp spt:bootpc dpt:bootps
DROP       all  --  anywhere             anywhere             MAC !76:a9:67:3f:bb:bc
MARK       all  --  anywhere             anywhere             MARK and 0x7fffffff
PVEFW-reject  udp  --  10.10.10.10          anywhere             udp dpt:60931
PVEFW-reject  udp  --  10.10.10.10          anywhere             udp dpt:46738
PVEFW-reject  udp  --  10.10.10.10          anywhere             udp dpt:1900
PVEFW-reject  udp  --  10.10.10.10          anywhere             udp dpt:5351
PVEFW-SET-ACCEPT-MARK  all  --  anywhere             anywhere            [goto] 
           all  --  anywhere             anywhere             /* PVESIG:VwdqcAdktBHhq6e0zupjNgmpE4c */
iptables-save
# iptables-save
# Generated by iptables-save v1.8.7 on Mon Oct 23 15:36:48 2023
*filter
:INPUT ACCEPT [94:5788]
:FORWARD ACCEPT [317:24240]
:OUTPUT ACCEPT [50:3480]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-smurflog - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
:veth200i0-IN - [0:0]
:veth200i0-OUT - [0:0]
-A INPUT -j PVEFW-INPUT
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -j PVEFW-OUTPUT
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:83WlR/a4wLbmURFqMQT3uJSgIG8"
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
-A PVEFW-DropBroadcast -m comment --comment "PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-out veth200i0 --physdev-is-bridged -j veth200i0-IN
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:SBGYVUe99dtTpBJ6xV3B2HDj3Lw"
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth200i0 --physdev-is-bridged -j veth200i0-OUT
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:ApqYC8Mr6OHSTxW5msAxdGTqxrY"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -d 10.7.42.3/32 -p icmp -m set --match-set PVEFW-0-private-lan-ips-v4 src -m icmp --icmp-type 8 -j RETURN
-A PVEFW-HOST-IN -s 10.10.10.10/32 -d 10.10.10.1/32 -i vmbr0.100 -p icmp -m icmp --icmp-type 8 -j RETURN
-A PVEFW-HOST-IN -s 10.10.10.10/32 -d 10.10.10.1/32 -i vmbr0.100 -p udp -m udp --dport 53 -j RETURN
-A PVEFW-HOST-IN -s 10.10.10.10/32 -d 10.10.10.1/32 -i vmbr0.100 -p tcp -m tcp --dport 53 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 60000:60050 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":0:7:PVEFW-HOST-IN: policy DROP: "
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -m comment --comment "PVESIG:LQbGX0eloG+WCm5NM4xQsddi4d4"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -d 10.7.42.0/24 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d 10.7.42.0/24 -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d 10.7.42.0/24 -p tcp -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d 10.7.42.0/24 -p tcp -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:5uGFcVsj1KxtwFx1iWX8nx9gmw8"
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -m comment --comment "PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0"
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:h3DyALVslgH5hutETfixGP08w7c"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY"
-A PVEFW-logflags -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":0:6:PVEFW-logflags: DROP: "
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:3UjKviTKl2xDmoLvcZjFtc0vR7k"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc"
-A PVEFW-smurflog -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":0:6:PVEFW-smurflog: DROP: "
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:JhBBKO0ZdEYs+TntUvpoaDnKPVY"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
-A veth200i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A veth200i0-IN -d 10.10.10.10/32 -p tcp -m set --match-set PVEFW-0-private-lan-ips-v4 src -m tcp --dport 9443 -j ACCEPT
-A veth200i0-IN -d 10.10.10.10/32 -p udp -m udp --sport 54802 -j ACCEPT
-A veth200i0-IN -d 10.10.10.10/32 -p udp -m udp --sport 41641 -j ACCEPT
-A veth200i0-IN -d 10.10.10.0/24 -p icmp -m set --match-set PVEFW-0-private-lan-ips-v4 src -m icmp --icmp-type 8 -j ACCEPT
-A veth200i0-IN -d 10.10.10.10/32 -p tcp -m set --match-set PVEFW-0-private-lan-ips-v4 src -m tcp --dport 22 -j ACCEPT
-A veth200i0-IN -d 10.10.10.0/24 -p tcp -m set --match-set PVEFW-0-private-lan-ips-v4 src -m tcp --dport 81 -j ACCEPT
-A veth200i0-IN -d 10.10.10.0/24 -p tcp -m set --match-set PVEFW-0-private-lan-ips-v4 src -m tcp --dport 80 -j ACCEPT
-A veth200i0-IN -d 10.10.10.0/24 -p tcp -m set --match-set PVEFW-0-private-lan-ips-v4 src -m tcp --dport 443 -j ACCEPT
-A veth200i0-IN -j PVEFW-Reject
-A veth200i0-IN -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":200:7:veth200i0-IN: policy REJECT: "
-A veth200i0-IN -g PVEFW-reject
-A veth200i0-IN -m comment --comment "PVESIG:TTWl+Du1RZjDcfqKQUdaW0imZhw"
-A veth200i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A veth200i0-OUT -m mac ! --mac-source 76:a9:67:3f:bb:bc -j DROP
-A veth200i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A veth200i0-OUT -s 10.10.10.10/32 -p udp -m udp --dport 60931 -j PVEFW-reject
-A veth200i0-OUT -s 10.10.10.10/32 -p udp -m udp --dport 46738 -j PVEFW-reject
-A veth200i0-OUT -s 10.10.10.10/32 -p udp -m udp --dport 1900 -j PVEFW-reject
-A veth200i0-OUT -s 10.10.10.10/32 -p udp -m udp --dport 5351 -j PVEFW-reject
-A veth200i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A veth200i0-OUT -m comment --comment "PVESIG:VwdqcAdktBHhq6e0zupjNgmpE4c"
COMMIT
# Completed on Mon Oct 23 15:36:48 2023
# Generated by iptables-save v1.8.7 on Mon Oct 23 15:36:48 2023
*nat
:PREROUTING ACCEPT [516136:51341177]
:INPUT ACCEPT [4568:274240]
:OUTPUT ACCEPT [8869:589886]
:POSTROUTING ACCEPT [258508:19053327]
-A POSTROUTING -s 10.7.1.0/24 -o vmbr0 -j MASQUERADE
-A POSTROUTING -s 10.7.1.0/24 -o vmbr0 -j MASQUERADE
-A POSTROUTING -s 10.7.1.0/24 -o vmbr0 -j MASQUERADE
COMMIT
# Completed on Mon Oct 23 15:36:48 2023
# Generated by iptables-save v1.8.7 on Mon Oct 23 15:36:48 2023
*raw
:PREROUTING ACCEPT [11120791:3631548546]
:OUTPUT ACCEPT [342124:167009570]
-A PREROUTING -s 10.7.1.0/24 -i vmbr0 -j CT --zone 1
-A PREROUTING -s 10.7.1.0/24 -i vmbr0 -j CT --zone 1
-A PREROUTING -s 10.7.1.0/24 -i vmbr0 -j CT --zone 1
COMMIT
# Completed on Mon Oct 23 15:36:48 2023

Ran out of room quickly, now I know the character limit of 30k I guess :stuck_out_tongue:

ip6tables
# ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
PVEFW-INPUT  all      anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
PVEFW-FORWARD  all      anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
PVEFW-OUTPUT  all      anywhere             anywhere            

Chain PVEFW-Drop (1 references)
target     prot opt source               destination         
PVEFW-reject  tcp      anywhere             anywhere             tcp dpt:whois
PVEFW-DropBroadcast  all      anywhere             anywhere            
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp destination-unreachable
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp time-exceeded
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp packet-too-big
DROP       all      anywhere             anywhere             ctstate INVALID
DROP       udp      anywhere             anywhere             multiport dports 135,445
DROP       udp      anywhere             anywhere             udp dpts:netbios-ns:139
DROP       udp      anywhere             anywhere             udp spt:netbios-ns dpts:1024:65535
DROP       tcp      anywhere             anywhere             multiport dports epmap,netbios-ssn,microsoft-ds
DROP       udp      anywhere             anywhere             udp dpt:1900
DROP       tcp      anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN
DROP       udp      anywhere             anywhere             udp spt:domain
           all      anywhere             anywhere             /* PVESIG:Jb79Uw7z1vZglIcV7QXA5uY/nbk */

Chain PVEFW-DropBroadcast (2 references)
target     prot opt source               destination         
DROP       all      anywhere             ff00::/8            
           all      anywhere             anywhere             /* PVESIG:8Krk5Nh8pDZOOc7BQAbM6PlyFSU */

Chain PVEFW-FORWARD (1 references)
target     prot opt source               destination         
DROP       all      anywhere             anywhere             ctstate INVALID
ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED
PVEFW-FWBR-IN  all      anywhere             anywhere             PHYSDEV match --physdev-in fwln+ --physdev-is-bridged
PVEFW-FWBR-OUT  all      anywhere             anywhere             PHYSDEV match --physdev-out fwln+ --physdev-is-bridged
           all      anywhere             anywhere             /* PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw */

Chain PVEFW-FWBR-IN (1 references)
target     prot opt source               destination         
veth200i0-IN  all      anywhere             anywhere             PHYSDEV match --physdev-out veth200i0 --physdev-is-bridged
           all      anywhere             anywhere             /* PVESIG:Csb4zf4mBlzJaISre+lcQiuR53Q */

Chain PVEFW-FWBR-OUT (1 references)
target     prot opt source               destination         
veth200i0-OUT  all      anywhere             anywhere             PHYSDEV match --physdev-in veth200i0 --physdev-is-bridged
           all      anywhere             anywhere             /* PVESIG:ApqYC8Mr6OHSTxW5msAxdGTqxrY */

Chain PVEFW-HOST-IN (1 references)
target     prot opt source               destination         
ACCEPT     all      anywhere             anywhere            
DROP       all      anywhere             anywhere             ctstate INVALID
ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED
RETURN     ipv6-icmp    anywhere             anywhere             ipv6-icmp router-solicitation
RETURN     ipv6-icmp    anywhere             anywhere             ipv6-icmp router-advertisement
RETURN     ipv6-icmp    anywhere             anywhere             ipv6-icmp neighbour-solicitation
RETURN     ipv6-icmp    anywhere             anywhere             ipv6-icmp neighbour-advertisement
RETURN     igmp     anywhere             anywhere            
RETURN     tcp      anywhere             anywhere             match-set PVEFW-0-management-v6 src tcp dpt:8006
RETURN     tcp      anywhere             anywhere             match-set PVEFW-0-management-v6 src tcp dpts:5900:5999
RETURN     tcp      anywhere             anywhere             match-set PVEFW-0-management-v6 src tcp dpt:3128
RETURN     tcp      anywhere             anywhere             match-set PVEFW-0-management-v6 src tcp dpt:ssh
RETURN     tcp      anywhere             anywhere             match-set PVEFW-0-management-v6 src tcp dpts:60000:60050
PVEFW-Drop  all      anywhere             anywhere            
NFLOG      all      anywhere             anywhere             limit: avg 1/sec burst 5 nflog-prefix  ":0:7:PVEFW-HOST-IN: policy DROP: "
DROP       all      anywhere             anywhere            
           all      anywhere             anywhere             /* PVESIG:kZxveMKGMIYzWJCyWe/S0Qn4yOU */

Chain PVEFW-HOST-OUT (1 references)
target     prot opt source               destination         
ACCEPT     all      anywhere             anywhere            
DROP       all      anywhere             anywhere             ctstate INVALID
ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED
RETURN     ipv6-icmp    anywhere             anywhere             ipv6-icmp router-solicitation
RETURN     ipv6-icmp    anywhere             anywhere             ipv6-icmp neighbour-solicitation
RETURN     ipv6-icmp    anywhere             anywhere             ipv6-icmp neighbour-advertisement
RETURN     igmp     anywhere             anywhere            
RETURN     all      anywhere             anywhere            
           all      anywhere             anywhere             /* PVESIG:br2bPbA9ZjuHOMNhV8tfLRw1mAs */

Chain PVEFW-INPUT (1 references)
target     prot opt source               destination         
PVEFW-HOST-IN  all      anywhere             anywhere            
           all      anywhere             anywhere             /* PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk */

Chain PVEFW-OUTPUT (1 references)
target     prot opt source               destination         
PVEFW-HOST-OUT  all      anywhere             anywhere            
           all      anywhere             anywhere             /* PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0 */

Chain PVEFW-Reject (1 references)
target     prot opt source               destination         
PVEFW-reject  tcp      anywhere             anywhere             tcp dpt:whois
PVEFW-DropBroadcast  all      anywhere             anywhere            
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp destination-unreachable
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp time-exceeded
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp packet-too-big
DROP       all      anywhere             anywhere             ctstate INVALID
PVEFW-reject  udp      anywhere             anywhere             multiport dports 135,445
PVEFW-reject  udp      anywhere             anywhere             udp dpts:netbios-ns:139
PVEFW-reject  udp      anywhere             anywhere             udp spt:netbios-ns dpts:1024:65535
PVEFW-reject  tcp      anywhere             anywhere             multiport dports epmap,netbios-ssn,microsoft-ds
DROP       udp      anywhere             anywhere             udp dpt:1900
DROP       tcp      anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN
DROP       udp      anywhere             anywhere             udp spt:domain
           all      anywhere             anywhere             /* PVESIG:aL1nrxJk/u3XmTb3Am2eaM/3yCM */

Chain PVEFW-SET-ACCEPT-MARK (5 references)
target     prot opt source               destination         
MARK       all      anywhere             anywhere             MARK or 0x80000000
           all      anywhere             anywhere             /* PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY */

Chain PVEFW-logflags (5 references)
target     prot opt source               destination         
NFLOG      all      anywhere             anywhere             limit: avg 1/sec burst 5 nflog-prefix  ":0:6:PVEFW-logflags: DROP: "
DROP       all      anywhere             anywhere            
           all      anywhere             anywhere             /* PVESIG:3UjKviTKl2xDmoLvcZjFtc0vR7k */

Chain PVEFW-reject (7 references)
target     prot opt source               destination         
DROP       ipv6-icmp    anywhere             anywhere            
REJECT     tcp      anywhere             anywhere             reject-with tcp-reset
REJECT     udp      anywhere             anywhere             reject-with icmp6-port-unreachable
REJECT     all      anywhere             anywhere             reject-with icmp6-adm-prohibited
           all      anywhere             anywhere             /* PVESIG:etEECUYcgUdzuuO+LDP83pu0S8Y */

Chain PVEFW-tcpflags (0 references)
target     prot opt source               destination         
PVEFW-logflags  tcp      anywhere             anywhere            [goto]  tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
PVEFW-logflags  tcp      anywhere             anywhere            [goto]  tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
PVEFW-logflags  tcp      anywhere             anywhere            [goto]  tcp flags:SYN,RST/SYN,RST
PVEFW-logflags  tcp      anywhere             anywhere            [goto]  tcp flags:FIN,SYN/FIN,SYN
PVEFW-logflags  tcp      anywhere             anywhere            [goto]  tcp spt:0 flags:FIN,SYN,RST,ACK/SYN
           all      anywhere             anywhere             /* PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo */

Chain veth200i0-IN (1 references)
target     prot opt source               destination         
ACCEPT     udp      anywhere             anywhere             udp spt:dhcpv6-server dpt:dhcpv6-client
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp router-solicitation
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp router-advertisement
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp neighbour-solicitation
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp neighbour-advertisement
PVEFW-Reject  all      anywhere             anywhere            
NFLOG      all      anywhere             anywhere             limit: avg 1/sec burst 5 nflog-prefix  ":200:7:veth200i0-IN: policy REJECT: "
PVEFW-reject  all      anywhere             anywhere            [goto] 
           all      anywhere             anywhere             /* PVESIG:Daw5MYKaFmasQhQ8w7kH/w2iFhA */

Chain veth200i0-OUT (1 references)
target     prot opt source               destination         
PVEFW-SET-ACCEPT-MARK  udp      anywhere             anywhere            [goto]  udp spt:dhcpv6-client dpt:dhcpv6-server
DROP       all      anywhere             anywhere             MAC !76:a9:67:3f:bb:bc
DROP       ipv6-icmp    anywhere             anywhere             ipv6-icmp router-advertisement
MARK       all      anywhere             anywhere             MARK and 0x7fffffff
PVEFW-SET-ACCEPT-MARK  ipv6-icmp    anywhere             anywhere            [goto]  ipv6-icmp router-solicitation
PVEFW-SET-ACCEPT-MARK  ipv6-icmp    anywhere             anywhere            [goto]  ipv6-icmp neighbour-solicitation
PVEFW-SET-ACCEPT-MARK  ipv6-icmp    anywhere             anywhere            [goto]  ipv6-icmp neighbour-advertisement
PVEFW-SET-ACCEPT-MARK  all      anywhere             anywhere            [goto] 
           all      anywhere             anywhere             /* PVESIG:ZSFeJya544ZFI3cS/sllg4SPSsM */
ip6tables-save
# ip6tables-save 
# Generated by ip6tables-save v1.8.7 on Mon Oct 23 15:45:50 2023
*raw
:PREROUTING ACCEPT [620551:86297776]
:OUTPUT ACCEPT [1988:115292]
COMMIT
# Completed on Mon Oct 23 15:45:50 2023
# Generated by ip6tables-save v1.8.7 on Mon Oct 23 15:45:50 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:56]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-tcpflags - [0:0]
:veth200i0-IN - [0:0]
:veth200i0-OUT - [0:0]
-A INPUT -j PVEFW-INPUT
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -j PVEFW-OUTPUT
-A PVEFW-Drop -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A PVEFW-Drop -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A PVEFW-Drop -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:Jb79Uw7z1vZglIcV7QXA5uY/nbk"
-A PVEFW-DropBroadcast -d ff00::/8 -j DROP
-A PVEFW-DropBroadcast -m comment --comment "PVESIG:8Krk5Nh8pDZOOc7BQAbM6PlyFSU"
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"
-A PVEFW-FWBR-IN -m physdev --physdev-out veth200i0 --physdev-is-bridged -j veth200i0-IN
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:Csb4zf4mBlzJaISre+lcQiuR53Q"
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth200i0 --physdev-is-bridged -j veth200i0-OUT
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:ApqYC8Mr6OHSTxW5msAxdGTqxrY"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j RETURN
-A PVEFW-HOST-IN -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j RETURN
-A PVEFW-HOST-IN -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
-A PVEFW-HOST-IN -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v6 src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v6 src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v6 src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v6 src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v6 src -m tcp --dport 60000:60050 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":0:7:PVEFW-HOST-IN: policy DROP: "
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -m comment --comment "PVESIG:kZxveMKGMIYzWJCyWe/S0Qn4yOU"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j RETURN
-A PVEFW-HOST-OUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN
-A PVEFW-HOST-OUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:br2bPbA9ZjuHOMNhV8tfLRw1mAs"
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -m comment --comment "PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0"
-A PVEFW-Reject -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A PVEFW-Reject -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A PVEFW-Reject -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:aL1nrxJk/u3XmTb3Am2eaM/3yCM"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY"
-A PVEFW-logflags -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":0:6:PVEFW-logflags: DROP: "
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:3UjKviTKl2xDmoLvcZjFtc0vR7k"
-A PVEFW-reject -p ipv6-icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp6-port-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp6-adm-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:etEECUYcgUdzuuO+LDP83pu0S8Y"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
-A veth200i0-IN -p udp -m udp --sport 547 --dport 546 -j ACCEPT
-A veth200i0-IN -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
-A veth200i0-IN -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A veth200i0-IN -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A veth200i0-IN -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A veth200i0-IN -j PVEFW-Reject
-A veth200i0-IN -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":200:7:veth200i0-IN: policy REJECT: "
-A veth200i0-IN -g PVEFW-reject
-A veth200i0-IN -m comment --comment "PVESIG:Daw5MYKaFmasQhQ8w7kH/w2iFhA"
-A veth200i0-OUT -p udp -m udp --sport 546 --dport 547 -g PVEFW-SET-ACCEPT-MARK
-A veth200i0-OUT -m mac ! --mac-source 76:a9:67:3f:bb:bc -j DROP
-A veth200i0-OUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
-A veth200i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A veth200i0-OUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -g PVEFW-SET-ACCEPT-MARK
-A veth200i0-OUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -g PVEFW-SET-ACCEPT-MARK
-A veth200i0-OUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -g PVEFW-SET-ACCEPT-MARK
-A veth200i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A veth200i0-OUT -m comment --comment "PVESIG:ZSFeJya544ZFI3cS/sllg4SPSsM"
COMMIT
# Completed on Mon Oct 23 15:45:50 2023

We have not found any evidence linking this problem to OpenWrt.
You can try to take a closer look at image deployment, specifically this part:

1 Like

Thank you for the information. I did not see anything very helpful there unfortunately, although I did try $ lastb -ad to see their hostnames (if any) - I doubt it's helpful at all but:

root     ssh:notty    Fri Oct 13 04:18 - 04:18  (00:00)     static-200-94-113-90.alestra.net.mx
root     ssh:notty    Fri Oct 13 04:18 - 04:18  (00:00)     static-200-94-113-90.alestra.net.mx
root     ssh:notty    Fri Oct 13 04:18 - 04:18  (00:00)     static-200-94-113-90.alestra.net.mx
pi       ssh:notty    Fri Oct 13 04:10 - 04:10  (00:00)     59.31.115.173
pi       ssh:notty    Fri Oct 13 04:10 - 04:10  (00:00)     59.31.115.173
pi       ssh:notty    Fri Oct 13 04:10 - 04:10  (00:00)     59.31.115.173
pi       ssh:notty    Fri Oct 13 04:10 - 04:10  (00:00)     59.31.115.173

I will check the Docker logs again and really make sure I'm not just missing something.

Is it possible that I have a malicious container that is making requests to these IPs, allowing them to somehow get through the firewall as 'established' traffic? Just seems strange...

1 Like

In theory, a compromised container/VM can build a reverse tunnel effectively breaching your firewall to accept outside connections.
In practice however, there's a higher chance the issue is caused by /var/log/btmp included in the image and containing the login failure messages.

1 Like

I'm sorry for the confusion, the lastb command was ran on the host OS (a TurnKey Debian 11 LXC) - not within any of the Docker containers that run on it. So the connection seems to have been made directly to Debian, likely not through the containers. I may be wrong, there is still a chance they got passed in from a rogue container for some reason. Not sure.

Here's another way an attacker can use to bypass the firewall:

Note that OpenWrt 21.02 is no longer supported and may include open vulnerabilities.

1 Like

I'll take a look at that right now, thank you very much!

As for the firmware version, I have thought about updating, but I do have reservations only because I have just the one router - although I could back up configs and everything, bricking the device would cause massive problems. Not sure how likely that is to happen though.

Also, I'm fairly sure the switch from iptables to nftables caused issues for some - can't remember why, I'll have to research again and make sure I'm remembering this right. Other than that though, I am open to updating for sure. For reference, the router is a TP-Link Archer A7 v5 (ath79-generic) - I'll update with any new information soon.

1 Like

This one shouldn't have any device inherent issues with running modern OpenWrt (e.g. 23.05.0 or main snapshots).

2 Likes