General Setup for MMO and Firewall

Hello guys, its me again.
As im progress with the setup, new doubts are comming.
First of all, im gonna tell you about my setup and why I rent a dedicated server.
I have 2 servers of MMORPG, and, usually we (the ppl who has this kind of servers) rent vps, problem is most of the ppl who rent related to this game don't have a clue about nothing, and oversell resources af. So, since my 2 vps cost around 35USD monthly, I decided to take the leap and move to soyoustart.
My goal is to setup 4 vps with Windows Server (2 operationals and 2 for test).
This is the specs of my server: SYS-LE-2 Server - Intel Xeon E5-1620v2 - 32GB DDR3 ECC 1600MHz - 2x 800GB SSD SATA Soft RAID and it has Proxmox VE 6.2.

That being said, I have a couple of general questions:
1. OVH Monitor isn't enabled for SYS right?
2. Do you recommend to have RAID setup for this use? Currently I have one of the SSD unmounted.
3. What its the best configuration for Windows regarding VM options. Screen:

And about Firewall (the same topic since setup is relevant):
1. Is there a file config to see all the rules that has been applied? Im aware of iptables -S
2. Do you really see crucial to add a rule for SSH and GUI access only from 1 ip? Im from Argentina, and all the companies here use dynamic ip, or its enough with anti brute rules?
3. All the rules I apply to main server in SSH would be apply to my VM's if network firewall is enabled?
4. Need to limit connection ammount per IP and per time, I read this tutorial (hope isn't againts the rules share the link) https://javapipe.com/blog/iptables-ddos-protection/ with a bit of tweaks could be exactly what I need, only if I can add a ban to the ip that exceed the limite, for 30mins lets said.
5. Is there a way to add a whitelist IP for certain rules only? Like for example, I wanna limit connections with the rules from the link above, to 15 connections over 30sec.

Think that would be all. Thanks to all for reading, sorry for all the questions and the bad english ^^

Comments

  • ehabehab Content Writer
    edited July 2020

    1- check /etc/pve/firewall/cluster.fw and /etc/pve/nodes/$HOSTNAME/host.fw
    2- its safer to block all ip and only accept certain ips to certain ports.
    3- proxmox firewall provides rules to add alias, ipset, group and can easily configure to server and vm. You will need to seperate/forward ports in the interfaces file.
    4- again this can be done with iptables and i think there is a interface network limit options.
    5- check how promox firewall works first. ( spend effort and time in this area because its worth it )

    have a look at soyoustart cp firewall maybe you can start from there.

    good luck or $50 for such a configuration :)

    Thanked by (1)kind
    1. OVH Monitor isn't enabled for SYS right?

    You can set monitoring to enabled or disabled in the SYS control panel. If you reboot from inside the server with monitoring enabled, the monitoring sometimes will catch it. Then SYS will schedule a technician to do hardware check and reboot the server again.

    1. Do you recommend to have RAID setup for this use? Currently I have one of the SSD unmounted.

    With RAID you get a free backup. Which might even work. :) Without RAID the second disk is doing nothing. Unless you have a use for the second disk, why not enable the RAID? Well, there was a spectacular mdadm bug a few years back. Proxmox recommends ZFS instead of RAID, but the OVH installer does not support ZFS in Proxmox VE 6.

    1. What its the best configuration for Windows regarding VM options. Screen:

    Sorry. I don't know about Windows.

    1. Is there a file config to see all the rules that has been applied? Im aware of iptables -S

    Yes. The Proxmox web GUI interacts with configuration files in /etc/pve/firewall and also /etc/pve/nodes/$HOSTNAME/host.fw. Be careful. It's easy to do it right, but it's also easy to lock yourself out. Connect from two different terminal windows on your client and leave one connection open when you change the firewall. The changes apply to new connections only.

    2- its safer to block all ip and only accept certain ips to certain ports.

    Yes.

    1. All the rules I apply to main server in SSH would be apply to my VM's if network firewall is enabled?

    In Proxmox there are four, yes, four levels of firewalls: Datacenter, Node, outside VPS, and inside VPS. These interact in various ways and everything has to be set. Warning: the default firewall configuration is to block everything except ports 8006 and 22 from the local network. So the default configuration blocks everything from the interent.

    1. Need to limit connection ammount per IP and per time, I read this tutorial (hope isn't againts the rules share the link) https://javapipe.com/blog/iptables-ddos-protection/ with a bit of tweaks could be exactly what I need, only if I can add a ban to the ip that exceed the limite, for 30mins lets said.

    Don't know. Sorry.

    1. Is there a way to add a whitelist allowlist IP for certain rules only? Like for example, I wanna limit connections with the rules from the link above, to 15 connections over 30sec.

    Don't know. Sorry.

    Think that would be all. Thanks to all for reading, sorry for all the questions and the bad english ^^

    Your English is terrific! :) And getting better every day! :)

    Hope this helps! Good luck! Have fun!

    Thanked by (1)kind

    Tom. 穆坦然. Not Oles. Happy New York City guy visiting Mexico! How is your 文言文?
    The MetalVPS.com website runs very speedily on MicroLXC.net! Thanks to @Neoon!

  • Thank you all for the replies. I've been reading a bit. Seems that I can't control VM Windows traffic through host iptables, have to look for other alternative. Also, didn't found much info about something similar to connlimit on proxmox fw, all the other things (block ports, etc, its already done).
    Maybe my problem is network configuration.

  • @kind said: Seems that I can't control VM Windows traffic through host iptables

    Why not? :)

    I thought you could. But on Proxmox I have worked mostly with LXC instead of KVM and not at all with Windows. So maybe I am wrong. If I am wrong, it would be great if somebody would please tell me why. Thanks! :)

    Tom. 穆坦然. Not Oles. Happy New York City guy visiting Mexico! How is your 文言文?
    The MetalVPS.com website runs very speedily on MicroLXC.net! Thanks to @Neoon!

  • edited July 2020

    @Not_Oles said:

    @kind said: Seems that I can't control VM Windows traffic through host iptables

    Why not? :)

    I thought you could. But on Proxmox I have worked mostly with LXC instead of KVM and not at all with Windows. So maybe I am wrong. If I am wrong, it would be great if somebody would please tell me why. Thanks! :)

    You were not wrong, I was wrong ^^. Like you already know, Im new at this. I found that its possible to add rules to vm's after saving iptables and review them. Now im facing issues with fail2ban filter for banning the detected IP's for a while.
    What I do to apply the rules was creating a group on firewall gui, assign to all my VM's running Windows, then save iptables to a file and add my iptables to the group:

    -A GROUP-global-IN -p tcp -m connlimit --connlimit-above 2 --connlimit-mask 32 --connlimit-saddr -j LOG --log-prefix "iptables: DOS"
    

    Only bad thing is that custom rules didn't show up at GUI, and if you save something in GUI, this rule would be deleted. Rule is working ok, if anyone can help me with fail2ban filter would be appreciated.

    Log:
    Jul 30 12:47:45 hyperbole kernel: [252136.066321] iptables DOS: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 MAC=02:00:00:b1:7f:51:00:ff:ff:ff:ff:fe:08:00 SRC=176.32.238.43 DST=128.59.253.15 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=23204 DF PROTO=TCP SPT=23363 DPT=3306 WINDOW=8192 RES=0x00 SYN URGP=0

  • Maybe remove your IP address?

  • @kind

    I do not understand everything you are saying. But I think I understand that some of the rules you add do not appear in the GUI.

    So maybe this might help: Proxmox has the firewall set up so that the rules in the GUI match the rules in certain files in /etc/pve.

    If you change these files, then the GUI changes. If you change the rules in the GUI, then these files change.

    Maybe look at the files in this directory: /etc/pve/firewall and also this file: /etc/pve/nodes/$NODE_NAME/host.fw

    Thanked by (1)kind

    Tom. 穆坦然. Not Oles. Happy New York City guy visiting Mexico! How is your 文言文?
    The MetalVPS.com website runs very speedily on MicroLXC.net! Thanks to @Neoon!

  • @Not_Oles Thanks for explaining this. Now I know why the other rules dissapear when I change them directly through iptables.

    @tetech those are not my real ips, I change them.

    Thanked by (1)Not_Oles
  • @kind said: @Not_Oles Thanks for explaining this. Now I know why the other rules dissapear when I change them directly through iptables.

    Excellent!

    Tom. 穆坦然. Not Oles. Happy New York City guy visiting Mexico! How is your 文言文?
    The MetalVPS.com website runs very speedily on MicroLXC.net! Thanks to @Neoon!

Sign In or Register to comment.

This Site is currently in maintenance mode.
Please check back here later.

→ Site Settings