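#!/bin/bash
#
# Fix Proxmox Firewall Access - Allow Default Network (192.168.0.0/24)
#
# Usage: ./scripts/proxmox/fix-firewall-access.sh
#
# For every reachable Proxmox node this script appends an ACCEPT rule for
# DEFAULT_NETWORK to the node's host firewall file, makes sure the ruleset is
# compiled, and restarts pve-firewall. All remote work runs as root over SSH,
# so key-based root access to the nodes must already be set up.
#
# Environment (all optional; normally provided by config/ip-addresses.conf):
#   PROXMOX_HOST_ML110, PROXMOX_HOST_R630_01, PROXMOX_HOST_R630_02
#       management addresses of the three nodes (defaults below)
#   NETWORK_192_168_11_0
#       first three octets of the network the operator is currently on
#   PROXMOX_SSH_STRICT_HOST_KEY_CHECKING
#       value passed to ssh -o StrictHostKeyChecking (default: accept-new)
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
# The config file is optional: every value it provides has a default below.
# shellcheck source=/dev/null
source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true

# "<address>:<node name>" pairs; the node name is only used in messages.
readonly PROXMOX_HOSTS=(
  "${PROXMOX_HOST_ML110:-192.168.11.10}:ml110"
  "${PROXMOX_HOST_R630_01:-192.168.11.11}:r630-01"
  "${PROXMOX_HOST_R630_02:-192.168.11.12}:r630-02"
)
readonly DEFAULT_NETWORK="192.168.0.0/24"
# NOTE(review): CURRENT_NETWORK is computed but never used anywhere below. If a
# node's input policy is DROP, the network the operator connects from needs its
# own ACCEPT rule or this run can cut off management access — confirm before
# running it from 192.168.11.0/24.
# shellcheck disable=SC2034
readonly CURRENT_NETWORK="${NETWORK_192_168_11_0:-192.168.11.0}/24"

# Options shared by every ssh call. "accept-new" records a node's key on first
# contact and refuses a changed key afterwards; the original "no" also accepted
# changed keys, so a spoofed node could have received a root session that edits
# firewall files. Set PROXMOX_SSH_STRICT_HOST_KEY_CHECKING=no to restore that
# behaviour (OpenSSH older than 7.6, or after a deliberate reinstall).
readonly SSH_OPTS=(
  -o ConnectTimeout=5
  -o "StrictHostKeyChecking=${PROXMOX_SSH_STRICT_HOST_KEY_CHECKING:-accept-new}"
)

# Firewall files on the node. Proxmox reads host-level rules from
# /etc/pve/nodes/<node>/host.fw; the original wrote to
# /etc/pve/firewall/host.fw, a path pve-firewall does not read.
# REMOTE_HOST_FW is single-quoted on purpose: $(hostname) must expand on the
# node, not here.
readonly REMOTE_CLUSTER_FW='/etc/pve/firewall/cluster.fw'
# shellcheck disable=SC2016
readonly REMOTE_HOST_FW='/etc/pve/nodes/$(hostname)/host.fw'

#######################################
# Run a command as root on a node with the shared ssh options.
# Arguments: $1 - node address, $2... - remote command
# Returns:   ssh's exit status
#######################################
remote() {
  local host=$1
  shift
  ssh "${SSH_OPTS[@]}" "root@${host}" "$@"
}

#######################################
# Reachability check: one ICMP echo with a 2 s timeout.
# Arguments: $1 - node address
# Returns:   0 if the node answered, non-zero otherwise
#######################################
check_host() {
  local host=$1
  ping -c 1 -W 2 "$host" >/dev/null 2>&1
}

#######################################
# Check that a root SSH session can be opened.
# Arguments: $1 - node address
# Returns:   0 if the remote echo succeeded, non-zero otherwise
#######################################
check_ssh() {
  local host=$1
  remote "$host" "echo 'SSH OK'" >/dev/null 2>&1
}

#######################################
# Print the node's pve-firewall status line.
# Arguments: $1 - node address
# Outputs:   output of 'pve-firewall status', or 'disabled' if that fails
# Returns:   ssh's exit status
#######################################
get_firewall_status() {
  local host=$1
  remote "$host" "pve-firewall status 2>/dev/null || echo 'disabled'" 2>/dev/null
}

#######################################
# Compile the node's ruleset.
# NOTE(review): despite the name this only runs 'pve-firewall compile'. The
# firewall itself is switched on by 'enable: 1' under [OPTIONS] in cluster.fw,
# which this script never writes — confirm the datacenter firewall is already
# enabled if the added rule appears to have no effect.
# Arguments: $1 - node address
# Outputs:   'enabled' if compile succeeded, 'error' otherwise
#######################################
enable_firewall() {
  local host=$1
  remote "$host" \
    "pve-firewall compile 2>/dev/null && echo 'enabled' || echo 'error'" 2>/dev/null
}

#######################################
# Check whether a network already appears in cluster.fw or the node's host.fw.
# Arguments: $1 - node address, $2 - network in CIDR form
# Returns:   0 if found, non-zero otherwise
#######################################
rule_exists() {
  local host=$1
  local network=$2
  # -F: match the CIDR literally; as a regex every '.' would match any byte.
  remote "$host" \
    "grep -qF -- '${network}' ${REMOTE_CLUSTER_FW} 2>/dev/null || \
     grep -qF -- '${network}' ${REMOTE_HOST_FW} 2>/dev/null" 2>/dev/null
}

#######################################
# Ensure the node's host.fw exists, contains the DEFAULT_NETWORK rule, and
# that the ruleset is compiled and running.
# Globals:   DEFAULT_NETWORK, REMOTE_HOST_FW (read)
# Arguments: $1 - node address, $2 - node name (for messages only)
# Outputs:   progress messages on stdout
# Returns:   0 on success, 1 if the firewall file or rule could not be written
#######################################
add_firewall_rule() {
  local host=$1
  local node_name=$2
  local status

  echo "  Configuring firewall on ${node_name} (${host})..."

  # Create an enabled, empty host firewall file if the node has none yet.
  # \" and \$ are escaped so the remote shell, not this one, expands "$fw".
  # Explicit '|| return' because 'set -e' is suspended inside a function that
  # the caller invokes as an 'if' condition.
  if ! remote "$host" \
      "fw=${REMOTE_HOST_FW}; test -f \"\$fw\" || printf '[OPTIONS]\nenable: 1\n\n[RULES]\n' > \"\$fw\"" \
      2>/dev/null; then
    echo "  ❌ Could not create host firewall file"
    return 1
  fi

  if rule_exists "$host" "$DEFAULT_NETWORK"; then
    echo "  ✅ Rule for ${DEFAULT_NETWORK} already exists"
  else
    echo "  ➕ Adding rule to allow ${DEFAULT_NETWORK}..."
    # The ssh call is the 'if' condition so a failure reaches the else branch;
    # the original's '$? -eq 0' check came after a plain command and so, under
    # 'set -e', could never observe a failure.
    # '-log nolog' replaces the original '-log nocomment', which is not a
    # pve-firewall log level and caused the parser to discard the rule.
    if remote "$host" \
        "printf '%s\n' '# Allow Default Network (${DEFAULT_NETWORK})' \
           'IN ACCEPT -source ${DEFAULT_NETWORK} -log nolog' >> ${REMOTE_HOST_FW}" \
        2>/dev/null; then
      echo "  ✅ Rule added successfully"
    else
      echo "  ❌ Failed to add rule"
      return 1
    fi
  fi

  # Declaration and assignment are separate so ssh's exit status is visible;
  # an unreadable status is deliberately treated like 'disabled'.
  status=$(get_firewall_status "$host") || status=""
  # NOTE(review): presumably 'pve-firewall status' contains 'disabled' while
  # the datacenter firewall is off — confirm on a node.
  if [[ -z "$status" || "$status" == *disabled* ]]; then
    echo "  🔄 Enabling firewall..."
    enable_firewall "$host"
  fi

  echo "  🔄 Compiling firewall rules..."
  # Best effort on purpose: a restart failure must not abort the other nodes.
  remote "$host" \
    "pve-firewall compile 2>/dev/null && pve-firewall restart 2>/dev/null || true" \
    2>/dev/null
  echo "  ✅ Firewall configured on ${node_name}"
}

#######################################
# Walk PROXMOX_HOSTS, skip nodes that answer neither ping nor SSH, configure
# the rest, then print a summary with connectivity test commands.
# Globals:   PROXMOX_HOSTS, DEFAULT_NETWORK, PROXMOX_HOST_* (read)
# Outputs:   progress and summary on stdout
#######################################
main() {
  local entry ip node_name

  echo "🔧 Proxmox Firewall Configuration Script"
  echo ""
  echo "This script will configure firewall rules on all Proxmox hosts"
  echo "to allow access from Default network (${DEFAULT_NETWORK})"
  echo ""
  echo "📋 Processing Proxmox hosts..."
  echo ""

  for entry in "${PROXMOX_HOSTS[@]}"; do
    IFS=':' read -r ip node_name <<<"$entry"
    echo "🔍 Checking ${node_name} (${ip})..."

    if ! check_host "$ip"; then
      echo "  ❌ Host ${ip} is not reachable (ping failed)"
      echo ""
      continue
    fi

    if ! check_ssh "$ip"; then
      echo "  ⚠️  SSH access failed - may need to configure SSH keys"
      echo "  You can manually configure firewall via web UI:"
      echo "  https://${ip}:8006 → Datacenter → Firewall → Host Firewall"
      echo ""
      continue
    fi

    # A node that fails is reported and the loop moves on to the next one;
    # the original aborted the whole run here through 'set -e'.
    if ! add_firewall_rule "$ip" "$node_name"; then
      echo "  ❌ Firewall configuration on ${node_name} incomplete"
    fi
    echo ""
  done

  echo "✅ Firewall configuration complete!"
  echo ""
  echo "📋 Summary:"
  echo "  All accessible Proxmox hosts have been configured to allow"
  echo "  traffic from Default network (${DEFAULT_NETWORK})"
  echo ""
  echo "🧪 Test connectivity:"
  echo "  # From Default network (192.168.0.x)"
  echo "  ping ${PROXMOX_HOST_ML110:-192.168.11.10}  # ml110"
  echo "  ping ${PROXMOX_HOST_R630_01:-192.168.11.11}  # r630-01"
  echo "  ping ${PROXMOX_HOST_R630_02:-192.168.11.12}  # r630-02"
  echo ""
  echo "  # Web UI access"
  # Same defaults as PROXMOX_HOSTS: the original expanded the bare variables
  # here, which 'set -u' rejects whenever the config file is absent.
  echo "  https://${PROXMOX_HOST_ML110:-192.168.11.10}:8006  # ml110"
  echo "  https://${PROXMOX_HOST_R630_01:-192.168.11.11}:8006  # r630-01"
  echo "  https://${PROXMOX_HOST_R630_02:-192.168.11.12}:8006  # r630-02"
}

main "$@"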