I have a problem creating an iptables rule to forward a port to a VM. The situation:
router -> DMZ on the Proxmox host -> iptables drops INPUT (opening only the ports that are needed) and forwards some ports to the VM.
I have no problem forwarding any other port, but 80 and 443 (used by Proxmox) are the problem: if I forward them, the rule does not work.
Is it possible to change the default ports of the Proxmox GUI, 80 and 443?
How does the Proxmox 80/443 redirect work? Does Proxmox block port 80?
To access the web GUI I can use SSH tunneling to the PVE host.
My firewall script (some rules are cut):
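#!/bin/sh
#
# Host firewall for the Proxmox node: flush iptables, masquerade traffic
# leaving on vmbr0, open the listed INPUT ports on the host and DNAT a few
# public ports to the VMs behind it.
#
# Admin access through an SSH tunnel (kept from the original notes):
#ssh -L 12345:remotesite.com:80 utente@serversshremoto.com
#ssh -L 443:10.2.2.100:443 10.2.2.100   # access to the web GUI

# Stop at the first failing command so a half-applied ruleset is not left
# behind silently; -u turns a mistyped variable name into an error instead
# of an empty --dst / --to-destination.
set -eu

# Real address of the host on eth0/vmbr0 and the two VM addresses.
# (The original had the note "<- real machine" after the assignment; the
# shell parsed that as a command, so it is a comment now.)
IP_REALE=192.168.1.200
IP_VMSMARTINO=192.168.1.201
IP_VMLAMP=10.2.2.202
readonly IP_REALE IP_VMSMARTINO IP_VMLAMP

echo "Start Firewall locale..."

# Kernel tuning (left disabled, as in the original).
# echo 1 > /proc/sys/net/ipv4/ip_forward
# echo 8192 > /proc/sys/net/nf_conntrack_max #16384

# Clear all tables before re-applying the ruleset.
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X

# Default policies.
# NOTE(review): with INPUT policy ACCEPT the per-port ACCEPT rules below do
# not restrict anything; the host is only "closed" if the tail of this
# script (cut from the sample) appends a DROP/REJECT rule or this policy is
# changed to DROP. The same holds for FORWARD: everything DNATed to a VM,
# and everything the VMs send out, is forwarded unconditionally.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Enable routing and masquerade traffic leaving on vmbr0 (there is no -s
# restriction, so this applies to any source, not only the VM subnet).
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o vmbr0 -j MASQUERADE

# Host (INPUT) rules.
# These apply only to packets addressed to the host itself. Packets that
# PREROUTING DNATs to a VM traverse FORWARD, not INPUT, so the ACCEPT rules
# for forwarded ports (81, 11022, 22022, ...) are not what admits them.
iptables -A INPUT -p all -m state --state established,related -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
# Loopback is not explicitly accepted. Harmless under policy ACCEPT, but it
# becomes necessary once a DROP policy/rule is added, or local services
# talking to 127.0.0.1 break.
#iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 5022 -j ACCEPT
iptables -A INPUT -p tcp --dport 83 -j ACCEPT     # redirected ssh for administration
iptables -A INPUT -p tcp --dport 5900 -j ACCEPT   # local redirect, ssh for administration
# Services on the host.
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 81 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT    # local redirect, ssh administration and web server
iptables -A INPUT -p tcp --dport 11022 -j ACCEPT
iptables -A INPUT -p tcp --dport 12022 -j ACCEPT
iptables -A INPUT -p tcp --dport 21022 -j ACCEPT
iptables -A INPUT -p tcp --dport 22022 -j ACCEPT
iptables -A INPUT -p tcp --dport 23022 -j ACCEPT
iptables -A INPUT -p udp --dport 23194 -j ACCEPT
iptables -A INPUT -p tcp --dport 23194 -j ACCEPT

## SMARTINO (.201)
# Forward zimbra
iptables -t nat -A PREROUTING --dst "$IP_REALE" -p tcp --dport 11022 -j DNAT --to-destination "$IP_VMSMARTINO:22"
iptables -t nat -A PREROUTING --dst "$IP_REALE" -p tcp --dport 81 -j DNAT --to-destination "$IP_VMSMARTINO:80"
iptables -t nat -A PREROUTING --dst "$IP_REALE" -p tcp --dport 7071 -j DNAT --to-destination "$IP_VMSMARTINO:7071"
# OpenVPN smartino-agricoop sites
iptables -t nat -A PREROUTING --dst "$IP_REALE" -p udp --dport 11194 -j DNAT --to-destination "$IP_VMSMARTINO:1194"

## ASSO (.202)
# Forward vmlamp virtualhost
iptables -t nat -A PREROUTING --dst "$IP_REALE" -p tcp --dport 8080 -j DNAT --to-destination "$IP_VMLAMP:80"
# The two rules below are reported as not working and are kept disabled.
# NOTE(review): they are built exactly like the 8080 rule above, so the rule
# syntax is not the cause; whatever differs is outside this script (e.g.
# something re-applying rules after it, or a listener/redirect for 80/443 on
# the host). Compare the packet counters with
# `iptables -t nat -L PREROUTING -n -v --line-numbers` while connecting.
#iptables -t nat -A PREROUTING --dst "$IP_REALE" -p tcp --dport 80 -j DNAT --to-destination "$IP_VMLAMP:80"
#iptables -t nat -A PREROUTING --dst "$IP_REALE" -p tcp --dport 443 -j DNAT --to-destination "$IP_VMLAMP:443"
iptables -t nat -A PREROUTING --dst "$IP_REALE" -p tcp --dport 22022 -j DNAT --to-destination "$IP_VMLAMP:22"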
help please
router -> DMZ on the Proxmox host -> iptables drops INPUT (opening only the ports that are needed) and forwards some ports to the VM.
I have no problem forwarding any other port, but 80 and 443 (used by Proxmox) are the problem: if I forward them, the rule does not work.
Is it possible to change the default ports of the Proxmox GUI, 80 and 443?
How does the Proxmox 80/443 redirect work? Does Proxmox block port 80?
To access the web GUI I can use SSH tunneling to the PVE host.
My firewall script (some rules are cut):
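#!/bin/sh
#
# Host firewall for the Proxmox node: flush iptables, masquerade traffic
# leaving on vmbr0, open the listed INPUT ports on the host and DNAT a few
# public ports to the VMs behind it.
#
# Admin access through an SSH tunnel (kept from the original notes):
#ssh -L 12345:remotesite.com:80 utente@serversshremoto.com
#ssh -L 443:10.2.2.100:443 10.2.2.100   # access to the web GUI

# Stop at the first failing command so a half-applied ruleset is not left
# behind silently; -u turns a mistyped variable name into an error instead
# of an empty --dst / --to-destination.
set -eu

# Real address of the host on eth0/vmbr0 and the two VM addresses.
# (The original had the note "<- real machine" after the assignment; the
# shell parsed that as a command, so it is a comment now.)
IP_REALE=192.168.1.200
IP_VMSMARTINO=192.168.1.201
IP_VMLAMP=10.2.2.202
readonly IP_REALE IP_VMSMARTINO IP_VMLAMP

echo "Start Firewall locale..."

# Kernel tuning (left disabled, as in the original).
# echo 1 > /proc/sys/net/ipv4/ip_forward
# echo 8192 > /proc/sys/net/nf_conntrack_max #16384

# Clear all tables before re-applying the ruleset.
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X

# Default policies.
# NOTE(review): with INPUT policy ACCEPT the per-port ACCEPT rules below do
# not restrict anything; the host is only "closed" if the tail of this
# script (cut from the sample) appends a DROP/REJECT rule or this policy is
# changed to DROP. The same holds for FORWARD: everything DNATed to a VM,
# and everything the VMs send out, is forwarded unconditionally.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Enable routing and masquerade traffic leaving on vmbr0 (there is no -s
# restriction, so this applies to any source, not only the VM subnet).
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o vmbr0 -j MASQUERADE

# Host (INPUT) rules.
# These apply only to packets addressed to the host itself. Packets that
# PREROUTING DNATs to a VM traverse FORWARD, not INPUT, so the ACCEPT rules
# for forwarded ports (81, 11022, 22022, ...) are not what admits them.
iptables -A INPUT -p all -m state --state established,related -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
# Loopback is not explicitly accepted. Harmless under policy ACCEPT, but it
# becomes necessary once a DROP policy/rule is added, or local services
# talking to 127.0.0.1 break.
#iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 5022 -j ACCEPT
iptables -A INPUT -p tcp --dport 83 -j ACCEPT     # redirected ssh for administration
iptables -A INPUT -p tcp --dport 5900 -j ACCEPT   # local redirect, ssh for administration
# Services on the host.
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 81 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT    # local redirect, ssh administration and web server
iptables -A INPUT -p tcp --dport 11022 -j ACCEPT
iptables -A INPUT -p tcp --dport 12022 -j ACCEPT
iptables -A INPUT -p tcp --dport 21022 -j ACCEPT
iptables -A INPUT -p tcp --dport 22022 -j ACCEPT
iptables -A INPUT -p tcp --dport 23022 -j ACCEPT
iptables -A INPUT -p udp --dport 23194 -j ACCEPT
iptables -A INPUT -p tcp --dport 23194 -j ACCEPT

## SMARTINO (.201)
# Forward zimbra
iptables -t nat -A PREROUTING --dst "$IP_REALE" -p tcp --dport 11022 -j DNAT --to-destination "$IP_VMSMARTINO:22"
iptables -t nat -A PREROUTING --dst "$IP_REALE" -p tcp --dport 81 -j DNAT --to-destination "$IP_VMSMARTINO:80"
iptables -t nat -A PREROUTING --dst "$IP_REALE" -p tcp --dport 7071 -j DNAT --to-destination "$IP_VMSMARTINO:7071"
# OpenVPN smartino-agricoop sites
iptables -t nat -A PREROUTING --dst "$IP_REALE" -p udp --dport 11194 -j DNAT --to-destination "$IP_VMSMARTINO:1194"

## ASSO (.202)
# Forward vmlamp virtualhost
iptables -t nat -A PREROUTING --dst "$IP_REALE" -p tcp --dport 8080 -j DNAT --to-destination "$IP_VMLAMP:80"
# The two rules below are reported as not working and are kept disabled.
# NOTE(review): they are built exactly like the 8080 rule above, so the rule
# syntax is not the cause; whatever differs is outside this script (e.g.
# something re-applying rules after it, or a listener/redirect for 80/443 on
# the host). Compare the packet counters with
# `iptables -t nat -L PREROUTING -n -v --line-numbers` while connecting.
#iptables -t nat -A PREROUTING --dst "$IP_REALE" -p tcp --dport 80 -j DNAT --to-destination "$IP_VMLAMP:80"
#iptables -t nat -A PREROUTING --dst "$IP_REALE" -p tcp --dport 443 -j DNAT --to-destination "$IP_VMLAMP:443"
iptables -t nat -A PREROUTING --dst "$IP_REALE" -p tcp --dport 22022 -j DNAT --to-destination "$IP_VMLAMP:22"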
help please