[SOLVED] How to do DNAT with SDN custom rule on Single host?

be-team

On a root server with one NIC I set up Proxmox VE 8.1.4 with two SDN simple zones, so I have three bridges configured: vmbr0 connected to eno1 with public IP, dmznet with SNAT and subnet 192.168.100.0/24 for nginx reverse proxy. Third bridge is labnet 192.168.200.0/24 for the application containers. To set up direct ssh communication to the lab containers from the developers' machines I added a port forwarding rule on the proxmox host like so:

Bash:
iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 37122 -j DNAT --to 192.168.200.10:22

Is there a better way to achieve this using a SDN custom rule, and if so, where should I place that - on datacenter level, host level, or container level?
 
Thanks for your quick response, spirit! Before the advent of nftables I was a big fan of shorewall. Do you (or anybody else) happen to know whether DNAT port forwarding is on the roadmap for proxmox SDN?
 
I think DNAT will be the last thing.

We need to finish DHCP first, then clean SNAT. (Currently it's done in /etc/network/interfaces; it should be done in a daemon, like pve-firewall.)

Then DNAT. (And for DNAT, I don't know how to manage it with live migration/conntrack/...; with a single server it's pretty simple.)
 
So I will try and put my supplementary iptables rules into a systemd unit. As I am not too experienced with those: Should I go for "require" or "after", and which target would be a good predecessor? Some searching pointed me to systemd-analyze. If I read its output correctly, pvedaemon.service or pvestatd.service seem like suitable candidates. On my single server, it seems acceptable to me to neglect live migration - at least for a first pragmatic solution.

P.S.: With openvz, I remember something like a <VMID>.mount script running when a container is started. Would that be a better place, or is it now done via "hookscript" for lxc containers?
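The following is an added example, not code from the thread or from Proxmox: an idempotent script that installs the DNAT rule from the first post (plus a matching FORWARD accept, harmless if the chain already accepts) and writes the systemd oneshot unit asked about above. The script path /usr/local/sbin/pve-dnat.sh, the unit name pve-dnat.service and the second port mapping (37222 to 192.168.200.11) are assumptions chosen for illustration; pve-firewall.service is the real unit name of the Proxmox firewall daemon.

```shell
#!/bin/sh
# Hypothetical helper (added example): /usr/local/sbin/pve-dnat.sh
# Idempotent DNAT port forwards for a single-host Proxmox VE box, plus the
# systemd unit that re-applies them after the network and pve-firewall are up.
set -eu

# Public-facing bridge and the forward mappings, one per line:
#   <public tcp port>  <container ip>  <container port>
# First line is the mapping from the post; the second is constructed.
WAN_IF="vmbr0"
FORWARDS="
37122 192.168.200.10 22
37222 192.168.200.11 22
"

# Print the iptables chain and arguments for one DNAT rule in the nat table.
dnat_rule() {
    # $1 = public port, $2 = container IP, $3 = container port
    printf '%s' "PREROUTING -i $WAN_IF -p tcp --dport $1 -j DNAT --to-destination $2:$3"
}

# Print the filter-table FORWARD rule that admits only new connections to the
# translated destination (FORWARD sees the post-DNAT address and port).
forward_rule() {
    printf '%s' "FORWARD -i $WAN_IF -p tcp -d $2 --dport $3 -m conntrack --ctstate NEW -j ACCEPT"
}

# Append a rule only if it is not already present: -C checks, -A appends.
# This keeps repeated runs (boot, manual re-run) from duplicating rules.
ensure_rule() {
    table="$1"
    shift
    # Split the rule spec string into arguments (intentional word splitting).
    set -- $1
    iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
}

# Walk the mapping table and install both rules for every entry.
apply_rules() {
    printf '%s\n' "$FORWARDS" | while read -r pub ip port; do
        [ -n "$pub" ] || continue
        ensure_rule nat "$(dnat_rule "$pub" "$ip" "$port")"
        ensure_rule filter "$(forward_rule "$pub" "$ip" "$port")"
    done
}

# Render the oneshot unit to the path given as $1. After= only orders the
# unit; Wants= additionally pulls network-online.target in. pve-firewall is
# ordered but not required, so the forwards still get installed if the
# firewall daemon is disabled on this host.
write_unit() {
    cat > "$1" <<'EOF'
[Unit]
Description=Custom DNAT port forwards for lab containers (added example)
After=network-online.target pve-firewall.service
Wants=network-online.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/pve-dnat.sh apply

[Install]
WantedBy=multi-user.target
EOF
}

case "${1:-}" in
    apply)
        apply_rules ;;
    install-unit)
        write_unit /etc/systemd/system/pve-dnat.service
        systemctl daemon-reload
        systemctl enable --now pve-dnat.service ;;
    *)
        : ;;   # no action when sourced or run without a sub-command
esac
```

Run `pve-dnat.sh install-unit` once as root; afterwards `systemctl status pve-dnat.service` and `iptables -t nat -L PREROUTING -n --line-numbers` show whether the forwards are in place. Because every rule is added through `ensure_rule`, re-running `pve-dnat.sh apply` after editing FORWARDS is safe; removing a mapping still requires deleting the old rule by hand, since the script never flushes chains that pve-firewall or the SNAT post-up hooks may also use.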
 