[SOLVED] Linux Bridge on a public address

Now another question: how can I make sure that some ports are listened to by a VM, another port by another VM, etc...?

The setup we did was to make POSTROUTING NAT; for PREROUTING NAT, just add the necessary rules below the POSTROUTING section that you already have in your network setup.. probably you will need to PREROUTING to the correct inbound guest TAP interface, each guest has a specific TAP interface inside the Proxmox node for the networking bridge... as this is a more complicated setup that I never used before, maybe you need to test it a little bit deeper!

my advice is to use an external FIREWALL to control this kind of NAT rule... but it is up to you!!!
 
Did I make a mistake? The VM does not have access to the Internet: https://prnt.sc/pza4dm .... And do you have a doc on PREROUTING?
I have found this for PREROUTING:

Change the destination address of web traffic to 5.6.7.8:
Code:
iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 \
        -j DNAT --to 5.6.7.8:80
 
Code:
iptables -t nat -nL -v

Code:
Chain PREROUTING (policy ACCEPT 157M packets, 210G bytes)
pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 17888 packets, 1174K bytes)
pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 630 packets, 42748 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 630 packets, 42748 bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      vmbr0   10.0.0.0/24          0.0.0.0/0
 
pkts bytes target prot opt in out source destination 0 0 MASQUERADE all -- * vmbr0 10.0.0.0/24 0.0.0.0/0

My understanding is that this line should do the JOB regarding the INTERNET access from guests...

maybe the Proxmox node is not allowing forwarded traffic, or routing is not enabled in sysctl.conf

try this:

in /etc/network/interfaces, add these lines below the other POSTROUTING rules..

post-up iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
post-down iptables -D FORWARD -s 10.0.0.0/24 -j ACCEPT

also check if the routing is enabled on proxmox node:

cat /proc/sys/net/ipv4/ip_forward

if this file shows '0' the routing is not enabled.. so make it turn to '1'..

echo 1 > /proc/sys/net/ipv4/ip_forward
 
Indeed the file /proc/sys/net/ipv4/ip_forward was at 0... I added the two additional lines to the /etc/network/interfaces file. I also restarted the server to apply all of them correctly. Unfortunately I can't test right away; I'll get back to you in an hour :)
 
However, I just noticed that /proc/sys/net/ipv4/ip_forward has gone back to 0 after the reboot....
After changing the value to 1 I can ping 8.8.8.8
 
However, I just noticed that /proc/sys/net/ipv4/ip_forward has gone back to 0 after the reboot

yes, it will always happen!! you have to fix it in /etc/sysctl.conf

the file /etc/sysctl.conf on Proxmox already has a section explaining this:

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
 
Ok! For the file /etc/sysctl.conf it's done! Now I have access to the Internet on my VMs thanks to you! ;) Thank you!!!

Now if you don't mind, do you want to spend a few minutes on port forwarding for incoming connections on VMs?
I found something in post #22, but maybe you have a cleaner and more permanent solution in the /etc/network/interfaces file to offer me? ;)
 
maybe you have a cleaner and more permanent solution in the /etc/network/interfaces file to offer me?

Just spend some time to understand how iptables works inside a Linux box!!! You will also need some networking knowledge!!

As an example, try this:

iptables -t nat -A PREROUTING -p tcp --dport 80 -i vmbr0 -d 185.246.87.214 -j DNAT --to 10.0.0.15:80
iptables -A FORWARD -p tcp --dport 80 -i vmbr0 -d 10.0.0.15 -j ACCEPT

insert these commands directly in the Proxmox shell/ssh and test the connection from outside... if it works, put the lines inside /etc/network/interfaces to load at boot.
 
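To tie together the two things worked out in this thread, the ip_forward check (and why it must also be set in /etc/sysctl.conf to survive a reboot) and the DNAT + FORWARD rule pair for inbound port forwarding, here is an added example script. It is not from this thread, from Danilo, or from Proxmox. It assumes the public bridge vmbr0, the 185.246.87.214 address and the 10.0.0.x guest addresses that appear above; the file paths are parameters so the checks can be run against copies of the real files, and the script itself only reads files and prints rule lines, it never calls iptables.

```shell
#!/bin/sh
# Added example, not from the thread or from Proxmox: helpers for the two
# things discussed above. Assumptions: the public bridge is vmbr0 and the
# guest subnet is 10.0.0.0/24 (both from the thread); the file paths are
# parameters so the checks can be run against copies of the real files.

# Return 0 when the kernel currently forwards IPv4 (the proc file reads "1").
ip_forward_enabled() {
    proc_file="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$proc_file" ] && [ "$(cat "$proc_file")" = "1" ]
}

# Return 0 when sysctl.conf carries an UNCOMMENTED net.ipv4.ip_forward=1,
# i.e. the setting survives a reboot. The stock Proxmox file ships the line
# commented out ("#net.ipv4.ip_forward=1"), which must not count as enabled.
ip_forward_persisted() {
    conf="${1:-/etc/sysctl.conf}"
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$conf"
}

# Print the post-up/post-down lines for one TCP port forward:
#   forward_rules <public_if> <public_ip> <public_port> <guest_ip> <guest_port>
# nat/PREROUTING rewrites the destination before filter/FORWARD sees the
# packet, so the FORWARD rule must match the guest address and GUEST port;
# a FORWARD rule matching the public port would never hit. post-down removes
# exactly these rules (-D) instead of flushing every table.
forward_rules() {
    pub_if=$1; pub_ip=$2; pub_port=$3; guest_ip=$4; guest_port=$5
    for n in "$pub_port" "$guest_port"; do
        case "$n" in
            ''|*[!0-9]*) echo "port must be numeric: '$n'" >&2; return 1 ;;
        esac
        if [ "$n" -lt 1 ] || [ "$n" -gt 65535 ]; then
            echo "port out of range: $n" >&2; return 1
        fi
    done
    dnat="-p tcp -i $pub_if -d $pub_ip --dport $pub_port -j DNAT --to-destination $guest_ip:$guest_port"
    fwd="-p tcp -i $pub_if -d $guest_ip --dport $guest_port -j ACCEPT"
    printf 'post-up iptables -t nat -A PREROUTING %s\n' "$dnat"
    printf 'post-up iptables -A FORWARD %s\n' "$fwd"
    printf 'post-down iptables -t nat -D PREROUTING %s\n' "$dnat"
    printf 'post-down iptables -D FORWARD %s\n' "$fwd"
}

# Stand-alone run: report forwarding status and print the thread's example
# mapping (public port 23 on 185.246.87.214 to SSH on guest 10.0.0.11).
if ip_forward_enabled; then echo "ip_forward: enabled now"; else echo "ip_forward: DISABLED now"; fi
if ip_forward_persisted; then echo "ip_forward: persisted in /etc/sysctl.conf"; else echo "ip_forward: NOT persisted (uncomment net.ipv4.ip_forward=1)"; fi
forward_rules vmbr0 185.246.87.214 23 10.0.0.11 22
```

Run it on the node as-is to see the status lines and the four interface-file lines; paste the printed lines under the vmbr2 stanza. Keeping the FORWARD rule narrowed to the guest address and port (rather than a blanket ACCEPT) means that if the FORWARD policy is later switched to DROP, only the published service stays reachable.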
I tried to test with Windows remote desktop control ports and everything works! ;)

Thank you for your precious help Danilo Montagna ! I think this subject is closed ;)
 
For your information, here is my final configuration with an example of port forwarding to one of my VMs. I hope everything will be fine. Thank you again for your help

Code:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual

# interface iface - public address interface bridge
auto vmbr0
iface vmbr0 inet static
address 185.246.xx.xxx
netmask 255.255.255.0
gateway 185.246.xx.x
broadcast 185.246.xx.xxx
network 185.246.xx.x
bridge_ports eth0
bridge_stp off
bridge_fd 0

# internal iface - used to bridge VMs with invalid address with NAT
auto vmbr2
iface vmbr2 inet static
address 10.0.0.1
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0
post-up iptables -A POSTROUTING -t nat -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
post-up iptables -A POSTROUTING -t mangle -p udp --dport bootpc -j CHECKSUM --checksum-fill
post-up iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
post-up iptables -t nat -A PREROUTING -p tcp --dport 23 -i vmbr0 -d 185.246.xx.xxx -j DNAT --to 10.0.0.11:22
# FORWARD sees the packet after DNAT, so it must match the guest port (22), not the public port (23)
post-up iptables -A FORWARD -p tcp --dport 22 -i vmbr0 -d 10.0.0.11 -j ACCEPT
post-down iptables -t filter -F
post-down iptables -t nat -F
post-down iptables -t mangle -F
 
