NAT no outgoing connection

Thread starter: das7002
I've spent days trying to figure this out. I can't for the life of me figure out why exactly this is happening...

If I create a VM with NAT networking it'll boot up and seem to work fine. Gets an IP address and everything from the internal DHCP (Proxmox default is apparently 10.0.2.0/24 as I never changed that).

I can even do DNS lookups on the (probably) passthrough 10.0.2.3. And 10.0.2.2 shows the Proxmox web interface if I go to it in a browser.

Code:
cat /proc/sys/net/ipv4/ip_forward
1

IP forwarding is on.

I currently have not a single rule in iptables:

Code:
# Generated by iptables-save v1.4.8 on Mon Jun 11 23:21:06 2012
*nat
:PREROUTING ACCEPT [616:32473]
:POSTROUTING ACCEPT [395:24316]
:OUTPUT ACCEPT [346:21251]
COMMIT
# Completed on Mon Jun 11 23:21:06 2012
# Generated by iptables-save v1.4.8 on Mon Jun 11 23:21:06 2012
*mangle
:PREROUTING ACCEPT [21897:4212794]
:INPUT ACCEPT [13500:2312159]
:FORWARD ACCEPT [8365:1899091]
:OUTPUT ACCEPT [12401:4403267]
:POSTROUTING ACCEPT [20766:6302358]
COMMIT
# Completed on Mon Jun 11 23:21:06 2012
# Generated by iptables-save v1.4.8 on Mon Jun 11 23:21:06 2012
*filter
:INPUT ACCEPT [13271:2280773]
:FORWARD ACCEPT [8324:1896152]
:OUTPUT ACCEPT [12173:4364814]
:fail2ban-ssh - [0:0]
:fail2ban-ssh-ddos - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh-ddos
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh-ddos -j RETURN
COMMIT
# Completed on Mon Jun 11 23:21:06 2012

I've even tried using a slightly modified iptables ruleset that I use on my non-Proxmox KVM systems to get NAT working:

Code:
*nat
:PREROUTING ACCEPT [661:21364]
:POSTROUTING ACCEPT [58069:3670258]
:OUTPUT ACCEPT [58069:3670258]
-A POSTROUTING -s 10.0.2.0/24 ! -d 10.0.2.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [1212620:674141323]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1518464:780474182]
-A INPUT -i vmbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i vmbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i vmbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i vmbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 10.0.2.0/24 -o vmbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.2.0/24 -i vmbr0 -j ACCEPT
-A FORWARD -i vmbr0 -o vmbr0 -j ACCEPT
-A FORWARD -o vmbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i vmbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT

Also, no dice.

I don't use the standard network setup though: my host uses eth0 for the internal datacenter network for server <=> server connections, and eth1 is public. So my /etc/network/interfaces is like so:

Code:
auto eth0
iface eth0 inet static
        address 172.24.112.130
        netmask 255.255.255.128
        broadcast 172.24.112.255

auto lo
iface lo inet loopback

auto vmbr0
iface vmbr0 inet static
        address XXX.XXX.XXX.XXX
        netmask 255.255.255.248
        gateway XXX.XXX.XXX.XXX
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0

What exactly am I missing here? I really have no idea what is wrong here...
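An added example, not from this thread and not Proxmox's own code: a POSIX shell script that checks an iptables-save dump and an ip_forward value for the three host-side prerequisites the posts above go through (forwarding switched on, a POSTROUTING MASQUERADE/SNAT rule for the VM subnet, and a FORWARD chain that accepts traffic from that subnet). The two embedded samples are trimmed copies of the original poster's rulesets with counters zeroed; the FORWARD check is a simplified first-match walk that looks only at -s/-d and ignores interface and state matches. One caveat, a fact about QEMU rather than something the thread states: 10.0.2.2 as gateway and 10.0.2.3 as DNS are the defaults of QEMU's user-mode (SLIRP) networking, which performs its NAT inside the QEMU process, so host iptables rules of this kind only come into play when the VM is attached to a host bridge.

```shell
#!/bin/sh
# Added example (not from the thread or from Proxmox): check an iptables-save
# dump plus an ip_forward value for the host-side NAT prerequisites.
# Run with no arguments to check the constructed samples below; pass a dump
# file and a subnet to check a real host.

# Constructed sample: the original poster's empty ruleset, trimmed.
SAMPLE_EMPTY='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed sample: the masquerading ruleset from the original post, trimmed.
SAMPLE_MASQ='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.0.2.0/24 ! -d 10.0.2.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d 10.0.2.0/24 -o vmbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.2.0/24 -i vmbr0 -j ACCEPT
-A FORWARD -o vmbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i vmbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# ip_forward_enabled FILE: succeed if FILE (normally /proc/sys/net/ipv4/ip_forward) reads 1.
ip_forward_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# has_masquerade DUMP SUBNET: succeed if the nat table has a POSTROUTING rule
# with "-s SUBNET" that jumps to MASQUERADE or SNAT.
has_masquerade() {
    printf '%s\n' "$1" | awk -v net="$2" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && $1 == "-A" && $2 == "POSTROUTING" &&
            index($0 " ", " -s " net " ") && $0 ~ /-j (MASQUERADE|SNAT)/ { found = 1 }
        END { exit !found }'
}

# forward_verdict DUMP SUBNET: print the target of the first FORWARD rule that
# applies to traffic sourced from SUBNET (a rule naming "-s SUBNET", or a rule
# with no -s/-d at all); fall back to the chain policy when no rule applies.
forward_verdict() {
    printf '%s\n' "$1" | awk -v net="$2" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == ":FORWARD" { policy = $2 }
        table == "filter" && $1 == "-A" && $2 == "FORWARD" && verdict == "" {
            if (index($0 " ", " -s " net " ") || ($0 !~ / -s / && $0 !~ / -d /)) {
                for (i = 3; i <= NF; i++) if ($i == "-j") verdict = $(i + 1)
            }
        }
        END { print (verdict != "" ? verdict : policy) }'
}

# check_nat DUMP SUBNET IP_FORWARD_FILE: print one line per prerequisite and
# succeed only if all three hold.
check_nat() {
    ok=0
    if ip_forward_enabled "$3"; then echo "ip_forward: on"; else echo "ip_forward: OFF"; ok=1; fi
    if has_masquerade "$1" "$2"; then echo "masquerade for $2: present"
    else echo "masquerade for $2: MISSING"; ok=1; fi
    v=$(forward_verdict "$1" "$2")
    echo "FORWARD verdict for $2: $v"
    [ "$v" = ACCEPT ] || ok=1
    return $ok
}

# Demo: real dump if given (iptables-save > dump; sh nat_check.sh dump 10.0.2.0/24),
# otherwise the two constructed samples against this host's ip_forward.
if [ $# -ge 2 ]; then
    check_nat "$(cat "$1")" "$2" /proc/sys/net/ipv4/ip_forward || true
else
    echo "== empty ruleset =="
    check_nat "$SAMPLE_EMPTY" 10.0.2.0/24 /proc/sys/net/ipv4/ip_forward || true
    echo "== masquerade ruleset =="
    check_nat "$SAMPLE_MASQ" 10.0.2.0/24 /proc/sys/net/ipv4/ip_forward || true
fi
```

The script name nat_check.sh in the comment is my own choice. On the poster's empty ruleset the report flags the masquerade rule as missing; on the second ruleset all three host-side checks pass, which is consistent with the thread's finding that the host rules were not where the problem lay.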
 
Try:

Code:
iptables -t nat -A POSTROUTING -s 10.0.2.15 -j MASQUERADE

Sent from my GT-I9100 using Tapatalk

Tried that (happened to be the IP the DHCP gave to the VM) and with 10.0.2.0/24 and neither worked. I really am stumped as to why this is being so insanely difficult...
 
Yep, but I think sysctl reads this from /etc/sysctl.conf.

That's a very strange and funny thing :-$

Sent from my GT-I9100 using Tapatalk
 
> Yep, but I think sysctl reads this from /etc/sysctl.conf.
>
> That's a very strange and funny thing :-$
>
> Sent from my GT-I9100 using Tapatalk

I used cat in my original post, and sysctl in the quote reply. I really have no idea what is going on...
 
Have you tried clearing all iptables rules in FORWARD?

Code:
iptables -F FORWARD && iptables -P FORWARD ACCEPT

Sent from my GT-I9100 using Tapatalk
 
> Have you tried clearing all iptables rules in FORWARD? iptables -F FORWARD && iptables -P FORWARD ACCEPT
>
> Sent from my GT-I9100 using Tapatalk

As I also said in my original post, I currently have absolutely no rules in iptables, and I used my kvm base rules slightly modified to fit proxmox, both of which didn't do anything for me...
 
> As I also said in my original post, I currently have absolutely no rules in iptables, and I used my kvm base rules slightly modified to fit proxmox, both of which didn't do anything for me...

Did you ever get this to work?
I have the same issues under Proxmox 2.1.
The odd thing is I could get out with OpenBSD, but not FreeBSD.
I didn't make any changes in either case. The internal router address 10.0.2.2 is accessible.
In the case of OpenBSD the default route works, but FreeBSD will not route beyond 10.0.X.X.
I have also observed that a second KVM that's using NAT comes up with the same IP but different MAC.
It's like DHCP is not managing the addresses and routing properly.
How can I debug the Proxmox DHCP functionality?
Any help would be great. Thanks !
 
No, I never did. I kind of just gave up on it and got more IPs from my host (even though I didn't want to).
 
Just to let you know that I do have the exact same problem with proxmox v2.1.14.
Network does work during a Debian/Squeeze installation, but not anymore on the system after the first reboot.
I'll let you know if I can find a fix or workaround.
 
Still having this issue with Proxmox 4.4-13, anyone found a fix yet? Surprisingly, in the qemu config I have this:

Code:
args: --redir tcp:2222::22 --redir tcp:4000::4000 --redir tcp:4001::4001 --redir tcp:4002::4002

This allows me to connect through ssh on port 2222, which works. Just outside traffic is having issues.