Default Source NATting (SNAT) to Proxmox Network IP

h2owasser

Dec 29, 2025
I’m experiencing an issue where all packets from a virtual machine (VM) are being sent using the IP address of the Proxmox VE (PVE) host. Here are the details:


  • The output from my iptables command shows SNAT in the POSTROUTING chain:
Code:
$ sudo iptables -t nat -L -n -v
Chain POSTROUTING (policy ACCEPT 7553 packets, 502K bytes)
368K   22M SNAT       all  --  *      vmbr0   192.168.178.0/24     0.0.0.0/0            to:192.168.178.178
0      0   SNAT       all  --  *      vmbr0   192.168.178.0/24     0.0.0.0/0            to:192.168.178.178
  1. Is there a way to disable SNAT for my VMs?
  2. Why does the same SNAT rule appear twice?
  3. Where is the information about this SNAT rule stored, as I couldn’t find any reference in /etc/network/interfaces?

Any insights would be greatly appreciated!
 
What does your /etc/network/interfaces look like? Could you please post it here?

Also, have you configured anything else, like SDN for example?

Just to rule out any other potential sources, are you using anything else to manage your host's network configuration?
 
The config is quite easy:

Code:
auto vmbr0
iface vmbr0 inet static
    address 192.168.178.178/24
    gateway 192.168.178.1
    bridge-ports bond0
    bridge-stp off
    bridge-fd 0

I configured SDN, but deleted all networks, so the current configuration is empty. Basically the firewall is enabled, but I can't find a corresponding rule.
 
Hmm, I see.

Maybe it's something that got left behind due to something else then; perhaps from an older configuration. (E.g. running iptables commands in /etc/network/interfaces by using post-up / post-down statements.)

Anyhow, you should be able to remove the rules by running the following command twice:

Bash:
iptables -t nat -D POSTROUTING -s '192.168.178.0/24' -o vmbr0 -j SNAT --to-source 192.168.178.178

If something goes wrong and you need to add the rule back for some reason, replace the -D with -A.
 
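Added example, not part of the original posts: a read-only audit over `iptables -t nat -S POSTROUTING` output that counts identical SNAT rules (the rule in this thread was installed twice), prints the matching delete commands for review, and searches ifupdown files for the post-up / post-down iptables hooks suggested above. The function names and the sample rule dump are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read-only audit of POSTROUTING SNAT rules.
# Live use:  iptables -t nat -S POSTROUTING | snat_rule_counts

# Constructed sample in `iptables -t nat -S POSTROUTING` format, mirroring
# the duplicated rule shown in the first post.
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.178.0/24 -o vmbr0 -j SNAT --to-source 192.168.178.178
-A POSTROUTING -s 192.168.178.0/24 -o vmbr0 -j SNAT --to-source 192.168.178.178'

# Print "<count> <rule>" for each distinct SNAT/MASQUERADE rule read from stdin.
# A count above 1 means the same rule was appended more than once.
snat_rule_counts() {
    grep -E '^-A POSTROUTING .*-j (SNAT|MASQUERADE)( |$)' \
        | sort | uniq -c | sed -E 's/^ +//'
}

# Turn every installed SNAT rule into its matching delete command, one line
# per installed copy (a rule present twice yields two -D lines). Nothing is
# executed; review the output before pasting any of it.
snat_delete_commands() {
    grep -E '^-A POSTROUTING .*-j SNAT( |$)' \
        | sed -E 's/^-A /iptables -t nat -D /'
}

# Search ifupdown config files or directories (passed as arguments) for
# hook lines that call iptables, e.g. leftover post-up / post-down entries.
find_rule_sources() {
    grep -rnE '^[[:space:]]*(pre-up|up|post-up|pre-down|down|post-down)[[:space:]].*iptables' \
        "$@" 2>/dev/null || true
}

# Demonstration on the constructed sample only; no firewall state is touched.
printf '%s\n' "$SAMPLE_RULES" | snat_rule_counts
printf '%s\n' "$SAMPLE_RULES" | snat_delete_commands
```

On a host, `find_rule_sources /etc/network/interfaces /etc/network/interfaces.d` covers the files ifupdown reads; the second path is an assumption, since the thread only mentions the first.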
These settings are not only applied to an individual node, but to all Proxmox cluster members, each with its own IP address. This could indicate a bug, as the rule is deployed twice and there is no obvious option to deactivate this behavior.


SNAT can break security mechanisms such as source address checking and TLS between nodes.
 
I can confirm now: Deactivating the firewall on the NODE removes the SNAT rule. This rule seems to be necessary for the firewall to work properly for VMs. I'm not sure if this behavior is really appreciated.

Thanks for helping me out
 