IPtables Port Forward to CT on vmbr0 not completing

ossvirt (Member, Mar 13, 2013)
Using a new install of Proxmox 4.2-11/2c626aa1. Setting up a port forward using iptables of external port 80 to internal port 80 on an Nginx container running as a reverse proxy. I've had this working before; there shouldn't be anything to it. I know the Nginx container is running, as I can see the webpage by forwarding through an ssh tunnel like this:

Code:
ssh -R 47000:10.3.0.2:80 root@artemis

However I get no response on port 80 on the external IP. Any help much appreciated, there's some detail I've overlooked.

Proxmox Host /etc/network/interfaces:

Code:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 1.2.3.10
        netmask 255.255.255.192
        gateway 1.2.3.4
        dns-nameservers 217.112.87.147 217.112.88.10 217.112.88.90
        post-up echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp

auto vmbr0
iface vmbr0 inet static
        address 10.3.0.1
        netmask 255.255.255.128
        dns-nameservers 217.112.87.147 217.112.88.10 217.112.88.90
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.3.0.0/25' -o eth0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.3.0.0/25' -o eth0 -j MASQUERADE
        post-up iptables -t nat -A PREROUTING -i any -p tcp --dport 80 -j DNAT --to 10.3.0.2:80
        post-down iptables -t nat -D PREROUTING -i any -p tcp --dport 80 -j DNAT --to 10.3.0.2:80

Nginx Guest /etc/network/interfaces:

Code:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 10.3.0.2
    netmask 255.255.255.128
# --- BEGIN PVE ---
    post-up ip route add 1.2.3.10 dev eth0
    post-up ip route add default via 1.2.3.10 dev eth0
    pre-down ip route del default via 1.2.3.10 dev eth0
    pre-down ip route del 1.2.3.10 dev eth0
# --- END PVE ---
 
Came back to bump. Can anyone recommend ways to troubleshoot this problem? I'm a bit out of my depth. Can I test whether everything that needs to be enabled actually is? Can I use some terminal tool to see how far the packets get and where the break is?

Thanks for any help.
 
I think it is the iptables rule. Everything else seems to work. I have tried this alternative rule, but it still isn't right:

Code:
post-up iptables -t nat -A PREROUTING -p tcp -d 1.2.3.10 --dport 80 -j DNAT --to-destination 10.3.0.2:80
post-down iptables -t nat -D PREROUTING -p tcp -d 1.2.3.10 --dport 80 -j DNAT --to-destination 10.3.0.2:80

Any help with iptables formatting would be immensely appreciated.
 

Hello ossvirt, you could try to use tcpdump to record the traffic at the different points and view it with Wireshark. Or use nc (netcat) to test connections. Or use netcat and tcpdump in combination. Or look at the logs of the firewall to see rejected requests. Or try arp -n to learn something about the actual network configuration.

With best regards

Andreas
 
  • Like
Reactions: ossvirt
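Added example, not code from this thread, from Proxmox or from either poster: a small checker that answers the bump post's two questions (is everything that needs to be enabled actually enabled, and how far do the packets get) in the spirit of Andreas's advice to inspect the firewall. It reads the verbose, exact-counter listing of the nat PREROUTING chain and the filter FORWARD chain, plus net.ipv4.ip_forward, and reports the usual reasons a DNAT forward "does nothing": no matching DNAT rule, a packet counter stuck at zero, an `-i` argument that names no real interface (iptables treats `-i` as a literal interface name; only a trailing `+` is a wildcard), a FORWARD chain that drops by default, or forwarding switched off. The interface names (eth0, vmbr0) and the DNAT target 10.3.0.2:80 are taken from the posted configs; the two sample listings, the `--sample` flag and all function names are my own constructions.

```python
#!/usr/bin/env python3
"""Check whether an iptables DNAT port forward on a Proxmox-style host is being hit."""
import re
import subprocess
import sys

# Constructed sample of `iptables -t nat -L PREROUTING -v -n -x` output, modelled on
# the first post's rule (`-i any`) after a few connection attempts on port 80.
SAMPLE_NAT_PREROUTING = """\
Chain PREROUTING (policy ACCEPT 1432 packets, 85920 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DNAT       tcp  --  any    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.3.0.2:80
"""

# Constructed sample of `iptables -L FORWARD -v -n -x` with a default-drop policy.
SAMPLE_FILTER_FORWARD = """\
Chain FORWARD (policy DROP 17 packets, 1020 bytes)
    pkts      bytes target     prot opt in     out     source               destination
"""

CHAIN_HEADER = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets, (\d+) bytes\)")


def parse_chain(text):
    """Return (policy, rules) from `iptables -L <chain> -v -n -x` output.

    Each rule is a dict of the verbose columns; everything after the destination
    column (match details such as `tcp dpt:80`, the DNAT `to:` target) is in 'extra'.
    """
    policy, rules = None, []
    for line in text.splitlines():
        m = CHAIN_HEADER.match(line)
        if m:
            policy = m.group(2)
            continue
        cols = line.split()
        if len(cols) < 9 or cols[0] == "pkts":
            continue  # blank line or the column-header line
        rules.append({
            "pkts": int(cols[0]), "bytes": int(cols[1]), "target": cols[2],
            "prot": cols[3], "opt": cols[4], "in": cols[5], "out": cols[6],
            "source": cols[7], "destination": cols[8], "extra": " ".join(cols[9:]),
        })
    return policy, rules


def check_dnat(nat_text, to="10.3.0.2:80", interfaces=("eth0", "vmbr0")):
    """Findings (strings) about the DNAT rule that should forward to `to`."""
    _, rules = parse_chain(nat_text)
    dnat = [r for r in rules if r["target"] == "DNAT" and f"to:{to}" in r["extra"]]
    if not dnat:
        return [f"no DNAT rule in nat/PREROUTING forwards to {to}"]
    findings = []
    for r in dnat:
        iface = r["in"]
        # iptables compares -i literally; only a trailing '+' acts as a wildcard.
        if iface != "*" and not iface.endswith("+") and iface not in interfaces:
            findings.append(f"rule matches in-interface '{iface}', which is not a real "
                            "interface (omit -i to match all, or use a '+' wildcard like 'eth+')")
        if r["pkts"] == 0:
            findings.append(f"DNAT rule to {to} has matched 0 packets: nothing reaches "
                            "nat/PREROUTING with that match, so check -i/-d/--dport first")
    return findings


def check_forward(filter_text):
    """Findings about filter/FORWARD, which every DNATed packet must still pass."""
    policy, rules = parse_chain(filter_text)
    if policy == "DROP" and not any(r["target"] == "ACCEPT" for r in rules):
        return ["filter/FORWARD policy is DROP with no ACCEPT rules: forwarded packets "
                "are silently discarded after DNAT"]
    return []


def check_sysctls(values):
    """`values` maps a sysctl name to the string read from /proc/sys; returns findings."""
    if values.get("net.ipv4.ip_forward", "0").strip() != "1":
        return ["net.ipv4.ip_forward is not 1: the host will not forward between eth0 and vmbr0"]
    return []


def run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def main():
    if "--sample" in sys.argv:  # offline demo on the constructed listings above
        nat, fwd = SAMPLE_NAT_PREROUTING, SAMPLE_FILTER_FORWARD
        sysctls = {"net.ipv4.ip_forward": "1\n"}
    else:  # live mode: run as root on the Proxmox host
        nat = run(["iptables", "-t", "nat", "-L", "PREROUTING", "-v", "-n", "-x"])
        fwd = run(["iptables", "-L", "FORWARD", "-v", "-n", "-x"])
        with open("/proc/sys/net/ipv4/ip_forward") as f:
            sysctls = {"net.ipv4.ip_forward": f.read()}
    findings = check_dnat(nat) + check_forward(fwd) + check_sysctls(sysctls)
    for finding in findings:
        print("PROBLEM:", finding)
    if not findings:
        print("DNAT rule is matched and the forwarding path is open; next capture with "
              "tcpdump -ni vmbr0 'tcp port 80' to confirm the packets reach the container")
    return len(findings)


if __name__ == "__main__":
    sys.exit(main())
```

Run it with `--sample` to see what it reports for the constructed listings (two findings on the DNAT rule, one on FORWARD), or without arguments as root on the host to read the live counters. The counters are the important part: if the DNAT rule's `pkts` column stays at zero while you repeat the external connection, the break is before or at the rule match; if it climbs but nothing answers, the problem is on the FORWARD/MASQUERADE side, which is where Andreas's tcpdump on vmbr0 comes in.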
