Can't get port forwarding to work

electricduck

Apr 2, 2014
Hello all,

Following various guides around the Internet, my /etc/interfaces/network file has come to look like this...
Code:
# network interface settings
auto lo
iface lo inet loopback

iface eth0 inet manual

iface eth1 inet manual

auto vmbr0
iface vmbr0 inet static
    address  62.210.139.3
    netmask  255.255.255.0
    gateway  62.210.139.1
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0

#auto vmbr0:0
#iface vmbr0:0 inet static
#address 192.168.4.1
#netmask 255.255.255.0
#network 192.168.4.0
#broadcast 192.168.4.255

auto vmbr1
iface vmbr1 inet static
    address 10.99.0.254
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0

    # Turn on Port Forwarding
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward

    # Set VMs to Masquerade
    post-up iptables -t nat -A POSTROUTING -s '10.99.0.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.99.0.0/24' -o vmbr0 -j MASQUERADE

This all works. I am able to access the Internet, use TeamViewer, etc. on my Windows Server (IP: 10.99.0.7) (connected to vmbr1)

However, when I go to add this to forward services such as IIS and RDP...

Code:
# Forward Ports
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 4489 -j DNAT --to-destination 10.99.0.7:3389
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 4489 -j DNAT --to-destination 10.99.0.7:3389
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 81 -j DNAT --to-destination 10.99.0.7:80
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 81 -j DNAT --to-destination 10.99.0.7:80

...the Internet on the VM stops working and none of the ports actually forward (for example, RDP runs on port 3389, however, I cannot access it outside on port 4489 on my only outside IP).

What exactly am I doing wrong here? :confused:

-- Josh
 
Try this one longer iptables rule

iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --syn -s 0.0.0.0/0 --sport 1024:65535 -d 62.210.139.3/32 --dport 4489 -m state --state NEW -j DNAT --to-destination 10.99.0.7:3389
 
I think your problem is that you have an IP alias on vmbr0. The MASQUERADE target is probably catching this address. Otherwise your rules look fine to me. What if you change the interfaces line like this (you don't need apostrophes):
Code:
    post-up iptables -t nat -A POSTROUTING -s 10.99.0.0/24 -o vmbr0 -j SNAT --to-source 62.210.139.3

EDIT: sorry, I haven't noticed that you commented out the IP alias (it's Sunday after all). In that case, I have no idea, maybe others' suggestions will help.
 

Yes, yes! This works! Thank you! :D

I've never been this happy on a Monday before...

--

To anyone interested, my final config looks like this...
Code:
# network interface settings
auto lo
iface lo inet loopback


iface eth0 inet manual


iface eth1 inet manual


auto vmbr0
iface vmbr0 inet static
        address  62.210.139.3
        netmask  255.255.255.0
        gateway  62.210.139.1
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0


auto vmbr1
iface vmbr1 inet static
    address 10.99.0.254
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0


        # Turn on Port Forwarding
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward


        # Forward Ports
        post-up iptables -t nat -A POSTROUTING -s 10.99.0.0/24 -o vmbr0 -j SNAT --to-source 62.210.139.3
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 4489 -j DNAT --to-destination 10.99.0.7:3389

That last line tells RDP, running on port 3389 on 10.99.0.7, to forward to my single outside IP on port 4489.
 
I'm glad I could help but out of curiosity: do you have any secondary/alias IP on any of the interfaces? With a single IP MASQ target should work without problems. Could you post the output of "ip a" command for example? Thanks.
 
Sir. There are a few things I don't understand about your post.
1. Can you post some screenshots for the following screenshots I took off of my system (which is probably configured incorrectly because I can't get RDP to work) I would just like to see your complete setup as I am having troubles.

[Attached screenshots: 1-17-2016-3.54.01 PM.jpg, 1-17-2016-4.14.57 PM.jpg, 1-17-2016-3.58.58 PM.jpg, 1-17-2016-3.45.57 PM.jpg]
 
Nice necro, but wanted to say thanks for proxmox.

Also wanted to say thanks to you, I've modded your settings to mine at online.net server and got windows rdp working on my port.

Looks nice. Thanks!

Anyway, here's my modded config:
Code:
source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

allow-hotplug eth0

iface eth0 inet manual

iface eth1 inet manual

auto vmbr0
iface vmbr0 inet static
  address  mypublicipaddress
  netmask  255.255.255.0
   gateway mydefaultgateway
  bridge_ports eth0
  bridge_stp off
  bridge_fd 0

auto vmbr1
iface vmbr1 inet static
  address 10.10.10.1
  netmask 255.255.255.0
  bridge_ports none
  bridge_stp off
  bridge_fd 0

  post-up echo 1 > /proc/sys/net/ipv4/ip_forward

   #Nat port forward to windows 2008 r2 machine
   post-up iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o vmbr0 -j SNAT --to-source mypublicipaddress
   post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 20000 -j DNAT --to-destination 10.10.10.50:3389

  #MASQUERADE https://pve.proxmox.com/wiki/Proxmox_VE_Firewall
#  post-up  iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
#  post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
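
Added example, not part of any post in this thread: the first config pairs its `post-up ... -A` rule with a `post-down ... -D`, while the later SNAT/DNAT configs do not, so those NAT rules stay loaded after `ifdown` and are appended again on the next `ifup`. The script below lists the `post-down` lines an interfaces file is missing; the function names `missing_post_down` and `write_samples` are this example's own, and the sample rules are copied from the 10.99.0.0/24 configs above.

```shell
#!/usr/bin/env bash
# Added example: report post-up iptables rules in an ifupdown interfaces
# file that have no matching post-down delete rule.

missing_post_down() {
    # $1: path to an interfaces file. Prints the post-down lines to add.
    awk '
        /^[ \t]*#/ { next }                    # ignore commented-out lines
        $1 == "post-up" || $1 == "post-down" {
            hook = $1
            $1 = ""                            # drop hook; fields re-join with single spaces
            rule = $0
            gsub(/\047/, "", rule)             # strip single quotes around the CIDR
            sub(/^ +/, "", rule)
            if (rule !~ /^iptables /) next     # e.g. the ip_forward echo line
            if (hook == "post-down") { have[rule] = 1; next }
            if (sub(/ -A /, " -D ", rule)) want[++n] = rule
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(want[i] in have)) print "post-down " want[i]
        }
    ' "$1"
}

# Sample input: rules copied from the first post and from the final config.
write_samples() {
    cat > "$1/first.conf" <<'EOF'
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '10.99.0.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.99.0.0/24' -o vmbr0 -j MASQUERADE
EOF
    cat > "$1/final.conf" <<'EOF'
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s 10.99.0.0/24 -o vmbr0 -j SNAT --to-source 62.210.139.3
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 4489 -j DNAT --to-destination 10.99.0.7:3389
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
missing_post_down "$demo_dir/first.conf"   # prints nothing: the rule is paired
missing_post_down "$demo_dir/final.conf"   # prints the two post-down lines to add
rm -rf "$demo_dir"
```

Run it against a copy of `/etc/network/interfaces` before restarting networking, then compare with `iptables -t nat -S` to spot rules that were appended more than once.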