Default Bridge and Masq (NAT) with iptables tables

pablo808

New Member
May 22, 2024
Sydney, Australia
Is it possible to have both the Default Configuration using a Bridge and Masquerading (NAT) with iptables with one physical interface?

I currently have Masquerading (NAT) with iptables set up, and it's a pain adding NAT rules to /etc/network/interfaces for each service I want to open up to the rest of the network.

Code:
auto lo
iface lo inet loopback

auto eno1
# real ip
iface eno1 inet static
    address 192.168.4.2/24
    gateway 192.168.4.1

auto vmbr0
# vm network
iface vmbr0 inet static
    address 192.168.5.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    # route between vmbr0 and eno1, hiding the VM subnet behind the host's address
    post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up   iptables -t nat -A POSTROUTING -s '192.168.5.0/24' -o eno1 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '192.168.5.0/24' -o eno1 -j MASQUERADE
    # forward host port 2222 on eno1 to SSH on the VM at 192.168.5.3
    post-up   iptables -t nat -A PREROUTING -p tcp -i eno1 --dport 2222 -j DNAT --to-destination 192.168.5.3:22
    post-down iptables -t nat -D PREROUTING -p tcp -i eno1 --dport 2222 -j DNAT --to-destination 192.168.5.3:22
#work

iface wlp1s0 inet manual

source /etc/network/interfaces.d/*
 
Hello,
Instead of calling each iptables rule in /etc/network/interfaces, just call a whole script.
In /etc/network/interfaces:
Code:
...
    pre-up /root/scripts/my_nice_iptables_script.sh

And then, in "my_nice_iptables_script.sh" :

Code:
#!/bin/bash
# allow the host to route between vmbr0 and eno1
echo 1 > /proc/sys/net/ipv4/ip_forward
# hide the VM subnet behind the host's address on eno1
iptables -t nat -A POSTROUTING -s '192.168.5.0/24' -o eno1 -j MASQUERADE
# forward host port 2222 to SSH on the VM at 192.168.5.3
iptables -t nat -A PREROUTING -p tcp -i eno1 --dport 2222 -j DNAT --to-destination 192.168.5.3:22
...

And yes, by the way, using DNAT --to-destination I'm afraid you'll have to specify each port you want to masquerade to your VMs. But doing this in a script will de-clutter your /etc/network/interfaces file and allow you to have a single file for your whole configuration once and for all.

Kind regards,

GD
 
Thank you for the suggestion regarding setting up a script to masquerade the ports to the VMs. I might give that a try.

Whenever I add new NAT rules and restart the network, they don't seem to apply. I've also tried the command ifupdown2, but that didn't seem to work. I had to reboot the pve box instead.

What is the correct way to apply the new pve network config after updating /etc/network/interfaces without a reboot?
 
There's no need to restart the network to see iptables rules applied. They apply the moment you run them.
See them with:

Code:
# iptables -L -t nat

This means you can call your script without reloading /etc/network/interfaces.
Should you still need to, reloading the network without rebooting is done with:

Code:
# ifreload -a

It is highly recommended to flush the iptables rules each time you modify them, so that the config doesn't stack up with former rules. Do it with:

Code:
# iptables -F
# iptables -X

It could even be a good idea to set those two lines at the very beginning of your script, to avoid any mismatch between "old" and "new" rules while you write your config.

Kind regards,

GD
 
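The script approach from the first answer and the flush-before-reload advice from the second, combined into one added example. This is not code from the thread or from Proxmox; it is a script a practitioner might write in place of the per-rule post-up/post-down lines. Two points it handles that the thread does not spell out: `iptables -F` and `iptables -X` without `-t nat` act on the filter table only, so they never clear the MASQUERADE and DNAT rules that live in the nat table, and on a Proxmox VE host pve-firewall also programs iptables, so a blanket flush would wipe its chains. The script therefore keeps its rules in two chains of its own (`VMNAT-PRE` and `VMNAT-POST`, names assumed), flushes only those on every run, hooks them into PREROUTING/POSTROUTING exactly once using `iptables -C`, and validates each forward (protocol, port range, target inside the bridge subnet) before programming it. The interface `eno1`, the subnet `192.168.5.0/24` and the `2222 -> 192.168.5.3:22` forward are taken from the first post; the `8443` entry is a constructed sample.

```shell
#!/bin/sh
# Idempotent NAT loader for a Proxmox VE host with a private vmbr0.
# Added example for this thread, not Proxmox's own code. Interface name,
# VM subnet and the forward list are assumptions taken from the first post.
set -eu

WAN_IF=${WAN_IF:-eno1}             # uplink carrying the host's "real" IP
VM_NET=${VM_NET:-192.168.5.0/24}   # network behind vmbr0
IPT=${IPT:-iptables}

# Port forwards as "proto:host_port:vm_ip:vm_port", one per line
# (constructed sample entries; only the first one comes from the thread).
FORWARDS="
tcp:2222:192.168.5.3:22
tcp:8443:192.168.5.10:443
"

# Our own chains in the nat table. Flushing only these leaves the chains
# that pve-firewall installs untouched; plain "iptables -F" without "-t nat"
# would not even reach the nat table, where these rules live.
PRE_CHAIN=VMNAT-PRE
POST_CHAIN=VMNAT-POST

ip2int() {  # dotted quad -> 32-bit integer
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_subnet() {  # ip cidr -> exit 0 when ip lies inside cidr
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

is_port() {  # digits only, 1..65535
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

validate_forward() {  # reject specs that cannot produce a sane DNAT rule
    old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || { echo "bad spec (want proto:hport:vmip:vmport)" >&2; return 1; }
    case $1 in tcp|udp) ;; *) echo "proto must be tcp or udp: $1" >&2; return 1 ;; esac
    is_port "$2" || { echo "bad host port: $2" >&2; return 1; }
    is_port "$4" || { echo "bad VM port: $4" >&2; return 1; }
    in_subnet "$3" "$VM_NET" || { echo "$3 is not inside $VM_NET" >&2; return 1; }
}

dnat_rule() {  # spec -> argument list for the PREROUTING DNAT rule
    old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs
    echo "-p $1 -i $WAN_IF --dport $2 -j DNAT --to-destination $3:$4"
}

apply_rules() {
    sysctl -q -w net.ipv4.ip_forward=1
    # Create our chains on the first run, flush them on every later run.
    for chain in "$PRE_CHAIN" "$POST_CHAIN"; do
        $IPT -t nat -N "$chain" 2>/dev/null || $IPT -t nat -F "$chain"
    done
    # Hook them into the built-in chains exactly once (-C tests before -A).
    $IPT -t nat -C PREROUTING -j "$PRE_CHAIN" 2>/dev/null \
        || $IPT -t nat -A PREROUTING -j "$PRE_CHAIN"
    $IPT -t nat -C POSTROUTING -s "$VM_NET" -o "$WAN_IF" -j "$POST_CHAIN" 2>/dev/null \
        || $IPT -t nat -A POSTROUTING -s "$VM_NET" -o "$WAN_IF" -j "$POST_CHAIN"
    $IPT -t nat -A "$POST_CHAIN" -j MASQUERADE
    for spec in $FORWARDS; do
        validate_forward "$spec"
        $IPT -t nat -A "$PRE_CHAIN" $(dnat_rule "$spec")
    done
}

# With no argument (e.g. when sourced) the script only defines functions.
case ${1:-} in
    apply) apply_rules ;;
    show)  $IPT -t nat -L "$PRE_CHAIN" -n --line-numbers
           $IPT -t nat -L "$POST_CHAIN" -n --line-numbers ;;
esac
```

Hook it in from the vmbr0 stanza as `pre-up /root/scripts/vmnat.sh apply` (path assumed, as in the first answer), and re-run the same command by hand after editing the FORWARDS list; because only the two private chains are flushed, repeated runs never accumulate duplicate MASQUERADE or DNAT entries and never disturb rules owned by pve-firewall. `vmnat.sh show` lists what is currently installed in those chains.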
