I have a question related to using SSH with the Proxmox server and LXC containers that are set up on the server. The current setting is that we have our public keys on the server and in the containers and we jump from the server to the containers. Now we are working with other people that only need access to the containers and not the server root itself, but in the current setup (since their key is also on the server) they could end up in the root of the server and accidentally change things.
Now I am looking for a setup where they have no chance to get into the root of the server. The idea I have is to use port forwarding to directly go to the containers instead of having to jump into the server and then into the container. I don't know if this is feasible or possible or how to achieve it, so if somebody can help me with this idea or another one that eventually solves the same problem I would be grateful. Something to note: it is a secure network so we can only have one MAC address, all traffic through the server.
Current ssh config (example names and IP):
Host Server
    User root
    HostName xxx.xxx.xx.xxx

Host Container
    User root
    ProxyJump Server
    HostName 190.190.0.14
The current server network config:
auto lo
iface lo inet loopback

auto eno1
iface eno1 inet static
    address 100.100.10.5/22
    gateway 100.100.10.1
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up echo 1 > /proc/sys/net/ipv4/conf/eno1/proxy_arp

auto vmbr4001
iface vmbr4001 inet static
    address 190.190.0.13/24
    bridge-ports eno1.4001
    bridge-stp off
    bridge-fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables --table nat --append POSTROUTING --source '190.190.0.0/24' --output-interface
    post-down iptables --table nat --delete POSTROUTING --source '190.190.0.0/24' --output-interface
    post-up iptables --table raw --insert PREROUTING --in-interface fwbr+ --jump CT --zone 1
    # post-down must remove the rule added in post-up, not insert a second copy
    post-down iptables --table raw --delete PREROUTING --in-interface fwbr+ --jump CT --zone 1
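An added example of the port-forwarding idea from the question (my code, not from the original post or from Proxmox): a host port on eno1 is DNATed to one container's sshd, so the collaborator's key only ever lives in that container's authorized_keys and never on the host. The interface names and the 190.190.0.0/24 subnet come from the posted config; the host port 2214, the container IP 190.190.0.14 as the target and the user name "deploy" are hypothetical values chosen for illustration.

```shell
#!/bin/sh
# Assumed from the post: external interface eno1, container bridge vmbr4001.
WAN_IF="eno1"
LAN_IF="vmbr4001"

# Print (do not apply) the rules for one container.
#   $1 = port on the host's external address, $2 = container IP.
# Printing keeps the function testable without root; pipe to sh on the host
# or put the lines into post-up/post-down of vmbr4001.
container_forward_rules() {
    host_port="$1"
    ct_ip="$2"
    case "$host_port" in
        ''|*[!0-9]*) echo "bad host port: $host_port" >&2; return 1 ;;
    esac
    # Rewrite the destination of new connections on the host port to the container's sshd.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $host_port -j DNAT --to-destination $ct_ip:22"
    # Let only that flow cross from the outside into the bridge (matters once FORWARD policy is DROP).
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $ct_ip --dport 22 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    # Replies from the container back out.
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $ct_ip -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# The collaborator's ssh_config stanza: no ProxyJump, so no account and no key on the host.
#   $1 = host external address, $2 = host port, $3 = user inside the container.
client_ssh_config() {
    cat <<EOF
Host Container
    HostName $1
    Port $2
    User $3
    IdentitiesOnly yes
EOF
}
```

Apply on the host with `container_forward_rules 2214 190.190.0.14 | sh`; every container that collaborators may reach gets its own host port, and their keys are added only inside those containers.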