DNAT/SNAT via pve-firewall PREROUTING/POSTROUTING

tirili

Member
Sep 19, 2018
Hello,

Is there any way to configure DNAT and SNAT to hosts via pve-firewall?

Currently, for outgoing connections, we use:

iptables -t nat -A POSTROUTING -s 192.168.64.0/24 -o vmbr0 -j SNAT --to-source 5.7.9.99
iptables -t nat -A POSTROUTING -s 192.168.80.102/32 -o vmbr0 -j SNAT --to-source 5.7.9.102

and for incoming connections:

iptables -t nat -A PREROUTING -d 5.7.9.102/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.80.102:443
iptables -t nat -A PREROUTING -d 5.7.9.101/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.80.101:443

But when restarting pve-firewall, these are lost.
Any help is appreciated.

Best regards
Thomas
 
pve-firewall should leave the nat table alone. Are you sure it's not something else interfering?
 
The question is, how could it be done using the pve-firewall completely? I do not want to have 2 locations where I have to change firewall rules.
 
The question is, how could it be done using the pve-firewall completely? I do not want to have 2 locations where I have to change firewall rules.

pve-firewall does not support setting up NAT / port forwarding / .. (yet). It would be a nice addition though!
 
Hi, also, if you need to use firewall + NAT, it needs conntrack zones:

iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
iptables -t raw -I POSTROUTING -i fwbr+ -j CT --zone 1

Dear Spirit, in the case of SNAT/DNAT, do we really need to add a POSTROUTING rule? In my case the PVE firewall works for outgoing rules without a POSTROUTING rule (PVE 5.2).

Code:
allow-hotplug eth0
iface eth0 inet static
        address 192.168.XX.XX
        netmask 255.255.255.0
        gateway 192.168.XX.XX

auto vmbr0
iface vmbr0 inet static
        address  10.10.XX.XX
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0

        post-up echo 1 > /proc/sys/net/ipv4/ip_forward

        post-up   iptables -t nat -A POSTROUTING -s 10.10.xx.x/24 -o eth0 -j SNAT --to-source 192.168.XX.XX
        post-down iptables -t nat -D POSTROUTING -s 10.10.xx.x/24 -o eth0 -j SNAT --to-source 192.168.XX.XX

        post-up   iptables -t raw -I PREROUTING  -i fwbr+ -j CT --zone 1


Also I wonder how pve-firewall works on outgoing traffic rules. For example, if I define a blocking outgoing rule on cluster/node level, the rule affects the host, not the VMs. If I define a blocking outgoing rule on VM level, everything is fine. Why so? Why does an outgoing blocking rule on cluster/node level not affect VMs?
 
> If I define a blocking outgoing rule on VM level, everything is fine. Why so? Why does an outgoing blocking rule on cluster/node level not affect VMs?

Because cluster/node level rules are in the iptables INPUT/OUTPUT chains, and VM rules are in the FORWARD chain.

(cluster/node level rules are only used to protect your host, not your VMs)
 
Hi there,

I can confirm that pve-firewall works well on both VMs and CTs while using iptables with both SNAT and DNAT.
The tricky part was to understand the flow.

Here are the most important aspects to have in mind:

1) first set up SNAT and DNAT in the iptables *nat chain
2) set in the iptables *filter section the default action for the FORWARD chain:
Code:
:FORWARD ACCEPT
Don't worry, you can still DROP/REJECT any unwanted packets in the FORWARD chain in iptables. Just add your rules to the FORWARD iptables chain.
3) in the *raw section of your iptables you need this for the Proxmox firewall to work with NAT:
Code:
-A PREROUTING -i fwbr+ -j CT --zone 1
You can trace your iptables rules by adding this into your iptables *raw section:
## trace ping for example
Code:
-A PREROUTING -p icmp -j TRACE
4) write your pve-firewall rules for VMs or CTs; these should work properly now.
5) Test, test, test :)

Many thanks for the contributions of other users!
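Added example, not code from any poster in this thread: a shell function that emits one complete iptables-restore ruleset combining the pieces discussed above (the SNAT/DNAT rules from the opening question and the conntrack-zone and FORWARD-policy steps from the post just above). The addresses, the interface name vmbr0 and the function names are constructed for illustration; the emitted text is what you would persist (e.g. in /etc/iptables/rules.v4) so it survives a pve-firewall restart.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset for NAT alongside pve-firewall.
# Tables are emitted in the order the post above lists the steps:
#   *raw    -> conntrack zone for the fwbr+ firewall bridges (step 3)
#   *nat    -> SNAT for the guest subnet, DNAT for one published port (step 1)
#   *filter -> FORWARD policy ACCEPT so pve-firewall's chains see the traffic (step 2)
# Usage: nat_ruleset <public_ip> <guest_subnet> <public_vip> <vm_ip> <tcp_port> [wan_if]
# All values passed in by the caller are constructed for this example.
nat_ruleset() {
    pub_ip=$1 subnet=$2 vip=$3 vm_ip=$4 port=$5 wan=${6:-vmbr0}
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# guest traffic entering via the fwbr+ bridges gets its own conntrack zone,
# so pve-firewall's per-guest state and the host's NAT state do not collide
-A PREROUTING -i fwbr+ -j CT --zone 1
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# publish exactly one TCP port of one guest; keep the match this narrow
-A PREROUTING -d ${vip}/32 -p tcp -m tcp --dport ${port} -j DNAT --to-destination ${vm_ip}:${port}
# give the whole guest subnet one fixed source address on the uplink
-A POSTROUTING -s ${subnet} -o ${wan} -j SNAT --to-source ${pub_ip}
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# FORWARD stays ACCEPT here; per-guest allow/deny is written as pve-firewall rules
COMMIT
EOF
}

# Count the COMMIT lines, i.e. the number of tables the ruleset defines (expect 3).
nat_ruleset_tables() {
    nat_ruleset "$@" | grep -c '^COMMIT$'
}

# Syntax-check the ruleset without applying it; skipped (returns 0) when not root
# or when iptables-restore is not installed, so it is safe to call anywhere.
nat_ruleset_check() {
    [ "$(id -u)" = 0 ] && command -v iptables-restore >/dev/null 2>&1 || return 0
    nat_ruleset "$@" | iptables-restore --test
}
```

Load the output with `iptables-restore < file` (or reference it from a post-up line as the interfaces snippet earlier in the thread does) and then write the guest rules in pve-firewall, which leaves this nat table untouched.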
 
would you please explain a little easier?
 
I noticed that for masquerade/SNAT/DNAT to work, the local firewall has to be enabled on at least one VM; then it works also for all the other VMs.
 