Firewall in datacenter and Private VM (NAT)

mateusz1234

Apr 22, 2021
Hi!
I am trying to set up NAT for my VM/CT following this post: https://forum.proxmox.com/threads/pve-6-2-private-vm-nat-network-configuration-setup.71038/
Everything is working fine; I have internet access in my VM/CT.
But when I enable the firewall in Datacenter, it stops working.
Here is my iptables-save before enabling the firewall:
Code:
# Generated by iptables-save v1.8.2 on Thu Apr 22 10:21:16 2021
*raw
:PREROUTING ACCEPT [3861:838454]
:OUTPUT ACCEPT [3057:781730]
COMMIT
# Completed on Thu Apr 22 10:21:16 2021
# Generated by iptables-save v1.8.2 on Thu Apr 22 10:21:16 2021
*filter
:INPUT ACCEPT [2329:472588]
:FORWARD ACCEPT [8:658]
:OUTPUT ACCEPT [1974:455103]
-A INPUT -i tun0 -m comment --comment pritunl-60812375d808aefea5e3909f -j ACCEPT
-A FORWARD -o tun0 -m comment --comment pritunl-60812375d808aefea5e3909f -j ACCEPT
-A FORWARD -i tun0 -m comment --comment pritunl-60812375d808aefea5e3909f -j ACCEPT
-A OUTPUT -o tun0 -m comment --comment pritunl-60812375d808aefea5e3909f -j ACCEPT
COMMIT
# Completed on Thu Apr 22 10:21:16 2021
# Generated by iptables-save v1.8.2 on Thu Apr 22 10:21:16 2021
*nat
:PREROUTING ACCEPT [365:38159]
:INPUT ACCEPT [99:8815]
:OUTPUT ACCEPT [17:1079]
:POSTROUTING ACCEPT [17:1079]
-A POSTROUTING -s 192.168.226.0/24 -d 192.168.220.0/24 -o vmbr1 -m comment --comment pritunl-60812375d808aefea5e3909f -j MASQUERADE
-A POSTROUTING -s 192.168.226.0/24 -o vmbr0 -m comment --comment pritunl-60812375d808aefea5e3909f -j MASQUERADE
-A POSTROUTING -s 192.168.220.0/24 -o vmbr0 -j MASQUERADE
COMMIT
# Completed on Thu Apr 22 10:21:16 2021
And after enabling the firewall:
Code:
# Generated by iptables-save v1.8.2 on Thu Apr 22 10:22:28 2021
*raw
:PREROUTING ACCEPT [6542:1441725]
:OUTPUT ACCEPT [4793:1423639]
COMMIT
# Completed on Thu Apr 22 10:22:28 2021
# Generated by iptables-save v1.8.2 on Thu Apr 22 10:22:28 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-smurflog - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
-A INPUT -i tun0 -m comment --comment pritunl-60812375d808aefea5e3909f -j ACCEPT
-A INPUT -j PVEFW-INPUT
-A FORWARD -o tun0 -m comment --comment pritunl-60812375d808aefea5e3909f -j ACCEPT
-A FORWARD -i tun0 -m comment --comment pritunl-60812375d808aefea5e3909f -j ACCEPT
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -o tun0 -m comment --comment pritunl-60812375d808aefea5e3909f -j ACCEPT
-A OUTPUT -j PVEFW-OUTPUT
-A PVEFW-Drop -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:WDy2wbFe7jNYEyoO3QhUELZ4mIQ"
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
-A PVEFW-DropBroadcast -m comment --comment "PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:Ijl7/xz0DD7LF91MlLCz0ybZBE0"
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:2jmj7l5rSw0yVb/vlWAYkK/YBwk"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -i vmbr0 -p udp -m udp --dport 13511 -j RETURN
-A PVEFW-HOST-IN -i tun0 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -i tun0 -p tcp -m tcp --dport 8007 -j RETURN
-A PVEFW-HOST-IN -i tun0 -p tcp -m tcp --dport 18169 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 60000:60050 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -m comment --comment "PVESIG:1/vx0fZbvR1gYUl7BtvW7K/68GU"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -d 127.0.0.0/8 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d 127.0.0.0/8 -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d 127.0.0.0/8 -p tcp -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d 127.0.0.0/8 -p tcp -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:slA9+eGCoAqR09eovbprlFksyFw"
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -m comment --comment "PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0"
-A PVEFW-Reject -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:CZJnIN6rAdpu+ej59QPr9+laMUo"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY"
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:MN4PH1oPZeABMuWr64RrygPfW7A"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc"
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:2gfT1VMkfr0JL6OccRXTGXo+1qk"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
COMMIT
# Completed on Thu Apr 22 10:22:28 2021
# Generated by iptables-save v1.8.2 on Thu Apr 22 10:22:28 2021
*nat
:PREROUTING ACCEPT [853:87215]
:INPUT ACCEPT [155:13553]
:OUTPUT ACCEPT [19:1215]
:POSTROUTING ACCEPT [19:1215]
-A POSTROUTING -s 192.168.226.0/24 -d 192.168.220.0/24 -o vmbr1 -m comment --comment pritunl-60812375d808aefea5e3909f -j MASQUERADE
-A POSTROUTING -s 192.168.226.0/24 -o vmbr0 -m comment --comment pritunl-60812375d808aefea5e3909f -j MASQUERADE
-A POSTROUTING -s 192.168.220.0/24 -o vmbr0 -j MASQUERADE
COMMIT
# Completed on Thu Apr 22 10:22:28 2021

Any idea how I can use the Datacenter firewall without losing the NAT setup?
I need that to work because my server has only one public IP address and I need more services from some CT/VM to be public.
Thanks for any help :)
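A quick way to see what enabling the Datacenter firewall actually changed is to compare the two iptables-save dumps mechanically rather than by eye: for each built-in filter chain, follow the unconditional jumps (rules with nothing but a `-j`, plus the PVESIG comment rules) down to the first terminal verdict, and separately check whether the nat POSTROUTING rules are still identical. The script below is an added example, not code from the post or from Proxmox; the two dumps in it are constructed, abbreviated versions of the captures above, and the function and variable names are my own. Run against the full dumps in the post it reports the same picture: INPUT's effective default goes from ACCEPT to DROP (PVEFW-HOST-IN ends in `-j PVEFW-Drop`, `-j DROP`, with only the management ipset and the listed ports returning before that), FORWARD stays at policy ACCEPT because PVEFW-FORWARD has no terminal rule, and the three MASQUERADE rules are unchanged. That narrows the investigation to traffic the guest sends to the host itself (for example if the host is the guest's DNS resolver) or to per-guest rules, rather than to the NAT path.

```python
"""Compare two iptables-save dumps: effective default verdict per built-in
filter chain, and whether the nat POSTROUTING (MASQUERADE) rules survived.
Added example for the thread above; not Proxmox code. BEFORE/AFTER are
constructed, abbreviated versions of the two captures in the post."""
import shlex

BEFORE = """\
*filter
:INPUT ACCEPT [2329:472588]
:FORWARD ACCEPT [8:658]
:OUTPUT ACCEPT [1974:455103]
-A FORWARD -i tun0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [17:1079]
-A POSTROUTING -s 192.168.220.0/24 -o vmbr0 -j MASQUERADE
COMMIT
"""

AFTER = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PVEFW-Drop - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-INPUT - [0:0]
-A INPUT -j PVEFW-INPUT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -j PVEFW-FORWARD
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:WDy2wbFe7jNYEyoO3QhUELZ4mIQ"
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -j DROP
-A PVEFW-INPUT -j PVEFW-HOST-IN
COMMIT
*nat
:POSTROUTING ACCEPT [19:1215]
-A POSTROUTING -s 192.168.220.0/24 -o vmbr0 -j MASQUERADE
COMMIT
"""

VERDICTS = {"ACCEPT", "DROP", "REJECT"}


def parse_save(text):
    """Parse iptables-save text into {table: {"policy": {chain: policy},
    "rules": {chain: [token list after '-A <chain>']}}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policy": {}, "rules": {}}
        elif line.startswith(":"):
            chain, policy, _counters = line[1:].split(None, 2)
            tables[table]["policy"][chain] = policy
            tables[table]["rules"].setdefault(chain, [])
        elif line.startswith("-A "):
            toks = shlex.split(line)  # shlex keeps the quoted PVESIG comments intact
            tables[table]["rules"].setdefault(toks[1], []).append(toks[2:])
        elif line == "COMMIT":
            table = None
    return tables


def unconditional_target(rule):
    """Return the -j target if the rule matches every packet (only a comment
    match before the jump), else None. A comment-only rule with no -j is a no-op."""
    i = 0
    while i < len(rule):
        if rule[i] == "-m" and i + 3 < len(rule) and rule[i + 1] == "comment":
            i += 4  # skip: -m comment --comment <text>
        elif rule[i] == "-j" and i + 1 < len(rule):
            return rule[i + 1]  # iptables-save prints matches before -j, so stop here
        else:
            return None  # any other match makes the rule conditional
    return None


def default_verdict(table, chain, seen=frozenset()):
    """Verdict for a packet that matches none of a chain's conditional rules:
    follow unconditional jumps into user chains, then fall back to the policy.
    Returns None for a user chain that would return to its caller."""
    if chain in seen:
        return None
    for rule in table["rules"].get(chain, []):
        target = unconditional_target(rule)
        if target in VERDICTS:
            return target
        if target == "RETURN":
            break
        if target in table["rules"]:  # unconditional jump into a user chain
            verdict = default_verdict(table, target, seen | {chain})
            if verdict in VERDICTS:
                return verdict
    policy = table["policy"].get(chain, "-")
    return policy if policy in VERDICTS else None


def diagnose(before_text, after_text):
    """(before, after) default verdict for each built-in filter chain, plus
    whether the nat POSTROUTING rule list is byte-for-byte the same."""
    b, a = parse_save(before_text), parse_save(after_text)
    verdicts = {c: (default_verdict(b["filter"], c), default_verdict(a["filter"], c))
                for c in ("INPUT", "FORWARD", "OUTPUT")}
    nat_same = b["nat"]["rules"].get("POSTROUTING") == a["nat"]["rules"].get("POSTROUTING")
    return {"default_verdict": verdicts, "nat_postrouting_unchanged": nat_same}


if __name__ == "__main__":
    for chain, (before, after) in diagnose(BEFORE, AFTER)["default_verdict"].items():
        print(f"{chain:8} default: {before} -> {after}")
    print("nat POSTROUTING unchanged:", diagnose(BEFORE, AFTER)["nat_postrouting_unchanged"])
```

To use it on a live host, read the two real dumps from files (`iptables-save > before.txt`, enable the firewall, `iptables-save > after.txt`) and pass their contents to `diagnose`. The analysis deliberately ignores conditional rules, so it answers only "what happens to a packet nothing else matched", which is exactly the question when a previously working flow disappears after a policy change.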