Firewall VM with single IP?

kameleon

Oct 19, 2022
I have an OVH dedicated server that only has a single IP. I would like to secure this host by running a firewall VM, but all the howtos I see use two IPs. How would I go about setting this up so that all traffic is routed through the firewall VM?

I am running Virtual Environment 7.2-7. I did find a nice writeup on using shorewall but that was from 2009 and did not apply to anything modern.
 
> I would like to secure this host by running a firewall VM
You could use the built-in FW directly: https://pve.proxmox.com/pve-docs/chapter-pve-firewall.html

> How would I go about setting this up so that all traffic is routed through the firewall VM?
It can be done by giving the single IP address to the firewall VM directly and letting the PVE web interface and SSH get NAT'd through, but it's IMO a brittle setup that will make your host inaccessible if the FW VM fails to start - as long as you have out-of-band access (IPMI/iKVM/...) to the server that may be fine, but I'd rather handle this on the PVE host directly or get another IP address.
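
The host-level alternative suggested in the reply, as an added example that is not part of the original thread: a minimal `/etc/pve/firewall/cluster.fw` for the built-in PVE firewall that drops inbound traffic by default and allows the web interface and SSH only from one administrative address. The address 203.0.113.10 is a constructed placeholder from the documentation range; substitute your own.

```ini
# /etc/pve/firewall/cluster.fw  (datacenter-level PVE firewall configuration)

[OPTIONS]
# Turn the firewall on. Add the allow rules below BEFORE enabling,
# otherwise the only way back in is out-of-band access.
enable: 1
# Inbound traffic that matches no rule is dropped.
policy_in: DROP
# The host may still open outbound connections (updates, DNS, NTP).
policy_out: ACCEPT

[IPSET management]
# Addresses allowed to administer the host.
# 203.0.113.10 is a constructed placeholder, not a value from the thread.
203.0.113.10

[RULES]
# PVE web interface (TCP 8006) from the management set only
IN ACCEPT -source +management -p tcp -dport 8006
# SSH from the management set only, using the predefined SSH macro
IN SSH(ACCEPT) -source +management
```

Running `pve-firewall compile` prints the ruleset that would be generated so it can be reviewed before it takes effect, and `pve-firewall status` shows whether the firewall is currently active.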