Hetzner 1 IP - proxmox - CT All work but can't NAT to my CT

KatiaSishost

Jun 22, 2020
Hello, I have problems doing a NAT. I have a dedicated Hetzner with only 1 public IP.

I installed Proxmox and created vmbr0 with the public IP data, then created vmbr1 with the IP 192.168.10.1.
Then I created my CT with the IP 192.168.10.100.

I installed a web server in my CT.

And on my private server with Proxmox I modified /etc/network/interfaces as follows.

Code:
source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

iface lo inet6 loopback

iface enp4s0 inet manual

auto vmbr0
iface vmbr0 inet static
         address 176.9.6.5/27
         gateway 176.9.6.9
         bridge-ports enp4s0
         bridge-stp off
         bridge-fd 0
         post-up sysctl -w net.ipv4.ip_forward=1
         post-up iptables -t nat -A PREROUTING -i enp4s0 -p tcp -m multiport ! --dport 8006 -j DNAT --to 192.168.10.100
         post-up iptables -t nat -A PREROUTING -i enp4s0 -p udp -j DNAT --to 192.168.10.100
#route 176.9.6.8/27 via 176.9.6.9

iface vmbr0 inet6 static
         address 2a01:4f8:160:2458::2/64
         gateway fe80::1

auto vmbr1
iface vmbr1 inet static
         address 192.168.10.1/24
         bridge-ports none
         bridge-stp off
         bridge-fd 0
         post-up iptables -t nat -A POSTROUTING -s '192.168.10.100/24' -o vmbr0 -j MASQUERADE
         post-down iptables -t nat -D POSTROUTING -s '192.168.10.100/24' -o vmbr0 -j MASQUERADE

I can log in to proxmox from outside and ssh into proxmox with no problem....



My CT can ping 1.1.1.1... google no problem... I can ping 192.168.10.1 and 192.168.10.100

My Proxmox can ping 1.1.1.1... google no problem... can ping 192.168.10.1 and 192.168.10.100

The only problem I have is that I can't access my webserver from the outside.

What I need is to pass port 8006 and 22 to proxmox and the rest to CT to use the webserver/email-server etc.
 
Hi,
for the container to be reached behind the NAT, you will have to port forward traffic from your PVE host to the container. You can do this by adding post-up hooks e.g.
Code:
iptables -t nat -A PREROUTING -i <iface> -p tcp --dport <port> -j DNAT --to <target-ip:target-port>
iptables -A FORWARD -p tcp -d <target-ip> --dport <target-port> -j ACCEPT
 
UPDATE:

I solved it with:
iptables -t nat -A PREROUTING -p tcp -d 198.0.10.172 --dport 80 -i vmbr0 -j DNAT --to-destination 192.168.10.160:
iptables -t nat -A PREROUTING -p tcp -d 198.0.10.172 --dport 443 -i vmbr0 -j DNAT --to-destination 192.168.10.160:443

Now I am going to investigate how to divide the ports haha
 
Now I am going to investigate how to divide the ports haha
What do you mean by that? You cannot forward the traffic to the same port to different containers if that is what you mean. For such setups you require a reverse proxy such as e.g. nginx or haproxy, which selects your backend based on e.g. SNI.
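An added example, not code from the thread or from Proxmox: a small POSIX sh script that emits the rule set the replies describe, pairing every DNAT with its FORWARD ACCEPT and refusing to forward 8006 or 22 away from the host. Bridge name, CT address, subnet and port list are assumed placeholders for this setup.

```shell
#!/bin/sh
# Added example (not from the thread or from Proxmox): emit the iptables rule set for a
# single-public-IP PVE host. Every DNAT gets a matching FORWARD ACCEPT (the point made in
# the first reply), and the host keeps 8006 (PVE GUI) and 22 (SSH) for itself.
# Assumed values: WAN bridge vmbr0, CT at 192.168.10.100 on 192.168.10.0/24, web+mail ports.
WAN_IF="${WAN_IF:-vmbr0}"
CT_IP="${CT_IP:-192.168.10.100}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"
FWD_TCP_PORTS="${FWD_TCP_PORTS:-80 443 25 587 993}"

# Print the rules instead of running them, so they can be reviewed before going into post-up hooks.
nat_rules() {
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $FWD_TCP_PORTS; do
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $p -j DNAT --to-destination $CT_IP:$p"
        echo "iptables -A FORWARD -i $WAN_IF -p tcp -d $CT_IP --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Fail if the port list would hand the host's management ports to the CT (lockout risk).
check_ports() {
    for p in $FWD_TCP_PORTS; do
        case "$p" in 8006|22) return 1 ;; esac
    done
    return 0
}

# "sh nat.sh apply" (as root) enables forwarding and applies the rules; anything else is a dry run.
main() {
    check_ports || { echo "refusing: ports 8006 and 22 must stay on the host" >&2; return 1; }
    if [ "$1" = "apply" ]; then
        sysctl -w net.ipv4.ip_forward=1
        nat_rules | sh
    else
        nat_rules
    fi
}
main "$@"
```

The printed lines can be pasted into post-up/post-down hooks on vmbr0 (with -A swapped for -D in post-down), or saved with iptables-save once verified.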
 
