I have set up a configuration to allow containers to be NATed with my host's public IP so that I can download / update containers (they do not need to be accessed from the host). It works well, but only if my container network interface is not firewalled by pve-firewall. More precisely, if I switch on pve-firewall, the SNAT rule on the host does not seem to apply to my container's outgoing traffic.
Here is my setup (tested on Proxmox 3.3.5 and 3.4.1):
- Host has public IP w.x.y.z on vmbr0 bridge (host's eth0 plugged into that bridge)
- Bridge vmbr2 is dedicated to outgoing traffic for my containers. Host has 10.0.0.1 on vmbr2, containers have virtual interfaces with an address in 10.0.0.0/24 and have 10.0.0.1 as their default gateway; for the example below, a container has eth0 with 10.0.0.10
- host's SNAT rule: iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j SNAT --to-source w.x.y.z
It works very well with pve-firewall not activated on the container's eth0.
- for instance, dig www.google.com @8.8.8.8 from inside the container
- gives me this output with a tcpdump on the host:
Code:
tcpdump -n -i vmbr0 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmbr0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:41:53.652325 IP w.x.y.z.41029 > 8.8.8.8.53: 35348+ A? www.google.com. (32)
14:41:53.662983 IP 8.8.8.8.53 > 10.0.0.10.41029: 35348 1/0/0 A 216.58.211.100 (48)
However, if I activate pve-firewall on the container's eth0, I get this tcpdump output:
Code:
tcpdump -n -i vmbr0 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmbr0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:45:44.242616 IP 10.0.0.10.47279 > 8.8.8.8.53: 64472+ A? www.google.com. (32)
In the first case the SNAT rule is applied; in the second case the request goes out with my container's non-routable internal IP.
I came to the conclusion that the iptables rules added when I switch on pve-firewalling for container/eth0 somehow disable NAT processing for that container's packets. But I could not find exactly where and why.
Can someone help me understand what's happening here?
Kind regards,
Nicolas
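The two captures above are the only evidence in the post, so a small checker that reads tcpdump output from the public bridge and flags packets that still carry a source address from the container subnet is a handy way to confirm whether SNAT is being applied. This is an added example, not the poster's code; the sample lines are constructed to mirror the two captures, with 203.0.113.5 standing in for the placeholder w.x.y.z.

```python
import ipaddress
import re

# Matches a "tcpdump -n" line: "<ts> IP <src>.<sport> > <dst>.<dport>: ..."
_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Constructed sample captures (203.0.113.5 stands in for the host's public IP w.x.y.z).
SAMPLE_SNAT_OK = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmbr0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:41:53.652325 IP 203.0.113.5.41029 > 8.8.8.8.53: 35348+ A? www.google.com. (32)
14:41:53.662983 IP 8.8.8.8.53 > 10.0.0.10.41029: 35348 1/0/0 A 216.58.211.100 (48)
"""
SAMPLE_SNAT_LEAK = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmbr0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:45:44.242616 IP 10.0.0.10.47279 > 8.8.8.8.53: 64472+ A? www.google.com. (32)
"""


def find_nat_leaks(capture, internal_net="10.0.0.0/24"):
    """Return (timestamp, src, dst, dport) for every packet on the public
    bridge whose source is still inside the container subnet, i.e. a packet
    that left the host without the POSTROUTING SNAT rule rewriting it."""
    net = ipaddress.ip_network(internal_net)
    leaks = []
    for line in capture.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # banner lines and anything that is not an IP packet line
        if ipaddress.ip_address(m["src"]) in net:
            leaks.append((m["ts"], m["src"], m["dst"], int(m["dport"])))
    return leaks


if __name__ == "__main__":
    for name, cap in (("firewall off", SAMPLE_SNAT_OK), ("firewall on", SAMPLE_SNAT_LEAK)):
        leaks = find_nat_leaks(cap)
        status = "SNAT applied" if not leaks else "un-NATed packets: %r" % leaks
        print("%s: %s" % (name, status))
```

Feed it a live capture with `tcpdump -n -i vmbr0 | python3 checker.py` style piping, or compare the `pkts` counter of the POSTROUTING SNAT rule (`iptables -t nat -L POSTROUTING -v -n`) before and after a query to see whether the rule is even being hit.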