[SOLVED] Hosting Websites Single IP, Proxmox Server and Internal VM

jamest65
Apr 29, 2021
Hi All,

I would appreciate any assistance to help me understand how to get a website hosted from a Proxmox VM behind a single IP. NAT is working from the inside out; I am just trying to get the website to display with an A record pointing to my Proxmox server.

I have everything working from the inside out, i.e. RDP, SSH, ZeroTier, and so on. I have set up a Docker Nginx reverse proxy and a WordPress container to host multiple websites (I am in the process of typing up a tutorial, as I feel this is lacking for new users such as myself), all working locally. I have set up a DC-level security group to open up ports 80 and 443 and applied that at the DC, node and VM levels, etc. I have also set iptables to forward incoming traffic,

e.g.
Code:
# MYPUBLICIP is a placeholder for the host's public address (must be a single token)
iptables -t nat -A PREROUTING -d MYPUBLICIP -p tcp --dport 443 -j DNAT --to 10.10.10.102:443
iptables -t nat -A PREROUTING -d MYPUBLICIP -p tcp --dport 80 -j DNAT --to 10.10.10.102:80

DC and Node PVEFW
Code:
iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:10.10.10.102:80
DNAT       tcp  --  anywhere             anywhere             tcp dpt:https to:10.10.10.102:443

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
PVEFW-INPUT  all  --  anywhere             anywhere


Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
PVEFW-FORWARD  all  --  anywhere             anywhere


Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PVEFW-OUTPUT  all  --  anywhere             anywhere


Chain PVEFW-Drop (0 references)
target     prot opt source               destination
PVEFW-reject  tcp  --  anywhere             anywhere             tcp dpt:whois
PVEFW-DropBroadcast  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
DROP       all  --  anywhere             anywhere             ctstate INVALID
DROP       udp  --  anywhere             anywhere             multiport dports epmap,microsoft-ds
DROP       udp  --  anywhere             anywhere             udp dpts:netbios-ns:netbios-ssn
DROP       udp  --  anywhere             anywhere             udp spt:netbios-ns dpts:1024:65535
DROP       tcp  --  anywhere             anywhere             multiport dports epmap,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere             udp dpt:1900
DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN
DROP       udp  --  anywhere             anywhere             udp spt:domain
           all  --  anywhere             anywhere             /* PVESIG:WDy2wbFe7jNYEyoO3QhUELZ4mIQ */


Chain PVEFW-DropBroadcast (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type ANYCAST
DROP       all  --  anywhere             base-address.mcast.net/4
           all  --  anywhere             anywhere             /* PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w */


Chain PVEFW-FORWARD (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
PVEFW-FWBR-IN  all  --  anywhere             anywhere             PHYSDEV match --physdev-in fwln+ --physdev-is-bridged
PVEFW-FWBR-OUT  all  --  anywhere             anywhere             PHYSDEV match --physdev-out fwln+ --physdev-is-bridged
           all  --  anywhere             anywhere             /* PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw */


Chain PVEFW-FWBR-IN (1 references)
target     prot opt source               destination
PVEFW-smurfs  all  --  anywhere             anywhere             ctstate INVALID,NEW
           all  --  anywhere             anywhere             /* PVESIG:Ijl7/xz0DD7LF91MlLCz0ybZBE0 */


Chain PVEFW-FWBR-OUT (1 references)
target     prot opt source               destination
           all  --  anywhere             anywhere             /* PVESIG:2jmj7l5rSw0yVb/vlWAYkK/YBwk */


Chain PVEFW-HOST-IN (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
PVEFW-smurfs  all  --  anywhere             anywhere             ctstate INVALID,NEW
RETURN     igmp --  anywhere             anywhere
RETURN     tcp  --  192.168.100.63       anywhere             tcp spt:https
RETURN     tcp  --  192.168.100.63       anywhere             tcp spt:http
RETURN     udp  --  anywhere             anywhere             udp dpt:5201
RETURN     udp  --  anywhere             anywhere             udp dpt:9993
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-externalip-v4 src tcp dpt:9022
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-externalip-v4 src tcp dpt:8006
DROP       all  --  anywhere             anywhere
RETURN     tcp  --  192.168.100.63       anywhere             tcp spt:https
RETURN     tcp  --  192.168.100.63       anywhere             tcp spt:http
RETURN     udp  --  anywhere             anywhere             udp dpt:9993
RETURN     udp  --  anywhere             anywhere             udp dpt:5201
RETURN     tcp  --  anywhere             PVE-PXC-ETL002.local  match-set PVEFW-0-externalip-v4 src tcp dpt:8006
RETURN     tcp  --  anywhere             PVE-PXC-ETL002.local  match-set PVEFW-0-externalip-v4 src tcp dpt:9022
DROP       icmp --  anywhere             anywhere
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpt:8006
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpts:5900:5999
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpt:3128
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpt:ssh
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpts:60000:60050
RETURN     all  --  anywhere             anywhere
           all  --  anywhere             anywhere             /* PVESIG:t7WoKIm8/VFUsxKZG9ZCvSMdKOw */


Chain PVEFW-HOST-OUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
RETURN     igmp --  anywhere             anywhere
RETURN     tcp  --  anywhere             80.63.3ea9.ip4.static.sl-reverse.com/28  tcp dpt:8006
RETURN     tcp  --  anywhere             80.63.3ea9.ip4.static.sl-reverse.com/28  tcp dpt:ssh
RETURN     tcp  --  anywhere             80.63.3ea9.ip4.static.sl-reverse.com/28  tcp dpts:5900:5999
RETURN     tcp  --  anywhere             80.63.3ea9.ip4.static.sl-reverse.com/28  tcp dpt:3128
RETURN     all  --  anywhere             anywhere
           all  --  anywhere             anywhere             /* PVESIG:42FPs3oALeKd4tPDbjkRtVpu+8Y */


Chain PVEFW-INPUT (1 references)
target     prot opt source               destination
PVEFW-HOST-IN  all  --  anywhere             anywhere
           all  --  anywhere             anywhere             /* PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk */


Chain PVEFW-OUTPUT (1 references)
target     prot opt source               destination
PVEFW-HOST-OUT  all  --  anywhere             anywhere
           all  --  anywhere             anywhere             /* PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0 */


Chain PVEFW-Reject (0 references)
target     prot opt source               destination
PVEFW-reject  tcp  --  anywhere             anywhere             tcp dpt:whois
PVEFW-DropBroadcast  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
DROP       all  --  anywhere             anywhere             ctstate INVALID
PVEFW-reject  udp  --  anywhere             anywhere             multiport dports epmap,microsoft-ds
PVEFW-reject  udp  --  anywhere             anywhere             udp dpts:netbios-ns:netbios-ssn
PVEFW-reject  udp  --  anywhere             anywhere             udp spt:netbios-ns dpts:1024:65535
PVEFW-reject  tcp  --  anywhere             anywhere             multiport dports epmap,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere             udp dpt:1900
DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN
DROP       udp  --  anywhere             anywhere             udp spt:domain
           all  --  anywhere             anywhere             /* PVESIG:CZJnIN6rAdpu+ej59QPr9+laMUo */


Chain PVEFW-SET-ACCEPT-MARK (0 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             MARK or 0x80000000
           all  --  anywhere             anywhere             /* PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY */


Chain PVEFW-logflags (5 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
           all  --  anywhere             anywhere             /* PVESIG:MN4PH1oPZeABMuWr64RrygPfW7A */


Chain PVEFW-reject (6 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
DROP       all  --  base-address.mcast.net/4  anywhere
DROP       icmp --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     icmp --  anywhere             anywhere             reject-with icmp-host-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
           all  --  anywhere             anywhere             /* PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc */


Chain PVEFW-smurflog (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
           all  --  anywhere             anywhere             /* PVESIG:2gfT1VMkfr0JL6OccRXTGXo+1qk */


Chain PVEFW-smurfs (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0              anywhere
PVEFW-smurflog  all  --  anywhere             anywhere            [goto]  ADDRTYPE match src-type BROADCAST
PVEFW-smurflog  all  --  base-address.mcast.net/4  anywhere            [goto]
           all  --  anywhere             anywhere             /* PVESIG:HssVe5QCBXd5mc9kC88749+7fag */


Chain PVEFW-tcpflags (0 references)
target     prot opt source               destination
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:SYN,RST/SYN,RST
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN/FIN,SYN
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp spt:0 flags:FIN,SYN,RST,ACK/SYN
           all  --  anywhere             anywhere             /* PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo */


VM level

Code:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL


Chain INPUT (policy ACCEPT)
target     prot opt source               destination


Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !localhost/8          ADDRTYPE match dst-type LOCAL


Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.20.0.0/16        anywhere
MASQUERADE  all  --  172.17.0.0/16        anywhere
MASQUERADE  tcp  --  172.17.0.2           172.17.0.2           tcp dpt:9000
MASQUERADE  tcp  --  172.17.0.2           172.17.0.2           tcp dpt:8000
MASQUERADE  tcp  --  172.20.0.2           172.20.0.2           tcp dpt:https
MASQUERADE  tcp  --  172.20.0.2           172.20.0.2           tcp dpt:http


Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
DNAT       tcp  --  anywhere             anywhere             tcp dpt:9000 to:172.17.0.2:9000
DNAT       tcp  --  anywhere             anywhere             tcp dpt:8000 to:172.17.0.2:8000
DNAT       tcp  --  anywhere             anywhere             tcp dpt:https to:172.20.0.2:443
DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:172.20.0.2:80

I run
Code:
dig +short myip.opendns.com @resolver1.opendns.com
and it shows the correct public IP for the above. I am clearly missing something and just cannot figure out how to open port 80 (443 I will attack later). I have the A records pointing to the Proxmox server; I just can't seem to get the incoming request on port 80/443 accepted and forwarded to the internal VM that is hosting the website.
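The two DNAT rules from the post, wrapped in the checks that would have caught a mistyped public IP before any rule was applied, as an added example that is not part of the original thread. The public address 203.0.113.10, the bridge name vmbr0 and the sample `ip addr` line are constructed; the VM address 10.10.10.102 is the one used in the post, and the FORWARD accept is an assumption for hosts whose FORWARD policy is not already ACCEPT.

```shell
#!/bin/sh
# Added example (not from the thread): build the DNAT rules that publish a
# VM's web ports from a single-IP Proxmox host, and check the public IP first.
set -eu
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # constructed example address (TEST-NET-3)
VM_IP="${VM_IP:-10.10.10.102}"           # the VM address used in the thread
WAN_IF="${WAN_IF:-vmbr0}"                # assumed bridge carrying the public IP

# Constructed sample of `ip -4 -o addr show dev vmbr0` output, so the checks
# can be exercised offline without touching a real host.
SAMPLE_ADDRS='2: vmbr0    inet 203.0.113.10/24 brd 203.0.113.255 scope global vmbr0'

# Accept only a well-formed dotted quad; "MYPUBLIC IP" (embedded space) or an
# octet above 255 is rejected before it can end up in a rule that never matches.
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
  for octet in $(printf '%s' "$1" | tr . ' '); do
    [ "$octet" -le 255 ] || return 1
  done
}

# A DNAT rule for an address the host does not own matches nothing and the
# request silently hits the host itself; confirm the address is really bound.
ip_bound_on_host() {
  printf '%s\n' "$2" | grep -qF -- "inet $1/"
}

# Rules for one published port: DNAT on ingress plus a FORWARD accept limited
# to that VM and port (return traffic is covered by the ESTABLISHED state).
dnat_rules() {
  printf '%s\n' \
    "iptables -t nat -A PREROUTING -d $1 -p tcp --dport $3 -j DNAT --to-destination $2:$3" \
    "iptables -A FORWARD -d $2 -p tcp --dport $3 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
}

# Run both checks, then print the full rule set for 80 and 443 for review.
# Arguments: public IP, VM IP, output of `ip -4 -o addr show dev <bridge>`.
plan_web_publish() {
  valid_ipv4 "$1" || { echo "malformed public IP: '$1'" >&2; return 1; }
  ip_bound_on_host "$1" "$3" || { echo "$1 is not bound on this host" >&2; return 1; }
  for port in 80 443; do dnat_rules "$1" "$2" "$port"; done
}

# Real run (prints the commands; apply them as root once reviewed):
#   PUBLIC_IP=x.x.x.x VM_IP=10.10.10.102 RUN_PLAN=1 sh publish_vm_web.sh
if [ -n "${RUN_PLAN:-}" ]; then
  plan_web_publish "$PUBLIC_IP" "$VM_IP" "$(ip -4 -o addr show dev "$WAN_IF")"
fi
```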
I answered my own question, lol. I reset all my iptables and got rid of a mess I had created. After reapplying, I noticed that I had made a typo on the public IP. I will write up a tutorial in due course to help others, as this is easy once you understand the architecture.
 
Really looking forward to reading a tutorial. I'm not a stranger to servers, routers, firewalls and so on, but this is my first step into VMs and things are done differently.
As a new user I'm trying to get my head around the different ways things are done. It seems that this is one of the most asked topics for new users.
 
I agree, it is indeed, and I have just gone through a whole load of pain with Proxmox, but I am fast getting up to speed. The bit that evades me, for now, is hosting multiple websites; I am stuck at the WordPress "error establishing a database" message. It's always the simple stuff that gets me, but I am collecting lots of info for a tutorial on publishing websites from a VM.
 
Have you tried installing WordPress through Turnkey in a container?
I have built WordPress with Ubuntu VMs and Turnkey and can get them to run locally by IP and across ZeroTier. I got over the database error; I am struggling to get port 80 connected to the VM via HAProxy and out to the public internet.

I have the DC-to-node security group with 443 and 80, and I have the forwarding rules etc. in my interfaces. I feel like I have done all the hard stuff, but this website area has me stumped....

One of the sites is through Cloudflare.

I can't for the life of me figure out what's missing to expose the websites on the VMs out on 80 and 443; any ideas greatly welcomed.

I am thinking I need some sort of firewall in addition to Proxmox? Not sure, it's unclear. I do have a single NIC with a single IP and could open up another port, but I'm not sure I need to...