how to configure firewall to do a NAT

Juliet

Member
Oct 24, 2023
Hi,
I have a k8s cluster deployed inside a Proxmox host.
Every time I deploy an app inside the cluster, I make a NodePort service for it, e.g. 30001, and in order to access the app from outside the cluster using the public IP, I create a NAT rule for that purpose like:
Code:
post-up iptables -t nat -A PREROUTING  -i  vmbr0 -p tcp --dport 30001 -j DNAT --to 172.16.104.107:30001
post-down iptables -t nat -D PREROUTING -i  vmbr0 -p tcp --dport 30001 -j DNAT --to 172.16.104.107:30001

Now, I have installed an ingress controller inside my cluster and deployed an nginx app for test purposes, and I can access it from the Proxmox host:
Code:
curl --header "HOST: nginx.example.com" http://172.16.104.107:30747
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

where 30747 is the NodePort number for HTTP and 30755 for HTTPS.

But my problem is that asking the user to type the port number each time they want to access our HTTP(S) service is not the best way to go. So, we will configure our firewall to do a NAT that looks like this:

Public IP       Port   Local IP          Port
my public ip    80     172.16.104.107    TCP/30747
my public ip    443    172.16.104.107    TCP/30755

Could you please help with how I can adjust the firewall access-list accordingly in the NAT?

Thanks
 
Code:
post-up iptables -t nat -A PREROUTING  -i  vmbr0 -p tcp --dport 30001 -j DNAT --to 172.16.104.107:30001
post-down iptables -t nat -D PREROUTING -i  vmbr0 -p tcp --dport 30001 -j DNAT --to 172.16.104.107:30001

You will need to adjust the respective port after --dport to 80/443
 
You will need to adjust the respective port after --dport to 80/443
Thanks for your time, but I have tested this:

post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 172.16.104.107:30747
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 172.16.104.107:30747
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 172.16.104.107:30755
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 172.16.104.107:30755

and from the browser, when I type http://244.12.85.96, nothing happens, where 244.12.85.96 is the public IP.
 
What do your NAT rules look like?

Code:
iptables -t nat -L
 
What do your NAT rules look like?

Code:
iptables -t nat -L
Code:
iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:172.16.104.107:30747
DNAT       tcp  --  anywhere             anywhere             tcp dpt:https to:172.16.104.107:30755
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        anywhere
MASQUERADE  all  --  172.16.104.0/24       anywhere

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
 
The rules look fine, can you check via tcpdump on the tap interface, whether the packets are arriving at the VM?
 
The rules look fine, can you check via tcpdump on the tap interface, whether the packets are arriving at the VM?
But when I type:
Code:
curl public-ip

I got this error:
curl: (7) Failed to connect to public-ip port 80 after 2086 ms: Couldn't connect to server

Do you agree it should go to port 80 and then be redirected to 172.16.104.107:30747?
 
