[SOLVED] How to do DNAT with SDN custom rule on Single host?

B

be-team

Renowned Member
Jul 11, 2013
6
0
66
On a root server with one NIC I set up Proxmox VE 8.1.4 with two SDN simple zones, so I have three bridges configured: vmbr0 connected to eno1 with public IP, dmznet with SNAT and subnet 192.168.100.0/24 for nginx reverse proxy. Third bridge is labnet 192.168.200.0/24 for the application containers. To set up direct ssh communication to the lab containers from the developers machines I added a port forwarding rule on the proxmost host like so:

Bash: 
iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 37122 -j DNAT --to 192.168.200.10:22

Is there a better way to achieve this using a SDN custom rule, and if so, where should I place that - on datacenter level, host level, or container level?
 
Thanks for your quick response, spirit! Before the advent of nftables I was a big fan of shorewall. Do you (or anybody else) happen to know whether DNAT port forwarding is on the roadmap for proxmox SDN?
 
I think DNAT will be the last thing.

we need to finish dhcp first, then clean SNAT. (currently it's done in /etc/network/interfaces, it should be done in a daemon , like pve-firewall)

Then DNAT. (and for dnat , I don't known how to manage it with live migration/conntrack/...). with a single server it's pretty simple)
 
So I will try and put my supplementary iptables rules into a systemd unit. As I am not too experienced with those: Should I go for "require" or "after", and which target would be a good predecessor? Some searching pointed me to systemd-analyze. If I read its output correctly, pvedaemon.service or pvestatd.service seem like suitable candidates. On my single server, it seems acceptable to me to neglect live migration - at least for a first pragmatic solution.

P.S.: With openvz, I remember something like a <VMID>.mount script running when a container is started. Would that be a better place, or is it now done via "hookscript" for lxc containers?
 
Last edited:
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom