How to port forward using Simple Zone With SNAT and DHCP?

vmtinkerer

New Member
Apr 14, 2025
https://pve.proxmox.com/wiki/Setup_Simple_Zone_With_SNAT_and_DHCP


I just started using Proxmox, and I am currently using a dedicated server in a datacenter that has only one IP; because of that I need to use NAT.


I followed this tutorial, but I cannot get forwarding to work using the firewall GUI. I also enabled nftables, since that needs to be enabled for the forward option to work correctly. For example, how would I forward 10.0.0.2 port 22 to 127.0.0.1 port 2221? Is this supported using the firewall GUI option, or am I supposed to do this another way?
 
I also enabled nftables, since that needs to be enabled for the forward option to work
forward in the nftables firewall refers to the forward chain. You cannot forward any ports / traffic with it, but only create firewall rules for forwarded traffic.

You are probably looking for DNAT, e.g.:

Code:
iptables -t nat -A PREROUTING -p tcp -d 192.0.2.0 --dport 80 -j DNAT --to-destination 198.51.100.0:8000

would forward packets arriving at 192.0.2.0 port 80 to 198.51.100.0 port 8000.
 
Thanks for the help, but is there any reason why this is not working? I confirmed that net.ipv4.ip_forward is on, which based on would make that work if it was not on. My VM does not have the firewall enabled.

Code:
iptables -t nat -A PREROUTING -p tcp -d 10.0.0.2 --dport 22 -j DNAT --to-destination 127.0.0.1:2221

Here are the firewall rules I have on the datacenter.
I think I misunderstood what you were trying to do, sorry!

If you simply want to reach port 2221 on your host from a VM (correct me if I am wrong), then connecting from your VM to 10.0.0.1:2221 should be sufficient. In that case you don't need to use DNAT at all.
 
Maybe this would make sense: I am trying to avoid installing Tailscale on all my VMs and containers and just forward the ports directly to my main Tailscale IP, which is 100.78.147.101. I am unable to use the subnet option due to reasons. I am confused about why this iptables rule is not working with the 127.0.0.1 option, though.
 
Tailscale includes its own rules in the NAT table, as well as in the forward chain of the filter table iirc. So that might mess with your setup in unexpected ways.
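
The DNAT approach discussed in this thread, as an added example that is not part of any post: a POSIX shell helper that prints (never applies) the rules to publish one VM port, and refuses a loopback target, because a packet rewritten to 127.0.0.0/8 in PREROUTING is dropped as a martian unless route_localnet is enabled. The interface name tailscale0, the VM address 10.0.0.2, the 2221-to-22 mapping and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: print (never apply) the iptables rules
# that publish one TCP port of a VM behind the SNAT simple zone.
# Assumed values: tailscale0 as ingress interface, VM 10.0.0.2, 2221 -> 22.

is_port() {
    case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

is_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# usage: dnat_rules INGRESS_IF LISTEN_PORT VM_IP VM_PORT
dnat_rules() {
    in_if=$1 lport=$2 vm_ip=$3 vm_port=$4
    case "$in_if" in ''|*[!A-Za-z0-9_.-]*) echo "bad interface" >&2; return 2 ;; esac
    is_port "$lport" && is_port "$vm_port" && is_ipv4 "$vm_ip" || {
        echo "bad port or address" >&2; return 2; }
    case "$vm_ip" in 127.*)
        # A packet rewritten to 127.0.0.0/8 in PREROUTING is then routed as a
        # martian and dropped unless route_localnet is set on the interface.
        echo "refusing loopback DNAT target $vm_ip" >&2; return 3 ;;
    esac
    # Rewrite the destination before routing, only for traffic entering in_if.
    echo "iptables -t nat -A PREROUTING -i $in_if -p tcp --dport $lport -j DNAT --to-destination $vm_ip:$vm_port"
    # The rewritten packet is forwarded, not delivered locally: allow it ...
    echo "iptables -A FORWARD -i $in_if -p tcp -d $vm_ip --dport $vm_port -j ACCEPT"
    # ... and allow only replies of that connection back out.
    echo "iptables -A FORWARD -o $in_if -p tcp -s $vm_ip --sport $vm_port -m conntrack --ctstate ESTABLISHED -j ACCEPT"
}

dnat_rules tailscale0 2221 10.0.0.2 22
```

Compare the printed rules with the output of `iptables-save` before applying them, since Tailscale adds its own entries to the NAT table and the forward chain, as the last reply notes.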