Inbound Redirect Not Working

Hi,

I have configured ProxMox on a Hetzner Root Server. It's configured using their image under "Virtualisation". Once it was installed I could create a VM, and it's configured using NAT. This server gets an IP just fine and can connect to the internet without a problem.

What I am trying to get right now is inbound NAT to the server for remote management.
The server's IP is: x.x.x.x
The internal range is: 10.0.2.0/24
The server that's being tested against: 10.0.2.15

Here is my /etc/network/interfaces
Code:
root@repl ~ # cat /etc/network/interfaces
### Hetzner Online AG - installimage
# Loopback device:
auto lo
iface lo inet loopback

# device: eth0
auto  eth0
iface eth0 inet static
  address   x.x.x.x
  broadcast y.y.y.y
  netmask   255.255.255.224
  gateway   z.z.z.z
  # default route to access subnet
  up route add -net y.y.y.y netmask 255.255.255.224 gw z.z.z.z eth0

iface eth0 inet6 static
  address 2a01:4f8:210:5266::2
  netmask 64
  gateway fe80::1
root@repl ~ #

Here is the sysctl options:
Code:
root@repl:~# sysctl -p
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.default.proxy_arp = 1
net.ipv4.conf.all.rp_filter = 1
kernel.sysrq = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
root@repl:~#

Here are my iptables rules:
Code:
*nat
:PREROUTING ACCEPT [85:5108]
:POSTROUTING ACCEPT [169:12330]
:OUTPUT ACCEPT [169:12330]
-A POSTROUTING -s 10.0.2.0/24 -o eth0 -j SNAT --to-source x.x.x.x
-A PREROUTING -d x.x.x.x/32 -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.2.15:80
-A POSTROUTING -s 10.0.2.0/24 -o eth0 -j SNAT --to-source x.x.x.x
COMMIT
*mangle
:PREROUTING ACCEPT [115907:97187641]
:INPUT ACCEPT [115567:97164491]
:FORWARD ACCEPT [340:23150]
:OUTPUT ACCEPT [91029:36963460]
:POSTROUTING ACCEPT [91334:36984926]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [19704:2689592]
:LOGGING - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -m icmp --icmp-type 12 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -m icmp --icmp-type 5 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -m icmp --icmp-type 9 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -m icmp --icmp-type 10 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -m icmp --icmp-type 4 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -m icmp --icmp-type 11 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s ab.ab.ab.ab/32 -m comment --comment "My Remote IP" -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j LOGGING
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -s 10.0.2.0/24 -j ACCEPT
-A FORWARD -d 10.0.2.0/24 -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables: "
-A LOGGING -j DROP
COMMIT

With all of that I can't connect from outside to any port running on the VM. A tcpdump on the VM server shows no incoming traffic at all. Here are some screenshots showing the config:
http://cl.ly/image/0j2W3A1G462p
http://cl.ly/image/3o3J322x271A

Any ideas? I don't want to change the way it's run, happy to use NAT for this, just want to be able to assign a port to each IP and be able to SSH in (for example).

Thanks
Ian
 
Hello Ian,

I have configured ProxMox on a Hetzner Root Server. It's configured using their image under "Virtualisation". Once it was installed I could create a VM, and it's configured using NAT. This server gets an IP just fine and can connect to the internet without a problem.

What I am trying to get right now is inbound NAT to the server for remote management.
The server's IP is: x.x.x.x
The internal range is: 10.0.2.0/24
The server that's being tested against: 10.0.2.15

The address 10.0.2.15 is an indicator that you use the kvm built-in NAT. The Proxmox server has address x.x.x.x which is not in 10.0.2.0/24 - you cannot make a connection from it to 10.0.2.15, in other words

Code:
-A PREROUTING -d x.x.x.x/32 -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.2.15:80

has no effect. Note that the built-in NAT in kvm is not like a usual NAT router!

Solution:

- Create a second bridge in Proxmox without any physical port (e.g. vmbr1)

- define a subnet of your choice, e.g. 10.10.10.0/24

- assign e.g. 10.10.10.1 to vmbr1

- connect the VMs virtual NICs to vmbr1

- define addresses manually in the VMs or via DHCP using your own DHCP server in Proxmox (e.g. isc-dhcp-server)

- then port forwarding via iptables will work without any problems

To install the NAT server in Proxmox call

Code:
apt-get install isc-dhcp-server

For NAT server configuration have a look into

Code:
man dhcpd

Kind regards

Mr.Holmes
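The bridge layout Mr.Holmes describes, as an added example that is not code from either post: a vmbr1 stanza, a matching DNAT/SNAT ruleset with the FORWARD ACCEPT rules placed ahead of the final REJECT, and a small lint that flags the ordering in Ian's dump (where the catch-all FORWARD REJECT precedes the ACCEPT rules, so they are never reached). The addresses 10.10.10.1 and 10.10.10.15, and the public IP passed as an argument, are assumptions.

```shell
# Added example, not from either post. Assumed values: vmbr1 = 10.10.10.1/24,
# VM = 10.10.10.15, Hetzner public address passed in as $1 (x.x.x.x in the
# thread). Generates config text only; nothing here touches the live firewall.

# /etc/network/interfaces stanza for the bridge with no physical port.
vmbr1_stanza() {
    cat <<'EOF'
auto vmbr1
iface vmbr1 inet static
  address 10.10.10.1
  netmask 255.255.255.0
  bridge_ports none
EOF
}

# iptables-restore text: DNAT public:$3 -> VM:$4, SNAT for the VM subnet,
# and a FORWARD chain whose ACCEPT rules come BEFORE the final REJECT.
nat_rules() {
    pub_ip=$1; vm_ip=$2; pub_port=$3; vm_port=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d ${pub_ip}/32 -i eth0 -p tcp --dport ${pub_port} -j DNAT --to-destination ${vm_ip}:${vm_port}
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j SNAT --to-source ${pub_ip}
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vmbr1 -s 10.10.10.0/24 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o vmbr1 -d ${vm_ip} -p tcp --dport ${vm_port} -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Lint for the ordering mistake in Ian's dump: a FORWARD REJECT/DROP with no
# match (no -s/-d/-i/-o/-m) ahead of a later ACCEPT makes that ACCEPT dead.
# Returns 0 when the chain is sane, 1 when an ACCEPT can never be reached.
forward_order_ok() {
    printf '%s\n' "$1" | awk '
        /^-A FORWARD / {
            if ($0 ~ /-j (REJECT|DROP)/ && $0 !~ /-[sdiom] /) blocked = 1
            else if (blocked && $0 ~ /-j ACCEPT/) dead = 1
        }
        END { exit (dead ? 1 : 0) }'
}
```

Feed `nat_rules x.x.x.x 10.10.10.15 8080 80` to iptables-restore only after merging it into the full ruleset: iptables-restore flushes every table the input mentions, so restoring this fragment on its own would wipe the INPUT rules.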
 