[SOLVED] LAMP on CT - DNS SETUP

pretofusia
Dec 3, 2020
I have Proxmox running on a root server. The server has 2 public IPs. The first IP is the Proxmox host. The second IP is a CT with OpenVPN running.
Now I want to create one LAMP CT. It should be reachable via a public domain. For that I created one MASQUERADE vmbr1.
So far everything is working. Now I want to make the LAMP CT reachable publicly.
I am totally lost how to do that and can't find any clue on the internet. Do I need to resolve DNS with something like BIND9? ... Does anyone have a hint, so that I can go on searching?

Here is my /etc/network/interfaces, to show my network setup:
Bash:
auto lo
iface lo inet loopback

# Physical uplink, point-to-point to the provider gateway. Nothing is bridged
# onto ens3 directly; the host routes for both public IPs.
auto ens3
iface ens3 inet static
        address  PUBLICIP_1
        netmask  255.255.252.0
        gateway  GATEWAY
        pointopoint GATEWAY

# Routed bridge for the second public IP (the OpenVPN CT). No physical port;
# the /32 route hands PUBLICIP_2 to the CT attached to this bridge.
auto vmbr0
iface vmbr0 inet static
        address  PUBLICIP_1
        netmask  255.255.252.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        bridge_maxwait 0
        up ip route add PUBLICIP_2/32 dev vmbr0

# Private NAT bridge for the LAMP CT. The host is 10.1.7.1; traffic from
# 10.1.7.0/24 leaves ens3 masqueraded behind PUBLICIP_1.
auto vmbr1
iface vmbr1 inet static
        address  10.1.7.1
        netmask  255.255.255.0
        network  10.1.7.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.1.7.0/24' -o ens3 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.1.7.0/24' -o ens3 -j MASQUERADE

hi,

from your network configuration it looks like you're setting up IP forwarding.

you should also add the following in your vmbr1:
Code:
post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

to forward a single port you can do something like this:
Code:
iptables -t nat -A PREROUTING -i ens3 -p tcp --dport SOME_PORT -j DNAT --to SOME_IP:SOME_PORT

so if your LAMP CT is, let's say, 10.1.7.10 and runs on port 443, you could expose port 443 on your PVE host:
Code:
iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 443 -j DNAT --to 10.1.7.10:443

this way if you get a connection on port 443 it'll be redirected to the internal CT.

for this to all work with a domain name, you just need to point your DNS record to the public IP of your PVE host.

hope this helps!
 
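As an added example, not code from this thread or from Proxmox: a small POSIX sh script that builds the same DNAT and MASQUERADE rules as above, validates the addresses and ports, restricts the DNAT to the host's own public address (the rule above has no `-d`, so on this host it would also rewrite that port for the second public IP, which enters via ens3 before being routed to the OpenVPN CT over vmbr0), and adds or deletes the rules idempotently so it can be called from post-up/post-down without stacking duplicates. ens3 and 10.1.7.0/24 come from the thread; 203.0.113.10 (public IP), 10.1.7.5 (CT address), port 8000 and the path /root/pf.sh are assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread or from Proxmox: build and apply the
# DNAT port-forward for a CT behind a MASQUERADE bridge. Interface and subnet
# follow the thread (ens3, 10.1.7.0/24); 203.0.113.10 is a placeholder public IP
# and 10.1.7.5 an assumed CT address.

# is_ipv4 ADDR: dotted-quad shape check (octet range is not validated)
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# is_port N: integer in 1..65535
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# pf_rule WAN_IF PUBLIC_IP PUB_PORT CT_IP CT_PORT
# Prints "TABLE CHAIN match... -j TARGET ..." so one spec serves -C, -A and -D.
pf_rule() {
    wan_if=$1 pub_ip=$2 pub_port=$3 ct_ip=$4 ct_port=$5
    is_ipv4 "$pub_ip" && is_ipv4 "$ct_ip" && is_port "$pub_port" && is_port "$ct_port" || return 2
    # "-d $pub_ip" limits the rewrite to the host's own address. A rule without -d
    # ("-i ens3 --dport 8000") also rewrites that port for every other public IP
    # arriving on ens3, here the OpenVPN CT's second IP routed over vmbr0.
    echo "nat PREROUTING -i $wan_if -d $pub_ip -p tcp --dport $pub_port -j DNAT --to-destination $ct_ip:$ct_port"
}

# masq_rule WAN_IF LAN_NET: the thread's POSTROUTING rule in the same spec form
masq_rule() {
    echo "nat POSTROUTING -s $2 -o $1 -j MASQUERADE"
}

# pf_apply add|del TABLE CHAIN match...: idempotent, so a post-up that runs more
# than once does not stack duplicate rules. DRY_RUN=1 prints instead of running.
pf_apply() {
    action=$1 table=$2 chain=$3
    shift 3
    case "$action" in
        add) flag=-A ;;
        del) flag=-D ;;
        *)   return 2 ;;
    esac
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables -t $table $flag $chain $*"
        return 0
    fi
    if [ "$flag" = -A ]; then
        iptables -t "$table" -C "$chain" "$@" 2>/dev/null || iptables -t "$table" -A "$chain" "$@"
    else
        iptables -t "$table" -C "$chain" "$@" 2>/dev/null && iptables -t "$table" -D "$chain" "$@"
    fi
}

# Wiring into /etc/network/interfaces (run as root, DRY_RUN unset):
#   post-up   sh /root/pf.sh add
#   post-down sh /root/pf.sh del
# The rule specs are deliberately left unquoted so they word-split into arguments.
pf_main() {
    pf_apply "$1" $(masq_rule ens3 10.1.7.0/24) || return 1
    pf_apply "$1" $(pf_rule ens3 203.0.113.10 8000 10.1.7.5 8000)
}

case "${1:-}" in
    add|del) pf_main "$1" ;;
esac
```

Rules added by hand at the prompt, as in the posts below, are gone after a reboot; keeping them in post-up/post-down (or a script called from there) is what makes the forward persistent. The `-C` check before `-A` matters for the same reason: ifup/ifdown cycles would otherwise leave several identical DNAT entries in PREROUTING.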
***edit***
I found the problem. I was still connected via VPN. Without it, it works :) ... thank you oguz!
***

My /etc/network/interfaces now looks like this.
Bash:
[...]
auto vmbr1
iface vmbr1 inet static
        address  10.1.7.1
        netmask  255.255.255.0
        network  10.1.7.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.1.7.0/24' -o ens3 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.1.7.0/24' -o ens3 -j MASQUERADE
        post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
        post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

I did
Bash:
iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 8000 -j DNAT --to 10.1.7.5:8000

iptables -t nat -L -n -v
Bash:
Chain PREROUTING (policy ACCEPT 2 packets, 80 bytes)
pkts bytes target     prot opt in     out     source               destination       
    0     0 DNAT       tcp  --  ens3   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8000 to:10.1.7.5:8000

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination       

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination       

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination       
    0     0 MASQUERADE  all  --  *      ens3    10.1.7.0/24          0.0.0.0/0



The Apache test page can be accessed if connected via OpenVPN [10.1.7.5:8000].
Port 8000 is open in the Proxmox firewall.
I still can't access the test page via PUBLICIP_1:8000 or PUBLICDOMAIN:8000. The PVE host can be accessed via ssh -p XXXX xxx@PUBLICDOMAIN.