[SOLVED] Linux Bridge on a public address

[DANILO MONTAGNA]

For your information, here is my final configuration with an example of port forwarding to one of my VMs. I hope everything will be fine. Thank you again for your help

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual

# interface iface - public address interfae bridge
auto vmbr0
iface vmbr0 inet static
address 185.246.xx.xxx
netmask 255.255.255.0
gateway 185.246.xx.x
broadcast 185.246.xx.xxx
network 185.246.xx.x
bridge_ports eth0
bridge_stp off
bridge_fd 0

# internal iface - used to bridge VMs with invalid address with NAT
auto vmbr2
iface vmbr2 inet static
address 10.0.0.1
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0
post-up iptables -A POSTROUTING -t nat -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
post-up iptables -A POSTROUTING -t mangle -p udp --dport bootpc -j CHECKSUM --checksum-fill
post-up iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
post-up iptables -t nat -A PREROUTING -p tcp --dport 23 -i vmbr0 -d 185.246.xx.xxx -j DNAT --to 10.0.0.11:22
post-up iptables -A FORWARD -p tcp --dport 23 -i vmbr0 -d 10.0.0.11 -j ACCEPT
post-down iptables -t filter -F
post-down iptables -t nat -F
post-down iptables -t mangle -F

Everything is fine*, my only advice is to not publish port 23 for outside, this port is frequently used for a lot kind of attacks, like DoS, portScan, etc... modify it for anything like 2222.

* Also, flushing the entire filter table of iptables on interface shutdown can lead to other side effects!! a lot of rules are created automatically by proxmox on filter table.

 

[MarOwN]

Like this ?

post-up iptables -A POSTROUTING -t nat -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
post-up iptables -A POSTROUTING -t mangle -p udp --dport bootpc -j CHECKSUM --checksum-fill
post-down iptables -D POSTROUTING -t nat -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -D POSTROUTING -t mangle -p udp --dport bootpc -j CHECKSUM --checksum-fill
post-up iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
post-down iptables -D FORWARD -s 10.0.0.0/24 -j ACCEPT
post-up iptables -t nat -A PREROUTING -p tcp --dport 2xxx -i vmbr0 -d 185.246.87.214 -j DNAT --to 10.0.0.11:22
post-up iptables -A FORWARD -p tcp --dport 2xxx -i vmbr0 -d 10.0.0.11 -j ACCEPT
post-down iptables -D FORWARD -p tcp --dport 23 -i vmbr0 -d 10.0.0.11 -j ACCEPT

 

[DANILO MONTAGNA]

Like this ?

Not Really!!

You have to use the REAL port (22) on FORWARD chain, not the prerouting port (2xxx).

Your internal server does not listen on 2xxx, that's why you need to use the REAL port on FORWARD chain..

 

[MarOwN]

Okay, it's edited! However, are the post-down rules correctly made?

 

[DANILO MONTAGNA]

Okay, it's edited! However, are the post-down rules correctly made?

Yep!! just be in mind that for each -A rule you must have a -D rule to maintain the filter chain always clean.. (Append/Delete)