Masquerading (NAT) with iptables and multiple public IPs

Al3c5
Aug 16, 2021
Hi guys,

I have a server with 1 physical interface and 2 IPs. I'd like to use 1 bridge+NAT per public IP.

I use the following /etc/network/interfaces:

Code:
# The primary network interface
auto eno1
iface eno1 inet static
        address 193.161.118.14/24
        gateway 193.161.118.1


# 2nd interface
auto eno1:0
iface eno1:0 inet static
        address 193.161.118.25/24
#        gateway 193.161.118.1




auto vmbr0
iface vmbr0 inet static
        address 10.10.10.99/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

        post-up  echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up  iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE

auto vmbr1
iface vmbr1 inet static
        address 10.10.11.99/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

        post-up  echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up  iptables -t nat -A POSTROUTING -s '10.10.11.0/24' -o eno1:0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.11.0/24' -o eno1:0 -j MASQUERADE

Also, here is my /etc/ufw/before.rules config:

Code:
#NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic through eth0 - Change to public network interface
-F POSTROUTING
-A POSTROUTING -s 10.10.10.0/24 -o eno1  -j MASQUERADE
-A POSTROUTING -s 10.10.11.0/24 -o eno1:0  -j MASQUERADE

#setup VMs port forwarding
:PREROUTING ACCEPT [0:0]
-F PREROUTING

Subnet 10.10.10.0/24 works, while subnet 10.10.11.0/24 can't reach the internet (but it can ping any VM in 10.10.10.0/24 and 10.10.11.0/24).

I tried adding the gateway to the alias eno1:0 => exactly the same result.

How can I solve this problem?
 
I made it work with 1 bridge:

Code:
auto vmbr0
iface vmbr0 inet static
        address 10.10.10.99/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

        post-up  echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up  iptables -t nat -A POSTROUTING -s '10.10.10.0/29' -o eno1 -j  SNAT --to-source 111.111.198.14
        post-up  iptables -t nat -A POSTROUTING -s '10.10.10.8/29' -o eno1 -j  SNAT --to-source 111.111.198.24
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/29' -o eno1 -j  SNAT --to-source 111.111.198.14
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.8/29' -o eno1 -j  SNAT --to-source 111.111.198.24

and by replacing MASQUERADE with SNAT (not sure it works without that):

Code:
-F POSTROUTING

-A POSTROUTING -s 10.10.10.0/29 -o eno1  -j SNAT --to-source 111.111.198.14
-A POSTROUTING -s 10.10.10.8/29 -o eno1  -j SNAT --to-source 111.111.198.24

-F PREROUTING
-A PREROUTING -i eno1 -d 111.111.198.14 -p tcp --dport 11080 -j DNAT --to-destination 10.10.10.1:80
-A PREROUTING -i eno1 -d 111.111.198.24 -p tcp --dport 11080 -j DNAT --to-destination 10.10.10.8:80
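The per-subnet SNAT the thread ends up with, generalized to an explicit subnet-to-public-IP mapping plus a check for NAT rules that name an alias device, as an added example (this is not the poster's configuration; the device name eno1, the guest subnets and the public IPs are assumed from the thread, and the iptables-save sample is constructed):

```shell
#!/bin/sh
# Added example (not from the thread): per-subnet source NAT behind two public
# IPs on one physical interface, with a check for the trap the thread ran into.
# Assumptions (constructed): physical device eno1, the subnets and public IPs
# from the thread. DRY_RUN=1 (default) only prints the rules; DRY_RUN=0 applies
# them with iptables and therefore needs root.

IFACE="${IFACE:-eno1}"
DRY_RUN="${DRY_RUN:-1}"

# Map each guest subnet to the public address its traffic should leave from.
# Constructed mapping; one line per subnet, "subnet=public_ip".
NAT_MAP='10.10.10.0/24=111.111.198.14
10.10.11.0/24=111.111.198.24'

# is_real_iface NAME: succeed unless NAME is an ifconfig-style alias such as
# eno1:0. An alias is a label on a secondary address, not a kernel device, so
# an iptables "-o eno1:0" rule never matches: packets from that subnet leave
# eno1 with a private source address and are dropped upstream.
is_real_iface() {
    case "$1" in
        *:*) return 1 ;;
        *)   return 0 ;;
    esac
}

# snat_rule SUBNET PUBLIC_IP: one POSTROUTING rule. SNAT is used instead of
# MASQUERADE because MASQUERADE always picks the primary address of the
# outgoing device; SNAT lets each subnet be mapped to a specific public IP.
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
        "$1" "$IFACE" "$2"
}

# build_rules: emit one SNAT command per mapping; refuse alias device names.
build_rules() {
    is_real_iface "$IFACE" || {
        echo "refusing alias device '$IFACE': use the physical device instead" >&2
        return 1
    }
    printf '%s\n' "$NAT_MAP" | while IFS='=' read -r subnet pub; do
        [ -n "$subnet" ] && snat_rule "$subnet" "$pub"
    done
}

# find_alias_rules: read iptables-save output on stdin and print any rule
# whose -i/-o refers to an alias name; such rules silently never match.
find_alias_rules() {
    grep -E -e '-[io] [^ ]+:[0-9]+' || true
}

# apply_rules: enable forwarding and run the generated commands (root only).
apply_rules() {
    sysctl -q -w net.ipv4.ip_forward=1
    build_rules | while IFS= read -r cmd; do
        $cmd
    done
}

# Constructed sample of what "iptables-save -t nat" shows with the rules from
# the first post in this thread; the second rule is the one that never matches.
SAMPLE_NAT_TABLE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o eno1 -j MASQUERADE
-A POSTROUTING -s 10.10.11.0/24 -o eno1:0 -j MASQUERADE
COMMIT'

if [ "$DRY_RUN" = 1 ]; then
    echo "# rules that would be applied:"
    build_rules
    echo "# rules in the sample table that reference an alias device:"
    printf '%s\n' "$SAMPLE_NAT_TABLE" | find_alias_rules
else
    apply_rules
fi
```

Run it as-is to see the generated rules and the offending sample rule; run with `DRY_RUN=0` as root to apply them. The mapping is arbitrary: the thread splits one /24 into two /29 halves, but any subnet can be paired with any of the host's public addresses. The check matters because iptables accepts `-o eno1:0` without complaint, so the only symptom of the mistake is the one the thread describes: one subnet simply has no internet. Comparing `iptables-save -t nat` against `ip -br link` (which lists real devices only) gives the same answer for a live host.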
 
