Masquerading through Proxmox IP

lrzxft

New Member
Jun 9, 2024
I'm pretty new to Proxmox (I've successfully set it up before but not using masquerading). I'm trying to set the network up so that all of the traffic is routed from the Proxmox IP to one of the VMs which is running HAProxy, so that it can send that traffic on to whatever backend should handle that request.

I have the following IP Tables:

Code:
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             10.0.0.2             tcp dpt:https state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  10.0.0.2             anywhere             tcp spt:https state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             10.0.0.2             tcp dpt:https state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             10.0.0.2             tcp dpt:https
ACCEPT     tcp  --  10.0.0.2             anywhere             tcp spt:https

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Code:
iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     6    --  0.0.0.0/0            10.0.0.2             tcp dpt:443 state NEW,RELATED,ESTABLISHED
ACCEPT     6    --  10.0.0.2             0.0.0.0/0            tcp spt:443 state RELATED,ESTABLISHED
ACCEPT     6    --  0.0.0.0/0            10.0.0.2             tcp dpt:443 state NEW,RELATED,ESTABLISHED
ACCEPT     6    --  0.0.0.0/0            10.0.0.2             tcp dpt:443
ACCEPT     6    --  10.0.0.2             0.0.0.0/0            tcp spt:443

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

10.0.0.2 is the HAProxy server that requests should be sent to, and then the response should be sent back to the user. For some reason, it doesn't seem to be working properly, though. If I ping something like 1.1.1.1 from one of the VMs, I can get a response, but if I try to curl something like "https://google.com" it doesn't do anything and eventually it errors out saying that the network is unreachable?

Can anyone spot anything obvious that I'm doing wrong? I don't really know much about networking. I have port forwarding working, and it seems to all work fine pinging IPs, but when trying to curl something it just fails. This is causing issues as I can't use apt-update or anything.
 
I've somewhat tracked the source of my problem but I'm not sure what the solution is. I deleted all the IP table rules.

Adding:

sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o enp0s31f6 -j MASQUERADE
works fine, now VMs can curl https, etc.

But when trying to specify that traffic received on 443 should go to 10.0.0.2:443:

sudo iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to-destination 10.0.0.2:443

This causes the issues and I can no longer curl https from any of my VMs?
 
Looking at your MASQUERADE rule, I think your HAProxy rule should be:

Code:
sudo iptables -t nat -A PREROUTING -i enp0s31f6 -p tcp --dport 443 -j DNAT --to-destination 10.0.0.2:443
 
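Why the interface matters, as an added example that is not part of the thread: PREROUTING with `-i vmbr0` matches packets arriving from the VMs on the bridge, so their own outbound port-443 connections get rewritten to 10.0.0.2, while `-i enp0s31f6` only matches traffic arriving from outside. The sketch below checks a nat table for that mismatch; the helper name `check_dnat_iface` is hypothetical, the sample rules are constructed from the commands quoted above, and it assumes a single MASQUERADE rule with one WAN interface.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Checks that every PREROUTING DNAT rule
# matches on the same interface the MASQUERADE rule sends traffic out of.

# Constructed samples in `iptables-save -t nat` format, built from the
# commands quoted in the thread.
BROKEN_RULES='*nat
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.2:443
-A POSTROUTING -s 10.0.0.0/24 -o enp0s31f6 -j MASQUERADE
COMMIT'
FIXED_RULES='*nat
-A PREROUTING -i enp0s31f6 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.2:443
-A POSTROUTING -s 10.0.0.0/24 -o enp0s31f6 -j MASQUERADE
COMMIT'

# check_dnat_iface (hypothetical helper): reads nat-table rules on stdin,
# prints OK/MISMATCH per DNAT rule, returns 1 on any mismatch and 2 when
# there is no MASQUERADE rule to compare against.
check_dnat_iface() {
    awk '
    # Value following an option flag in the current rule, or "" if absent.
    function opt(flag,    i) {
        for (i = 1; i < NF; i++) if ($i == flag) return $(i + 1)
        return ""
    }
    $1 == "-A" && $2 == "POSTROUTING" && opt("-j") == "MASQUERADE" { wan = opt("-o") }
    $1 == "-A" && $2 == "PREROUTING"  && opt("-j") == "DNAT" {
        n++; dnat_if[n] = opt("-i"); dnat_rule[n] = $0
    }
    END {
        if (wan == "") { print "UNKNOWN  no MASQUERADE -o interface found"; exit 2 }
        bad = 0
        for (k = 1; k <= n; k++) {
            if (dnat_if[k] == wan) print "OK       " dnat_rule[k]
            else { print "MISMATCH " dnat_rule[k] " (expected -i " wan ")"; bad = 1 }
        }
        exit bad
    }'
}

# Demo on the constructed samples.
printf '%s\n' "$BROKEN_RULES" | check_dnat_iface || echo "-> DNAT rule is not bound to the WAN interface"
printf '%s\n' "$FIXED_RULES"  | check_dnat_iface && echo "-> DNAT only matches traffic arriving on the WAN side"
```

On a live host the same function can read the output of `iptables-save -t nat` instead of the samples.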
