Nat and datacenter firewall

KingLlama

Member
Apr 18, 2021
I'm running into an issue with Proxmox firewalls.
I turned on the firewall on the datacenter, node, and VM side of things and created a port accept on incoming to 8006. I also have a bridge vmbr0 to eno1 to a public IP.

I also have a vmbr1 IP of 192.168.10.0/24 with a gateway of 192.168.10.100. I use .175 for my VM. I'm not able to access the Internet on that VM at all, even though I accepted ports 80 and 443 on each layer.

Maybe I am misunderstanding something on it. Do I need to NAT the private IP, or do I need to add the destination to the firewall rules?
 
Is 192.168.10.100 a router doing NAT, or why do you set it as the gateway? You need to somehow route between the private IPs and the public IP if you want to access the internet.
 
I understand. I'm using a 207.x.x.x on vmbr0 and then using vmbr1 to bridge to vmbr0, and eno1 is the physical interface. I'm running into an issue with it not hitting the 207.x.x.x gateway.
 
It would be good if you could post the contents of your /etc/network/interfaces file, in code blocks and with parts of your public IP edited out.
 
Here it is.

Code:
auto lo
iface lo inet loopback

iface eno1 inet manual

iface eno2 inet manual

iface eno3 inet manual

iface eno4 inet manual

auto vmbr0
iface vmbr0 inet static
address 207.x.x.138/29
gateway 207.x.x.142
bridge-ports eno1
bridge-stp off
bridge-fd 0

auto vmbr1
iface vmbr1 inet static
address 192.168.10.100/24
bridge-ports none
bridge-stp off
bridge-fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '192.168.10.0/24' -o eno1 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.10.0/24' -o eno1 -j MASQUERADE

post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 2222 -j DNAT --to 192.168.10.160:22
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 2222 -j DNAT --to 192.168.10.160:22
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 7777 -j DNAT --to 192.168.10.160:7777
# post-down must delete (-D) the rule; the original had -A here, which re-adds it on ifdown
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 7777 -j DNAT --to 192.168.10.160:7777

auto vmbr2
iface vmbr2 inet static
address 207.x.x.139/29
bridge-ports none
bridge-stp off
bridge-fd 0
 
First: it might be good to censor the IP address on vmbr2.

Also I think you should alter the NAT rule so that it applies to the interface vmbr0 and not eno1:
Code:
post-up   iptables -t nat -A POSTROUTING -s '192.168.10.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.10.0/24' -o vmbr0 -j MASQUERADE
 
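The two problems visible in this thread (a MASQUERADE rule whose -o names the enslaved port eno1 rather than the bridge vmbr0 that actually carries the egress route, and a post-down line that uses -A instead of -D) can be caught mechanically. The following POSIX shell lint is an added example, not code from the thread or from Proxmox; the function names and the sample stanza are constructed for it.

```shell
# lint_interfaces FILE: print one finding per line (no output = clean).
# Checks the post-up/post-down iptables lines of an interfaces file for:
#  - post-up not using -A, or post-down not using -D (a post-down with -A
#    re-adds the rule on ifdown and never removes it)
#  - a post-up rule with no matching post-down twin
#  - MASQUERADE -o naming a bridge's enslaved port (from bridge-ports) instead
#    of the bridge: routed egress is the bridge, so such a rule never matches
lint_interfaces() {
    awk '
    $1 == "iface" { cur = $2 }
    $1 == "bridge-ports" { for (i = 2; i <= NF; i++) if ($i != "none") owner[$i] = cur }
    ($1 == "post-up" || $1 == "post-down") && $2 == "iptables" {
        act = ""; key = ""; oif = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-A" || $i == "-D") { act = $i; continue }
            if ($i == "-o" && i < NF) oif = $(i + 1)
            key = key " " $i
        }
        want = ($1 == "post-up") ? "-A" : "-D"
        if (act != want) printf "line %d: %s uses %s, expected %s\n", NR, $1, act, want
        if ($1 == "post-up") up[key]++; else down[key]++
        if ($1 == "post-up" && key ~ /MASQUERADE/ && (oif in owner))
            printf "line %d: MASQUERADE -o %s is a port of bridge %s; use -o %s\n", NR, oif, owner[oif], owner[oif]
    }
    END { for (k in up) if (!(k in down)) printf "no post-down counterpart for:%s\n", k }
    ' "$1"
}
# count_findings FILE: number of findings, 0 when clean
count_findings() { lint_interfaces "$1" | wc -l | tr -d ' '; }

# Constructed sample reproducing the stanza posted above (public IP masked as in the post)
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
auto vmbr0
iface vmbr0 inet static
    address 207.x.x.138/29
    gateway 207.x.x.142
    bridge-ports eno1

auto vmbr1
iface vmbr1 inet static
    address 192.168.10.100/24
    bridge-ports none
    post-up   iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eno1 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s 192.168.10.0/24 -o eno1 -j MASQUERADE
    post-up   iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 7777 -j DNAT --to 192.168.10.160:7777
    post-down iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 7777 -j DNAT --to 192.168.10.160:7777
EOF
lint_interfaces "$SAMPLE"   # two findings: the eno1 MASQUERADE target and the post-down that re-adds
```

Applying the thread's advice (-o vmbr0) and changing the last post-down to -D brings the finding count to zero.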
So I updated the configuration to be vmbr0. I see it trying to get DNS. Maybe I am doing something wrong. I turned the firewall back on and the VM is saying there is no internet. When the firewall is off it says there is internet but isn't able to reach DNS, even though I have DNS programmed into the network interface on the VM and the node firewall.


I also just tested with nmap, with the firewall on and off.

Firewall on

-bash-4.3$ nmap 207.x.x.138-142

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2022-11-03 10:42 PDT
Interesting ports on 207.x.x.139:
(The 1649 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
22/tcp open ssh
43/tcp closed whois
80/tcp closed http
443/tcp closed https
5900/tcp closed vnc
5901/tcp closed vnc-1
5902/tcp closed vnc-2
5903/tcp closed vnc-3
5977/tcp closed ncd-pref-tcp
5978/tcp closed ncd-diag-tcp
5979/tcp closed ncd-conf-tcp
5997/tcp closed ncd-pref
5998/tcp closed ncd-diag
5999/tcp closed ncd-conf

Nmap finished: 5 IP addresses (2 hosts up) scanned in 12.341 seconds

Firewall Off

-bash-4.3$ nmap 207.x.x.138-142

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2022-11-03 10:38 PDT
Interesting ports on 207.x.x.139:
(The 1660 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
3128/tcp open squid-http

Interesting ports on 207.x.x.142:
(The 1658 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
23/tcp filtered telnet
179/tcp open bgp
199/tcp open smux
830/tcp filtered unknown


[Attached screenshots: Firewallnode.png, Firewall Datacenter.png]
 
