NAT not working

justjosh (Active Member), Nov 4, 2019
Trying to forward a port from the host IP to a VM but traffic isn't going through.
tcpdump on the VM shows the packets coming through but the reply doesn't seem to be going back to the source.
nmap shows the host port is closed while the VM port is open.

Host /etc/network/interfaces (vmbr0 holds the public IP):

Code:
auto vmbr0
iface vmbr0 inet dhcp
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0

auto vmbr3
iface vmbr3 inet static
        address 192.168.99.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '192.168.99.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '192.168.99.0/24' -o vmbr0 -j MASQUERADE
        post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
        post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

Host iptables:
Code:
root@ba1:~# iptables -t nat -v -L --line-number
Chain PREROUTING (policy ACCEPT 772 packets, 73559 bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1        0     0 DNAT       tcp  --  vmbr0  any     anywhere             anywhere             tcp dpt:10122 to:192.168.99.2:22
2        0     0 DNAT       tcp  --  vmbr0  any     anywhere             anywhere             tcp dpt:10180 to:192.168.99.2:80

Chain INPUT (policy ACCEPT 644 packets, 32375 bytes)
num   pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 1829 packets, 111K bytes)
num   pkts bytes target     prot opt in     out     source               destination        

Chain POSTROUTING (policy ACCEPT 1829 packets, 111K bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1        0     0 MASQUERADE  all  --  any    vmbr0   192.168.99.0/24      anywhere          
2        0     0 MASQUERADE  all  --  any    vmbr0   192.168.99.0/24      anywhere
 
Hello,

is that the whole output? Your iptables DNAT rule shows the interface vmbr1 but you mentioned that the public IP is on vmbr0.

Kind regards,
Benedikt
 
Hi,
did you also set up a rule for the forwarded traffic to be accepted? E.g.
Code:
iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 10122 -j DNAT --to 192.168.99.2:22
iptables -A FORWARD -p tcp -d 192.168.99.2 --dport 22 -j ACCEPT
 
Hi,
did you also set up a rule for the forwarded traffic to be accepted? E.g.
Code:
iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 10122 -j DNAT --to 192.168.99.2:22
iptables -A FORWARD -p tcp -d 192.168.99.2 --dport 22 -j ACCEPT
Isn't this covered by this?
Code:
        post-up   iptables -t nat -A POSTROUTING -s '192.168.99.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '192.168.99.0/24' -o vmbr0 -j MASQUERADE
which translates to this:
Code:
Chain POSTROUTING (policy ACCEPT 1829 packets, 111K bytes)
num   pkts bytes target     prot opt in     out     source               destination       
1        0     0 MASQUERADE  all  --  any    vmbr0   192.168.99.0/24      anywhere         
2        0     0 MASQUERADE  all  --  any    vmbr0   192.168.99.0/24      anywhere
Anyway, I'm seeing the pkts/bytes increase for both PREROUTING and POSTROUTING but the traffic doesn't seem to be reaching the final destination (tested with both SSH and HTTP).
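As an added example (not code from the thread, from Proxmox, or from either poster), the following POSIX shell script installs the forward the way the second reply suggests: a DNAT in the nat table plus explicit ACCEPT rules in the filter table's FORWARD chain. It assumes the poster's values (vmbr0 as the public bridge, 192.168.99.0/24 behind vmbr3, the VM at 192.168.99.2) and uses a DRY_RUN variable of its own to print the commands instead of running them. The distinction it illustrates is the one behind "Isn't this covered by this?": MASQUERADE lives in nat/POSTROUTING and only rewrites source addresses, while the decision whether a forwarded packet is allowed through at all is taken in filter/FORWARD, a chain that `iptables -t nat -v -L` never lists. Rising counters on the nat rules therefore do not show that the packet survived FORWARD.

```shell
#!/bin/sh
# Added example, not from the thread: an idempotent DNAT port-forward setup for
# a Proxmox-style host. Assumed values (taken from the poster's layout): public
# bridge vmbr0, VM bridge subnet 192.168.99.0/24, target VM 192.168.99.2.
# Set DRY_RUN=1 to print the iptables command lines instead of executing them.

# run_ipt: execute iptables, or echo the command line when DRY_RUN is set.
run_ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# add_rule TABLE CHAIN MATCH...: append the rule only if `iptables -C` reports it
# absent, so re-running (e.g. a second post-up) does not create duplicate
# entries like the two identical MASQUERADE rules in the poster's listing.
add_rule() {
    table="$1"; shift
    if [ -z "${DRY_RUN:-}" ] && iptables -t "$table" -C "$@" 2>/dev/null; then
        return 0
    fi
    run_ipt -t "$table" -A "$@"
}

# masquerade LAN_SUBNET WAN_IF: nat/POSTROUTING source rewrite for VM egress.
# This is the rule the poster already has; it only changes source addresses.
masquerade() {
    add_rule nat POSTROUTING -s "$1" -o "$2" -j MASQUERADE
}

# forward_port WAN_IF EXT_PORT VM_IP VM_PORT: nat/PREROUTING DNAT plus the
# filter/FORWARD accepts. The DNAT only rewrites the destination; whether the
# rewritten packet may be forwarded at all is decided in the filter table's
# FORWARD chain, which is what the second reply in the thread asked about.
forward_port() {
    wan_if="$1"; ext_port="$2"; vm_ip="$3"; vm_port="$4"
    add_rule nat PREROUTING -i "$wan_if" -p tcp --dport "$ext_port" \
        -j DNAT --to-destination "$vm_ip:$vm_port"
    # inbound: new connections to the VM's service port
    add_rule filter FORWARD -i "$wan_if" -p tcp -d "$vm_ip" --dport "$vm_port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    # return path: only packets belonging to an already tracked connection
    add_rule filter FORWARD -o "$wan_if" -p tcp -s "$vm_ip" --sport "$vm_port" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# rule_count WAN_IF EXT_PORT VM_IP VM_PORT: number of commands forward_port
# issues on a clean host (3: one DNAT and two FORWARD accepts).
rule_count() {
    ( DRY_RUN=1; forward_port "$@" ) | wc -l | tr -d ' '
}

# Apply for real only when invoked as: sh forward.sh apply
if [ "${1:-}" = "apply" ]; then
    sysctl -w net.ipv4.ip_forward=1
    masquerade 192.168.99.0/24 vmbr0
    forward_port vmbr0 10122 192.168.99.2 22
    forward_port vmbr0 10180 192.168.99.2 80
fi
```

Run it as `sh forward.sh apply` on the host to install the rules; afterwards `iptables -v -n -L FORWARD` shows whether the forwarded packets are actually being accepted, and a FORWARD policy of DROP with zero hits on the ACCEPT rules is the place to look when the nat counters rise but nothing reaches the VM. The `-C` check keeps the script idempotent, which also avoids the doubled MASQUERADE entries visible in the POSTROUTING listing above.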
 
Hello,

is that the whole output? Your iptables DNAT rule shows the interface vmbr1 but you mentioned that the public IP is on vmbr0.

Kind regards,
Benedikt
It was a typo that I quickly fixed. No difference.
 
