Need to restart physical host each time I add a port forwarding entry in /etc/network/interfaces.

[guillaumesoucy]

Hi everyone,

Each time I add a port forwarding entry in /etc/network/interfaces, after restarting the networking service service networking restart, the port forwarding entry who are already there stop working and I need to reboot the entire physical host to get them working again and the new one as well.

What to do to avoid to be needed to restart the entire host?

Thanks,

Guillaume

 

[guillaumesoucy]

May I please have some help? I will appreciate.

Thanks!

 

[LnxBil]

I always add the forwarding entry to the network configuration file and run it manually without restarting the network.

 

[guillaumesoucy]

What do you mean by "run it"? I just need to reload it by doing this?

service networking reload

 

[LnxBil]

If you use a setup similar to this https://pve.proxmox.com/wiki/Network_Model#Masquerading_.28NAT.29_with_iptables, you just have to run the command

iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE

If you run a post-up line to the configuration, run it without the post-up text and you're golden.

 

[Guillaume Soucy]

Its doesn't work yet. This is my /etc/network/interfaces file:

auto lo
iface lo inet loopback

iface enp4s0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.2.14
        netmask 255.255.0.0
        network 192.168.0.0
        broadcast 192.168.2.255
        gateway 192.168.2.0
        bridge_ports enp4s0
        bridge_stp off
        bridge_fd 0

auto vmbr2
iface vmbr2 inet static
    address 10.21.21.254
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0

    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '10.21.21.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.21.21.0/24' -o vmbr0 -j MASQUERADE
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 41000 -j DNAT --to 10.21.21.100:22
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 41000 -j DNAT --to 10.21.21.100:22
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 40000 -j DNAT --to 10.21.21.100:8000
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 40000 -j DNAT --to 10.21.21.100:8000
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 41001 -j DNAT --to 10.21.21.101:22
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 41001 -j DNAT --to 10.21.21.101:22
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 40001 -j DNAT --to 10.21.21.101:8000
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 40001 -j DNAT --to 10.21.21.101:8000

If I restart the network service

/etc/init.d/networking restart

I lost access to my VMs when trying to access them by SSH I got an error:

ssh: connect to host 192.168.2.14 port 41000: No route to host

and when going to them using console, I find them without network access, I can't ping 8.8.8.8 as example.

Also, when removing the "post-up" I got that error:

ssh: connect to host 192.168.2.14 port 41000: Connection refused

But, if I reboot the entire physical host, I regain access to the VMs until I have more entry to add in the /etc/network/interfaces file , at that time if I restart the network service I lost access again to my VMs and I need to reboot the physical host to retrieve access to them.


Thanks for you help!


Guillaume

 

[LnxBil]

Problem with this is that if one rule generates an error, the interface is not marked as up or down. If you want to test rules, just copy&paste (without post-up / post-down) in your shell. Normally I do not use post-down, because I do not down my interfaces, I clean up manually this is less error prone and you do not end up with a system you cannot login to. I also never do network restart on a non-local machine.