No more nat/masquerading after firewall usage

D

davidweil

New Member
Jan 15, 2020
3
1
1
47
Hello!

I'm using proxmox 6.1-5 in a debian 10 (buster). Current kernel:
Linux power 5.3.13-1-pve #1 SMP PVE 5.3.13-1 (Thu, 05 Dec 2019 07:18:14 +0100) x86_64 GNU/Linux
It is just setup, and I pretend to run mostly containers. We have only one ip (v4) address (and also ipv6 is configured).

Our intention is to run containers with a NATed network. For that we followed: https://pve.proxmox.com/wiki/Network_Configuration
section: Masquerading (NAT) with iptables.

When I boot up the server, firewall is disabled.
I run a container and I'm able to ping 8.8.8.8 (and also to access udp-tcp ports on the internet).

Then if I turn node firewall on and then off (via web interface) I can no longer access internet from inside the containers.

I've check and the list of rules present on each iptables' table are the same than previous to my interaction with the firewall.

How is it possible? any idea?

Ideally I'd like to have the firewall setup to only access ssh port but still allow masquerading and forwarding do their job to allow NAT in the containers.

Any idea is welcome,
Thanks!

ps: if required I can post my exact network configuration but is a clone from the one in the section mentioned above with our ip (v4)
 
  • Like
Reactions: mshannaq
Hi,

NAT and firewall are not compatible.
The problem is that the firewall creates its own bridge where the nat does not apply.
I would recommend a router VM/CT.
 
wolfgang said:
NAT and firewall are not compatible.
The problem is that the firewall creates its own bridge where the nat does not apply.
I would recommend a router VM/CT.
Click to expand...

Wolfgang, thank you very much for your answer!

Indeed what I needed was to make firewall and masquerading work together although my question was why it kept failing after I turned firewall off.

I'm not good with these configurations and I'm worse when having to configure this in a remote server. Is the section "routed configuration" in the mentioned link the base for the router VM/CT ? Or is there some sample network configuration for that scheme ?

Thanks,
david
 
SunBlack said:
What is is the opposite of this? So I can add a `post-down` event?
Click to expand...

Code: 
post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back