[SOLVED] Port forwarding problems in Proxmox (Kimsufi) with a Debian Stretch (9.9) as VM

z3nth10n

Mar 26, 2019
Recently I hired a Kimsufi server to host certain websites and services.
I have had constant problems configuring the network interfaces and the port forwarding.

The system is configured using Proxmox (5.4-11) as the host and Debian as the VM guest. I created a virtual interface (vmbr1), to which the Debian 9.9 VM, with a static IP configuration (192.168.x.55), is connected.

I tried to forward ports without luck. I searched lots of help topics on this forum, Stack Overflow and the OVH forums, and found nothing.

pveversion:

Code:
pve-manager/5.4-11/6df3d8d0 (running kernel: 4.15.18-18-pve)

This is my /etc/network/interfaces configuration:

Code:
auto lo
iface lo inet loopback

iface enp4s0 inet manual

iface enp5s0 inet manual

auto vmbr0
iface vmbr0 inet static
        address <public_ip>
        netmask 24
        gateway <public_gateway>
        bridge-ports enp4s0
        bridge-stp off
        bridge-fd 0

auto vmbr1
iface vmbr1 inet static
        address 192.168.x.xx
        netmask 24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '192.168.x.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '192.168.x.0/24' -o vmbr0 -j MASQUERADE
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.x.55:80
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.x.55:80
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 2222 -j DNAT --to 192.168.x.55:22
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 2222 -j DNAT --to 192.168.x.55:22

Where 192.168.x.xx is the IP of vmbr1, and 192.168.x.55 is the IP of Debian.

The thing is that when I do ifdown vmbr1; ifup vmbr1 to reload that config, everything seems to work well.

This message is printed:

Waiting for vmbr1 to get ready (MAXWAIT is 2 seconds).

If I ping the VM (192.168.x.55) it answers; if I ping 8.8.8.8 from the VM, internet access is fine, and I can even download a package using apt-get install xxx.

But if I try to connect to the SSH service behind this machine using my public IP + port 2222 (example: 1.2.3.144:2222) it doesn't work, and I don't have any way to check what is failing... This worked before, but for some reason I broke something...

I also changed some of the parameters of the Network Device, but to make sure this wasn't what made it fail, I installed another virtual machine (using Ubuntu this time). The same thing happens: Internet/ping are fine, but I can't connect to SSH.

I would like to check more things on my Proxmox setup, but I don't know where to start.

Any guidance would be much appreciated!
 
Hi,
did you check that port 2222 is not filtered by a firewall? Maybe try with nmap: nmap IP -p 2222
 
Sorry for the late response, I think this port is used by another service:

[screenshot omitted]


For example, if I use port 22220 the SSH service works (the state is closed, the service is unknown).

But this is a problem, I can't use port 80 to redirect connections to a virtual machine that uses apache.

I didn't test it, but it looks like the (well-known) ports under 1024 are protected or something.

So what can I do?

Edit: Is any of this information useful? (https://pve.proxmox.com/wiki/Firewall#_ports_used_by_proxmox_ve)
Edit2: I have disabled all firewall rules, but the firewall is running (https://forum.proxmox.com/threads/pve-firewall-doesnt-have-any-effect.47393/#post-223463)

$ pve-firewall status

This command shows (disabled/running). I edited "/etc/network/interfaces" again to add more ports:

Code:
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.x.55:80
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.x.55:80
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 8080 -j DNAT --to 192.168.x.55:8080
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 8080 -j DNAT --to 192.168.x.55:8080

When I executed "ifdown vmbr1; ifup vmbr1" I broke everything.

When I executed "pve-firewall stop" this started to work, but when I executed "ifdown vmbr1; ifup vmbr1" again, everything stopped working.

Edit3: I know what the problem is: when I restart the interface using "ifdown vmbr1; ifup vmbr1" I need to restart the interface in the virtual machine too (I didn't know this, because I didn't expect that behavior; this didn't happen to me before).

But I still can't use port 80 or 8080... even when opening it with iptables.

Thanks! :D:D
 
From the output of nmap it does not seem that there is another service listening on port 2222. To make sure, you can list the currently listening services via netstat -tulp. Further you can use tcpdump or socat on the host and in the VM to see if the packets are routed correctly and reach your VM.
 
I used tcpdump, this was the output:

On the host machine (vmbr0 interface):

Code:
root@ns324919:~# tcpdump -i vmbr0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmbr0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:14:53.077080 IP 217.12.19.5.64327 > ns324919.ip-91-121-112.eu.http: Flags [S], seq 2643323964, win 65535, options [mss 1460,sackOK,TS val 1581565574 ecr 0,wscale 0,eol], length 0
09:14:54.094004 IP 217.12.19.5.64327 > ns324919.ip-91-121-112.eu.http: Flags [S], seq 2643323964, win 65535, options [mss 1460,sackOK,TS val 1581566592 ecr 0,wscale 0,eol], length 0
09:14:55.364256 IP 217.12.19.5.64327 > ns324919.ip-91-121-112.eu.http: Flags [S], seq 2643323964, win 65535, options [mss 1460,sackOK,TS val 1581567862 ecr 0,wscale 0,eol], length 0
09:14:56.182807 IP 217.12.19.5.61426 > ns324919.ip-91-121-112.eu.http: Flags [S], seq 3294239565, win 65535, options [mss 1460,sackOK,TS val 1581568681 ecr 0,wscale 0,eol], length 0
09:14:57.194560 IP 217.12.19.5.61426 > ns324919.ip-91-121-112.eu.http: Flags [S], seq 3294239565, win 65535, options [mss 1460,sackOK,TS val 1581569693 ecr 0,wscale 0,eol], length 0
09:14:58.464686 IP 217.12.19.5.61426 > ns324919.ip-91-121-112.eu.http: Flags [S], seq 3294239565, win 65535, options [mss 1460,sackOK,TS val 1581570963 ecr 0,wscale 0,eol], length 0
09:14:59.195785 IP ec2-35-157-32-153.eu-central-1.compute.amazonaws.com.22359 > ns324919.ip-91-121-112.eu.http: Flags [S], seq 1844909118, win 26883, options [mss 1460,sackOK,TS val 680536816 ecr 0,nop,wscale 7], length 0
09:15:00.655115 IP 217.12.19.5.59592 > ns324919.ip-91-121-112.eu.http: Flags [S], seq 3686134095, win 65535, options [mss 1460,sackOK,TS val 1581573153 ecr 0,wscale 0,eol], length 0
09:15:00.671025 IP ec2-35-157-32-153.eu-central-1.compute.amazonaws.com.56296 > ns324919.ip-91-121-112.eu.http: Flags [S], seq 2395293114, win 26883, options [mss 1460,sackOK,TS val 680091733 ecr 0,nop,wscale 7], length 0
09:15:01.670623 IP ec2-35-157-32-153.eu-central-1.compute.amazonaws.com.56296 > ns324919.ip-91-121-112.eu.http: Flags [S], seq 2395293114, win 26883, options [mss 1460,sackOK,TS val 680091983 ecr 0,nop,wscale 7], length 0
09:15:01.672906 IP 217.12.19.5.59592 > ns324919.ip-91-121-112.eu.http: Flags [S], seq 3686134095, win 65535, options [mss 1460,sackOK,TS val 1581574171 ecr 0,wscale 0,eol], length 0
09:15:02.943040 IP 217.12.19.5.59592 > ns324919.ip-91-121-112.eu.http: Flags [S], seq 3686134095, win 65535, options [mss 1460,sackOK,TS val 1581575441 ecr 0,wscale 0,eol], length 0
09:15:03.674486 IP ec2-35-157-32-153.eu-central-1.compute.amazonaws.com.56296 > ns324919.ip-91-121-112.eu.http: Flags [S], seq 2395293114, win 26883, options [mss 1460,sackOK,TS val 680092484 ecr 0,nop,wscale 7], length 0
09:15:03.734737 IP 217.12.19.5.56159 > ns324919.ip-91-121-112.eu.http: Flags [S], seq 1075425473, win 65535, options [mss 1460,sackOK,TS val 1581576233 ecr 0,wscale 0,eol], length 0
09:15:04.745806 IP 217.12.19.5.56159 > ns324919.ip-91-121-112.eu.http: Flags [S], seq 1075425473, win 65535, options [mss 1460,sackOK,TS val 1581577244 ecr 0,wscale 0,eol], length 0
09:15:06.015893 IP 217.12.19.5.56159 > ns324919.ip-91-121-112.eu.http: Flags [S], seq 1075425473, win 65535, options [mss 1460,sackOK,TS val 1581578514 ecr 0,wscale 0,eol], length 0
09:15:06.511962 IP ec2-54-170-91-116.eu-west-1.compute.amazonaws.com.42484 > ns324919.ip-91-121-112.eu.http: Flags [S], seq 906956374, win 29200, options [mss 1460,sackOK,TS val 260678133 ecr 0,nop,wscale 9], length 0
^C
17 packets captured
18 packets received by filter
0 packets dropped by kernel

The vmbr1 interface doesn't display anything.

On the virtual machine this is the output:

[screenshot omitted]


This is the output from netstat -tupl:

[screenshot omitted]


I don't see port 80 or 2222 in use.

I don't know what to do with this output. Any guidance?

Edit:

I reviewed this Stack Overflow post (https://serverfault.com/questions/343803/iptables-has-port-80-open-but-nmap-shows-it-closed) and did what it said; I checked with nmap on the virtual machine:

Code:
root@debian:~# nmap 127.0.0.1 -sS

Starting Nmap 7.40 ( https://nmap.org ) at 2019-11-18 10:59 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000080s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
631/tcp  open  ipp
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 1.66 seconds
root@debian:~# netstat -lnp | grep 80
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      808/mysqld         
tcp6       0      0 :::80                   :::*                    LISTEN      14825/apache2       
unix  2      [ ACC ]     STREAM     LISTENING     12719    808/mysqld           /var/run/mysqld/mysqld.sock
root@debian:~#

On the host machine:

Code:
root@ns324919:~# nmap -sS 127.0.0.1

Starting Nmap 7.40 ( https://nmap.org ) at 2019-11-18 11:39 UTC
Nmap scan report for localhost.localdomain (127.0.0.1)
Host is up (0.0000090s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
85/tcp   open  mit-ml-dev
111/tcp  open  rpcbind
3128/tcp open  squid-http

Nmap done: 1 IP address (1 host up) scanned in 1.66 seconds

If I scan port 80, I don't find anything:

Code:
root@ns324919:~# nmap 127.0.0.1 -p 80

Starting Nmap 7.40 ( https://nmap.org ) at 2019-11-18 12:48 UTC
Nmap scan report for localhost.localdomain (127.0.0.1)
Host is up (0.000050s latency).
PORT   STATE  SERVICE
80/tcp closed http

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds

Executing the command "netstat -lnp | grep 80" on both machines...

On the virtual machine:

Code:
root@debian:~# netstat -lnp | grep 80
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      808/mysqld         
tcp6       0      0 :::80                   :::*                    LISTEN      14825/apache2       
unix  2      [ ACC ]     STREAM     LISTENING     12719    808/mysqld           /var/run/mysqld/mysqld.sock

(Apache is running correctly)

On the host machine:

Code:
root@ns324919:~# netstat -lnp | grep 80
tcp        0      0 0.0.0.0:8006            0.0.0.0:*               LISTEN      1572/pveproxy worke
unix  2      [ ACC ]     STREAM     LISTENING     17217    980/qmeventd         /var/run/qmeventd.sock
unix  2      [ ACC ]     STREAM     LISTENING     2380     1/init               /run/rpcbind.sock
unix  2      [ ACC ]     STREAM     LISTENING     18056    991/watchdog-mux     /run/watchdog-mux.sock
unix  2      [ ACC ]     STREAM     LISTENING     34980709 1975/kvm             /var/run/qemu-server/100.vnc
unix  2      [ ACC ]     STREAM     LISTENING     23800    1665/master          private/bsmtp
unix  2      [ ACC ]     STREAM     LISTENING     23803    1665/master          private/scalemail-backend
unix  2      [ ACC ]     STREAM     LISTENING     23806    1665/master          private/mailman

But there isn't any service running on port 80. So I only need to open the ports... I forwarded them with the following configuration:

Code:
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.x.55:80
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.x.55:80

But they are still closed, so I don't know what to do...
 
Try if the following works for you (don't forget to adapt to your config according to your setup):
Code:
auto lo
iface lo inet loopback

iface ens18 inet manual

auto vmbr0
iface vmbr0 inet static
        address  <your pub ip>
        netmask  <your netmask>
        gateway  <your gateway>
        bridge-ports ens18
        bridge-stp off
        bridge-fd 0

auto vmbr1
iface vmbr1 inet static
        address  192.168.0.55
        netmask  24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '192.168.0.0/24' -o vmbr0 -j MASQUERADE
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.0.55:80
        post-up iptables -A FORWARD -p tcp -d 192.168.0.55 --dport 80 -j ACCEPT
        post-down iptables -D FORWARD -p tcp -d 192.168.0.55 --dport 80 -j ACCEPT
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.0.55:80
        post-down iptables -t nat -D POSTROUTING -s '192.168.0.0/24' -o vmbr0 -j MASQUERADE
 
Just asking, do I need to adapt the "bridge-ports ens18" part? I'm using the ens18 interface on the virtual machine.
I'll keep the "ens0p4" configuration, but I want to know.

Thanks!

Edit:

I added the two lines that were missing from my configuration (but this is still not working):

Code:
post-up iptables -A FORWARD -p tcp -d 192.168.0.55 --dport 80 -j ACCEPT
post-down iptables -D FORWARD -p tcp -d 192.168.0.55 --dport 80 -j ACCEPT

I think I need to forward apache2, installing apache2 on the host machine and using these settings:

Code:
ServerName some.domain.com
ProxyRequests on
ProxyPreserveHost on
<Proxy *>
        Order deny,allow
        Allow from all
</Proxy>
ProxyPass / http://192.168.5.55/
ProxyPassReverse / http://192.168.5.55/

I think something else is interfering with my configuration, because port 8000 works, so I don't understand what's happening.

Edit2:

nmap doesn't show port 80 as open. I think this is because I'm not using it on the host machine, but I'm not sure.
 
You will have to adapt the config to your interfaces and network addresses. If the port is listed as closed, this means no service is listening on that port and port forwarding is not working as intended.

Further you can try to check if your rules are set correctly by running iptables-save. Please post the output in code tags here.
Check if the forwarding works with socat: you can configure a port to be forwarded on the host and listen with socat on that port in the VM.
E.g. if you forward port 80 on the host to port 8080 on the VM you can check the connection via socat - TCP-LISTEN:8080 in the VM and socat - TCP:<public-ip>:80 on a client reaching your public ip. If the connection is established you should be able to send text.
If the forwarding works, the problem might be related to other configuration issues.
 
Wow, with "iptables-save" I just discovered something interesting:

Code:
root@ns324919:~# iptables-save
# Generated by iptables-save v1.6.0 on Tue Nov 19 10:51:46 2019
*filter
:INPUT ACCEPT [202272:49890663]
:FORWARD ACCEPT [85691:124917813]
:OUTPUT ACCEPT [204610:77267315]
-A FORWARD -d 192.168.x.55/32 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Tue Nov 19 10:51:46 2019
# Generated by iptables-save v1.6.0 on Tue Nov 19 10:51:46 2019
*nat
:PREROUTING ACCEPT [94210:4313781]
:INPUT ACCEPT [34936:1938777]
:OUTPUT ACCEPT [1548:76978]
:POSTROUTING ACCEPT [1835:91630]
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.x.10:80
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.x.10:22
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 22220 -j DNAT --to-destination 192.168.x.55:22
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 5555 -j DNAT --to-destination 192.168.x.55:5555
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 12679 -j DNAT --to-destination 192.168.x.55:12679
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 192.168.x.55:8000
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.x.55:80
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.x.55:8080
-A POSTROUTING -s 192.168.x.0/24 -o vmbr0 -j MASQUERADE
-A POSTROUTING -s 192.168.x.0/24 -o vmbr0 -j MASQUERADE
COMMIT
# Completed on Tue Nov 19 10:51:46 2019

As you can see I'm using two forwards for the same port (80 & 2222); this is why it didn't work.

I don't know exactly what the IP (192.168.x.10) is for; I think it was from an old machine.

I will try to remove those rules... I'm not sure how to do it. (Searching, I found "iptables -D ...", but it returns "iptables: Bad rule (does a matching rule exist in that chain?).")

EDIT:

I just removed the two lines from "/etc/iptables/routes.v4", but I don't know if the changes were applied; executing "iptables-save" again, these two rules don't appear, but I still don't have a connection (route) to 192.168.x.55...

EDIT2:

if you forward port 80 on the host to port 8080 on the VM you can check the connection via
socat - TCP-LISTEN:8080 in the VM and socat - TCP:<public-ip>:80

But this isn't logical: if port 8080 is in use by apache2, I can't use "socat - TCP-LISTEN:8080" on the VM. (It's already in use.)
 
According to the output you posted, apache2 is listening on port 80:
Code:
tcp6       0      0 :::80                   :::*                    LISTEN      14825/apache2
;)
 
Code:
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.x.55:80
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.x.55:8080
Okay, but then you seem to have no rule forwarding from port 80 to 8080. Just from 80 to 80 and 8080 to 8080 or am I missing your point here?
 
Sorry, I didn't edit the post a third time. But I can show you that my rules are also modified; output from "iptables-save" (related to this):

Code:
:POSTROUTING ACCEPT [170:10268]
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.x.10:80
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.x.10:22
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.x.55:80
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.x.55:8080
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 22220 -j DNAT --to-destination 192.168.x.55:22
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 5555 -j DNAT --to-destination 192.168.x.55:5555
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 12679 -j DNAT --to-destination 192.168.x.55:12679
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 192.168.x.55:8000
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.x.55:8080
-A POSTROUTING -s 192.168.x.0/24 -o vmbr0 -j MASQUERADE
-A POSTROUTING -s 192.168.x.0/24 -o vmbr0 -j MASQUERAD

See last line, it's applied.

But I need to remove the first two lines (I realized just now that when I changed the redirect from 8080-8080 to 80-8080 they reappeared).

I tried executing the following commands:

Code:
iptables -D PREROUTING -i vmbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.x.10:80
iptables -D PREROUTING -i vmbr0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.x.10:22

(Instead of using -A...)

But the "iptables: Bad rule (does a matching rule exist in that chain?)." error appears.
 
Okay, then there is probably your problem. This rule should not be there. Try deleting it from the nat table with
iptables -t nat -D PREROUTING -i vmbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.x.10:80
Where is this rule coming from anyway? It is (was) not in your network config...
 
Yes, the problem was there; I removed those rules and everything started to work. Thanks Chris!
 
:) nice to hear! Please make sure to clean up the config to avoid issues in the future.
 