Port Forwarding

leonidas_o

Member
Apr 17, 2022
Hiii guys,

new Proxmox user here. One of those port forwarding questions which has come up already a couple of times, but still, something seems to be missing.
I've installed Proxmox 7.1-12 on a dedicated server (one public IP). Now I'm trying to set up SSH port forwarding to a VM. I've seen some examples but still somehow I can't get it to work. The VM is a Rocky Linux (SELinux enabled), Proxmox is literally empty, except that one VM. Datacenter firewall is off. Firewall on the node is on (tried also off, same behaviour). My /etc/network/interfaces file looks like:

Code:
auto eno1
iface eno1 inet dhcp

auto eno2
iface eno2 inet manual

auto vmbr0
iface vmbr0 inet static
        address 10.2.1.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.2.1.0/24' -o eno1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.2.1.0/24' -o eno1 -j MASQUERADE
        post-up   iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 2222 -j DNAT --to 10.2.1.2:22
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 2222 -j DNAT --to 10.2.1.2:22

auto vmbr1
iface vmbr1 inet static
        address 10.2.2.1/24
        ...

The VM itself has internet access, dnf upgrade/ ping ... works fine.
Now executing ssh -p 2222 MYUSER@IPADDRESS immediately throws ssh: connect to host IPADDRESS port 2222: Connection refused. I don't see where it is blocked, nothing on the Proxmox server in journalctl, /var/log/kern.log. Nothing on the VM in /var/log/audit/audit.log | grep denied, journalctl. I also disabled LuLu (firewall) on my Mac. A regular ssh USER@IPADDRESS, so on port 22, works, I can connect to the Proxmox/Debian server without any issues. But as soon as I add -p 2222 it immediately refuses the connection.
Am I missing something?
 
well you do have DNAT --to 10.2.1.2:22 but later
auto vmbr1 iface vmbr1 inet static address 10.2.2.1/24
 
well you do have DNAT --to 10.2.1.2:22 but later
auto vmbr1 iface vmbr1 inet static address 10.2.2.1/24
vmbr1 is not used at all yet. The VM is using vmbr0. Or is my thinking completely wrong about how to use the bridges? I thought I can use e.g. vmbr0 for some VMs and vmbr1 for others, so I can split them up that way.
 
In that case try

post-up iptables -t nat -A PREROUTING -i eno1 -p tcp --dport 2222 -j DNAT --to 10.2.1.2:22
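The fix above comes down to one detail: a PREROUTING DNAT rule is matched on the interface the packet arrives on, so a rule with -i vmbr0 only sees traffic that is already on the internal bridge, never the packets coming in from the internet on eno1. Those packets then hit the host's own port 2222, where nothing listens, which is exactly the "Connection refused" the original post saw. The script below is an added example, not code from the thread or from Proxmox: it lints the post-up rules in an /etc/network/interfaces file and flags any DNAT whose -i is not the uplink. It assumes the uplink is the -o interface of the MASQUERADE rule (a convention chosen here) and builds its own constructed sample config modelled on the one in the thread.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): lint the post-up iptables rules in an
# /etc/network/interfaces file. A PREROUTING DNAT meant for traffic arriving from
# the internet must match the uplink NIC (-i eno1); a rule on the internal
# bridge (-i vmbr0) only sees packets that are already on that bridge, which is
# why the thread's original rule never fired.

# Print the uplink interface: assumed to be the -o interface of the first
# MASQUERADE rule (a convention of this script, not something the thread states).
uplink_from_config() {
  grep -E 'MASQUERADE' "$1" | sed -nE 's/.* -o ([^ ]+) .*/\1/p' | head -n1
}

# Print one "<in-iface> <dport> <target>" line per post-up DNAT rule.
dnat_rules() {
  grep -E '^[[:space:]]*post-up .*-j DNAT' "$1" \
    | sed -nE 's/.*-i ([^ ]+) .*--dport ([0-9]+) .*--to(-destination)? ([^ ]+).*/\1 \2 \4/p'
}

# Report each DNAT rule; return 1 if any rule matches an interface other than
# the uplink, printing the corrected rule next to it.
lint_dnat() {
  local file=$1 uplink bad=0 iface dport target
  uplink=$(uplink_from_config "$file")
  [ -n "$uplink" ] || { echo "no MASQUERADE rule found; cannot determine uplink" >&2; return 2; }
  while read -r iface dport target; do
    [ -n "$iface" ] || continue
    if [ "$iface" = "$uplink" ]; then
      echo "OK   --dport $dport -> $target (-i $iface is the uplink)"
    else
      echo "BAD  --dport $dport -> $target: -i $iface is not the uplink $uplink"
      echo "     use: iptables -t nat -A PREROUTING -i $uplink -p tcp --dport $dport -j DNAT --to $target"
      bad=1
    fi
  done <<EOF
$(dnat_rules "$file")
EOF
  return "$bad"
}

# Write a constructed sample config modelled on the thread's; $2 is the
# interface used in the DNAT rule's -i (vmbr0 reproduces the original mistake).
write_sample_config() {
  cat > "$1" <<EOF
auto eno1
iface eno1 inet dhcp

auto vmbr0
iface vmbr0 inet static
        address 10.2.1.1/24
        bridge-ports none
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.2.1.0/24' -o eno1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.2.1.0/24' -o eno1 -j MASQUERADE
        post-up   iptables -t nat -A PREROUTING -i $2 -p tcp --dport 2222 -j DNAT --to 10.2.1.2:22
        post-down iptables -t nat -D PREROUTING -i $2 -p tcp --dport 2222 -j DNAT --to 10.2.1.2:22
EOF
}

# Demo: lint the constructed copy of the original (broken) config.
demo_file=$(mktemp)
write_sample_config "$demo_file" vmbr0
lint_dnat "$demo_file" || echo "lint failed: at least one DNAT rule is on the wrong interface"
rm -f "$demo_file"
```

Run it against the real file with lint_dnat /etc/network/interfaces after sourcing the script. Once the rules are loaded, iptables -t nat -L PREROUTING -n -v shows a packet counter per rule; a DNAT rule whose counter stays at zero while you retry the connection is the quickest sign that its -i does not match the interface the traffic actually arrives on.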
In that case try

post-up iptables -t nat -A PREROUTING -i eno1 -p tcp --dport 2222 -j DNAT --to 10.2.1.2:22
uhhh sharp eyes @bobmc, that worked. I lost a couple of hours because of that. I really appreciate that you spent your time to help me, thank you very much.