Hello,
I have a node with one physical NIC. My config is below. I have problems with the firewall. If I enable the Proxmox Firewall, the VM packets seem to never reach my NAT rule.
On my external interface I just see the non-NATted packet:
tcpdump -i eno1 -n icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno1, link-type EN10MB (Ethernet), capture size 262144 bytes
15:12:53.248154 IP 10.4.200.19 > 8.8.8.8: ICMP echo request, id 55059, seq 1, length 64
15:12:54.268038 IP 10.4.200.19 > 8.8.8.8: ICMP echo request, id 55059, seq 2, length 64
I only have the FW Ruleset on my DataCenter level active and control inbound traffic to the node.
Any idea which Proxmox FW rule prevents the FORWARDs in the outbound direction?
OUTPUT Policy is ACCEPT (but this is more a FORWARD really)....

auto lo
iface lo inet loopback
iface lo inet6 loopback

auto eno1
iface eno1 inet static
    address 134.46.15.249
    netmask 255.255.255.224
    gateway 134.46.15.225
    # route 134.46.15.224/27 via 134.46.15.225
    up route add -net 134.46.15.224 netmask 255.255.255.224 gw 134.46.15.225 dev eno1

auto vmbr0
iface vmbr0 inet static
    address 10.4.200.1
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    ##Allow IP Forwarding
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    ##Internet 4 all VMs - Outgoing
    post-up iptables -t nat -A POSTROUTING -s '10.4.200.0/24' -o eno1 -j MASQUERADE