PROXMOX 4.4 with a single public IP, lxc container can't reach from Internet

Christopher Miller

New Member
Jan 27, 2017
Unable to connect

I have Proxmox 4.4 installed with a single public IP. I installed an lxc container with Alpine 3.4, running lighttpd on port 80. I deactivated the host and lxc container firewalls, but it cannot connect.
Error: can't connect to see the index.html file.

Or if I use ssh (after changing port 800 to 2222 on host and port on lxc container to 22):
ssh -p 2222 root@my-public-IP
no route defined.

network setup:
vmbr0 IP is my public IP, Gateway=Gateway-of-my public-IP 218.111.z.65
 

 
Have you set the right gateway in your lxc guest? It has to be 192.168.0.254.

I'd also use -d 218.10.x.y in your prerouting command to make sure the right packages are dnatted.
 
Bridges are configured correctly because I can ping the lxc-container from the host and vice versa
(ping from lxc-container to host).
I need to know the correct syntax for
ssh (from Internet to lxc-container: 192.168.0.2, public IP 218.10.111.x)
http, so use port 80 on host and port 80 in lxc-container.
The routing does not work properly because the /etc/network/interfaces configuration file
is still not correct.
Are there any tests,
route -n or whatever ...?
Thank you.
 
Your nat is wrong, you just have to use one "correct" iptables commands:

Code:
post-up iptables -t nat -A PREROUTING -d 218.10.111.101 -p tcp --dport    80 -j DNAT --to-destination 192.168.0.2:80
post-up iptables -t nat -A PREROUTING -d 218.10.111.101 -p tcp --dport   443 -j DNAT --to-destination 192.168.0.2:443
 
I still have problems connecting to lighttpd in the lxc-container running Alpine Linux 3.4, up to date.
There were some updates coming in.
The connection is actually reset. When I use ssh my connection ends up in the host system, which seems to me
an indication that the forwarding does not work properly.
Do I not need to specify the bridge in the post-up iptables line? The underlying Debian system is up to date.
The Proxmox is the original one from version 4.4:
Virtual Environment 4.4-1/eb2d6f1e
I also used netcat:
nc -zv 218.10.111.101 800 (from my notebook), I use port 800 on the pve node now .... :
218.10.111.101 800 (mdbs-daemon) open (so ok !)
But forwarding is still not working correctly.
 
When I open
http://218.10.111.101:800/
I see the ssh version ..... from Debian
and then it says "Connection reset".
With ssh I tried to connect as follows:
ssh -p 2222 root@218.10.111.101 to ssh into the lxc-container from outside (my notebook)
 
Have you removed the old iptables rules? You need to start "fresh". The rules I gave you were only for HTTP and HTTPS, so no SSH there.

Try if you have working IPv6, then you will never have any problems with IP forwarding :-D
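
The three points raised in the replies (restrict DNAT with -d, start from a clean rule set, and forward every port that should reach the container) can be checked against the hook lines in /etc/network/interfaces. This is an added example, not code from the thread: the sample lines are constructed from the thread's addresses, and the post-down lines and the list of wanted ports are assumptions.

```python
import shlex

# Constructed hook lines as they would sit under a bridge in /etc/network/interfaces.
# Addresses are the ones used in the thread; the gaps are deliberate.
SAMPLE = """\
post-up iptables -t nat -A PREROUTING -d 218.10.111.101 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80
post-down iptables -t nat -D PREROUTING -d 218.10.111.101 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80
post-up iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.0.2:443
"""

def parse_hooks(text):
    """Return (phase, argv) for each post-up/post-down iptables line."""
    hooks = []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if len(words) > 2 and words[0] in ("post-up", "post-down") and words[1] == "iptables":
            hooks.append((words[0], words[2:]))
    return hooks

def opt(argv, *names):
    """Value following the first of the given option names, or None."""
    for i, word in enumerate(argv[:-1]):
        if word in names:
            return argv[i + 1]
    return None

def audit(text, wanted_ports):
    """List problems with the DNAT hooks for the public ports we expect to forward."""
    hooks = parse_hooks(text)
    ups = [a for phase, a in hooks if phase == "post-up" and opt(a, "-j") == "DNAT"]
    # A post-down line undoes a post-up line when it is identical except -D for -A.
    downs = [["-A" if w == "-D" else w for w in a] for phase, a in hooks if phase == "post-down"]
    findings, forwarded = [], set()
    for argv in ups:
        port = opt(argv, "--dport")
        forwarded.add(port)
        if opt(argv, "-d", "--destination", "-i", "--in-interface") is None:
            findings.append(f"port {port}: no -d/-i match, DNAT applies to traffic for any address")
        if argv not in downs:
            findings.append(f"port {port}: no matching post-down -D, ifdown leaves the rule loaded")
    for port in wanted_ports:
        if port not in forwarded:
            findings.append(f"port {port}: no DNAT rule, the connection ends on the host")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, ["80", "443", "2222"]):
        print(finding)
```

The rules actually loaded in the kernel can be compared with the file using `iptables -t nat -S PREROUTING`; leftover entries from earlier attempts show up there and match before newer ones.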
 
