Proxmox and Service Networking

Trax

New Member
Jan 30, 2014
Hi all,

I have this configuration on my Proxmox server:

Code:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback
#auto eth0
#iface eth0 inet manual

# vmbr0: Bridging. Make sure to use only MAC addresses that were assigned to you.
auto vmbr0
iface vmbr0 inet static
        address xxx.59.xxx.xx9
        netmask 255.255.255.0
        network xxx.59.xxx.xxx
        broadcast xxx.59.xxx.255
        gateway xxx.59.xxx.xx4
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0

iface vmbr0 inet6 static
        address xxxx:xxxx:8:xxxx::1
        netmask 64
        post-up /sbin/ip -f inet6 route add xxxx:xxxx:8:xxxx:ff:ff:ff:ff dev vmbr0
        post-up /sbin/ip -f inet6 route add default via xxxx:xxxx:8:xxxx:ff:ff:ff:ff
        pre-down /sbin/ip -f inet6 route del default via xxxx:xxxx:8:xxxx:ff:ff:ff:ff
        pre-down /sbin/ip -f inet6 route del xxxx:xxxx:8:xxxx:ff:ff:ff:ff dev vmbr0

# for Routing
auto vmbr1
iface vmbr1 inet manual
        #post-up /etc/pve/kvm-networking.sh
        post-up echo 1 > /proc/sys/net/ipv4/conf/vmbr0/proxy_arp
        bridge_ports dummy0
        bridge_stp off
        bridge_fd 0

# Internal interface for the VMs
auto vmbr2
iface vmbr2 inet static
        address 192.168.0.254
        netmask 255.255.255.0
        bridge_ports none
        bridge_stp off
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        # Source NAT so the VMs on 192.168.0.0/24 can reach the outside via vmbr0
        post-up iptables -t nat -A POSTROUTING -s '192.168.0.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '192.168.0.0/24' -o vmbr0 -j MASQUERADE

        # Port forwards (DNAT) from the public bridge to individual VMs
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 192.168.0.2:443
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 192.168.0.2:443

        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 3389 -j DNAT --to 192.168.0.2:3389
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 3389 -j DNAT --to 192.168.0.2:3389

        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.0.2:80
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.0.2:80

        # (the 1222 -> 192.168.0.1:22 rule was listed twice; one copy is enough)
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 1222 -j DNAT --to 192.168.0.1:22
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 1222 -j DNAT --to 192.168.0.1:22

        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 5555 -j DNAT --to 192.168.0.1:5900
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 5555 -j DNAT --to 192.168.0.1:5900

        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 5556 -j DNAT --to 192.168.0.1:5901
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 5556 -j DNAT --to 192.168.0.1:5901

        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 5557 -j DNAT --to 192.168.0.1:5902
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 5557 -j DNAT --to 192.168.0.1:5902

        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 1322 -j DNAT --to 192.168.0.4:22
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 1322 -j DNAT --to 192.168.0.4:22
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 8080 -j DNAT --to 192.168.0.4:80
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 8080 -j DNAT --to 192.168.0.4:80

Here in /etc/network/interfaces I have the iptables rules, so every time I have a new VM, or even a new service for which I need to map a new port, I have to edit /etc/network/interfaces and add several lines.

After adding them, I have to run 'service networking stop && service networking start' for them to take effect.

The problem is that after this I have to stop and start (not restart) every single VM, because they lose connectivity. I cannot stop and start every VM every time I change a NAT rule.

I was thinking that it might only be necessary to stop and start the network in every VM, but I didn't find any command to do this.

Does anybody have any idea to solve this problem?

By the way, I don't know if it's related to this problem (maybe this script does what I want to do), but I had to comment out the line '#post-up /etc/pve/kvm-networking.sh' because this script is not on my server.



Thank you for your help.

BR

Trax
 
Does anybody know if changing all the NAT rules from '/etc/network/interfaces' to the iptables.rules file could solve the problem, if I then only need to restart iptables?

This could solve the problem, couldn't it?

Thank you,

BR

Trax
 
Hi,

First, I'd recommend removing all iptables firewall rules from /etc/network/interfaces.

Please keep your configuration simple (KISS principle) and you will always stay happy. It's a bad idea to keep everything in one place; it affects things it should not.

For now you can configure your firewall the Debian way: https://wiki.debian.org/iptables

PS: In the new Proxmox release 3.3 there will be a comprehensive GUI to configure the firewall for both host and VMs, so you might be interested in rewriting your firewall again.
 
Thank you,

I followed your suggestion and everything works perfectly; I don't need to restart the networking service, just work with iptables.

Thank you again.

BR

Trax