Hi all,
Here is my current configuration, which works like a charm except for the fact that the Proxmox host is completely isolated from the outside world, without the possibility to ping hosts (internet nok, internal ok).
Hetzner host with a single NIC and a single public IP.
Debian 11 bullseye
Proxmox 7.1-11
NIC configuration:
Bash:
source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

iface enp7s0 inet manual

auto vmbr0
iface vmbr0 inet static
    address x.x.x.x/26
    gateway x.x.x.x
    bridge-ports enp7s0
    bridge-stp off
    bridge-fd 0

auto vmbr1
iface vmbr1 inet static
    address 192.168.0.1
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '192.168.0.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '192.168.0.0/24' -o vmbr0 -j MASQUERADE
    # HTTP
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.0.2:80
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.0.2:80
    # HTTPS
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 192.168.0.2:443
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 192.168.0.2:443
    # PLEX
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 32400 -j DNAT --to 192.168.0.2:32400
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 32400 -j DNAT --to 192.168.0.2:32400
I have also installed Tailscale on the host and the VMs.
Here are the iptables rules I have set up:
Bash:
*nat
:PREROUTING ACCEPT [663:60114]
:INPUT ACCEPT [86:5352]
:OUTPUT ACCEPT [392:26264]
:POSTROUTING ACCEPT [414:27600]
-A PREROUTING -i enp7s0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80
-A PREROUTING -i enp7s0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.2:443
-A PREROUTING -i enp7s0 -p tcp -m tcp --dport 32400 -j DNAT --to-destination 192.168.0.2:32400
-A PREROUTING -i enp7s0 -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.0.240:1194
-A POSTROUTING -s 192.168.0.0/24 -o enp7s0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [385576:2702110994]
:OUTPUT ACCEPT [0:0]
:f2b-sshd - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 100.64.0.0/10 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i vmbr1 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i vmbr1 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 41641 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32400 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -j ACCEPT
COMMIT
*raw
:PREROUTING ACCEPT [387445:2702586780]
:OUTPUT ACCEPT [1359:531119]
COMMIT
When I connect to the Proxmox host and try to output the iptables rules by executing iptables -L --line-numbers,
I see the first 3 to 5 entries and then the display freezes.
"CTRL+C" gives me control back.
The Proxmox GUI is also accessible but shows weird behaviour (all the icons are displayed as question marks, the statistics (Summary) page is broken, ...).
I am able to ping the internal network 192.168.13.0/24, but no luck with the Tailscale network or the internet.
All my VMs are working perfectly well.
If I flush the iptables rules, everything works as it should.
Is there some kind of rule I am missing?
Does this have to do with the fact that I only have a single NIC?
Help would be really appreciated.
Denis
**************************************************************************
Solution hereunder
**************************************************************************
The -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT line was missing just before the -A INPUT -j DROP line.
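As an added example (not from the post and not Proxmox's own tooling), a small POSIX shell lint that checks an iptables-save dump for the blanket stateful ACCEPT that Denis found missing and prints a corrected dump; the sample rules are a constructed, trimmed copy of the *filter table above, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: lint an iptables-save dump for the
# defect this thread ends on, an INPUT chain that falls through to "-j DROP"
# without a blanket "-m state --state RELATED,ESTABLISHED -j ACCEPT" before it.
# Without that rule the host's own outbound traffic loses its replies: ping
# answers, DNS (so "iptables -L" without -n stalls on reverse lookups), apt, and
# the calls the Proxmox GUI makes to its own backend.

# Exit 0 if *filter INPUT has a blanket stateful ACCEPT before its DROP, else 1.
# Port- or source-scoped rules ("-s 192.168.0.0/24 ... --state NEW,ESTABLISHED")
# do not count: they cover inbound services, not host-originated connections.
check_input_stateful() {
    awk '
        /^\*/             { table = substr($0, 2) }
        table != "filter" { next }
        /^-A INPUT -m (state --state|conntrack --ctstate) [A-Z,]*ESTABLISHED[A-Z,]* -j ACCEPT$/ { ok = 1 }
        /^-A INPUT -j DROP$/ { exit }   # rules after the DROP are never reached
        END               { exit ok ? 0 : 1 }
    ' "$1"
}

# Print the dump with the missing rule inserted just before the INPUT DROP;
# review it, then load it with "iptables-restore < fixed.rules".
fix_input_stateful() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^-A INPUT -j DROP$/ && !done {
            print "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"; done = 1
        }
        { print }
    ' "$1"
}
# Constructed sample: a trimmed copy of the *filter table from the post.
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i vmbr1 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}
broken=$(mktemp) && write_sample_rules "$broken"
check_input_stateful "$broken" || echo "stateful ACCEPT missing before INPUT DROP"
fix_input_stateful "$broken" | check_input_stateful - && echo "fixed ruleset passes"
```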