[SOLVED] Proxmox SSH Port Forward - Connection Refused

ninjaprox

New Member
Sep 9, 2021
Hello,
I have a hosted Proxmox server with one public IP where I have configured NAT rules to allow internet access to the VMs that have a separate vmbr1 bridge network, and that is working fine.

The next step that I wanted to configure was to be able to SSH to a specific VM, for this reason I wanted to create a port forward rule like this:
*In /etc/network/interfaces I have configured the following
Code:
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 3033 -j DNAT --to-destination <internal_ip>:22
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 3033 -j DNAT --to-destination <internal_ip>:22

Tried also like this
Code:
iptables -t nat -A PREROUTING -i <external_ip> -p tcp --dport 3033 -j DNAT --to-destination <internal_ip>:22

So the idea was to be able to access the VM port 22 through port 3033, so running this command
"ssh -p 3033 <user>@<external-ip>" throws the following error
"ssh: connect to host <external_ip> port 3033: Connection refused"

Also when I run "telnet <external-ip> 3033" I receive
telnet: Unable to connect to remote host: Connection refused

For example, if I try to SSH to that specific VM from a different VM in that same subnet through <user>@<internal_ip>, I am able to do it successfully.

So regarding this problem I tried to open port 3033, for example like this in iptables, and save the configuration by running "iptables-save"; also tried to add my public IP, but nothing worked
Code:
1 ACCEPT tcp -- anywhere anywhere tcp dpt:3033

Also tried to create a Firewall rule in the Datacenter/Node where I added it, but nothing changed

Conclusion: all the ports that are opened by default are working fine, but any additional one that I want to open doesn't work. Is there some other place that I need to check/run some configuration to open the port, or do I need to contact the hosting company?

Thank you for the help in advance.
 
First: check via
Code:
iptables-save
the currently active rules. If everything is ok - second:
run the `ssh` or `telnet` command (as you already mentioned) and check via
Code:
tcpdump -eni vmbr0 port 3033
whether the packets arrive properly.
If yes: check whether ip_forwarding is set properly and if packets are forwarded according to your rules (using tcpdump for vmbr1).
If no: probably your provider blocks the port - contact them in order to get the problem solved.
 
1. So iptables-save gives the following
Code:
-A PREROUTING -i <external_ip> -p tcp -m tcp --dport 3033 -j DNAT --to-destination <internal_ip>:22
-A INPUT -p tcp -m tcp --dport 3033 -j ACCEPT

2. Running tcpdump -eni vmbr0 port 3033 and trying ssh/telnet I receive the following
Code:
listening on vmbr0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
<my_ip>.3394 > <external_ip>.3033: Flags , seq 2690335803, win 64240, options [mss 1460,sackOK,TS val 2498087445 ecr 0,nop,wscale 7], length 0
11:16:36.057333 3c:ec:ef:f3:2d:20 > 00:00:0c:9f:f0:32, ethertype IPv4 (0x0800), length 54: <external_ip>.3033 > <my_ip>.3394: Flags [R.], seq 0, ack 2690335804, win 0, length 0

3. Spoke with the provider, they said it's not from our side, we have everything open, it's on your side.

Every Firewall is set to active, with proper ACCEPT rules for the GUI, SSH and this specific port on the Datacenter; also on Node level and VM level the ACCEPT rule for 3033 is added, but still receiving the connection refused error.

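The checks the replies above walk through (active DNAT rule, whether the SYN reaches vmbr0, whether it shows up again on vmbr1, ip_forward) as an added shell example; this is not code from the thread or from Proxmox. It runs over constructed text shaped like the outputs posted above (sample iptables-save rules, sample tcpdump lines, a sysctl file path you pass in), so the logic can be exercised offline and without root; the addresses 198.51.100.2, 203.0.113.7 and 10.10.10.5 and the function names are made up for the example. One fact it encodes that the posted rules make relevant: iptables `-i` matches the name of the incoming interface (vmbr0), so a rule written with an IP address after `-i` is accepted and saved but never matches any packet.

```shell
#!/bin/sh
# Added example, not code from the thread or from Proxmox: replays the
# diagnostic steps from the replies above against captured text, so the logic
# can be exercised offline and without root. All addresses are constructed.

# Constructed `iptables-save` output shaped like the one posted above, once
# with the interface name and once with an address where -i expects a name.
RULES_GOOD='*nat
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 3033 -j DNAT --to-destination 10.10.10.5:22
-A POSTROUTING -s 10.10.10.0/24 -o vmbr0 -j MASQUERADE
COMMIT'
RULES_BAD='*nat
-A PREROUTING -i 198.51.100.2 -p tcp -m tcp --dport 3033 -j DNAT --to-destination 10.10.10.5:22
COMMIT'

# Constructed tcpdump lines shaped like the vmbr0 capture in the thread:
# a SYN to 3033 answered by a RST from the public address.
CAP_VMBR0='11:16:36.057 IP 203.0.113.7.3394 > 198.51.100.2.3033: Flags [S], seq 1, win 64240, length 0
11:16:36.057 IP 198.51.100.2.3033 > 203.0.113.7.3394: Flags [R.], seq 0, ack 2, win 0, length 0'
# What the vmbr1 side looks like when the DNAT did apply (also constructed).
CAP_VMBR1_OK='11:16:36.058 IP 203.0.113.7.3394 > 10.10.10.5.22: Flags [S], seq 1, win 64240, length 0'

# find_dnat_rule RULES PORT: print the PREROUTING DNAT rule for PORT (exit 1 if none).
find_dnat_rule() {
    printf '%s\n' "$1" | grep -E -- "^-A PREROUTING .*--dport $2 .*-j DNAT"
}

# dnat_iface_ok RULES PORT: exit 0 only if the rule's -i value looks like an
# interface name. iptables accepts any short string there, so an IP address
# is silently stored and the rule simply never matches.
dnat_iface_ok() {
    iface=$(find_dnat_rule "$1" "$2" | sed -n 's/.* -i \([^ ]*\) .*/\1/p')
    [ -n "$iface" ] || return 1
    case "$iface" in
        *.*.*.*) return 1 ;;   # dotted quad: an address, not an interface
        *)       return 0 ;;
    esac
}

# ip_forward_enabled FILE: exit 0 if the sysctl file (normally
# /proc/sys/net/ipv4/ip_forward) holds 1.
ip_forward_enabled() {
    [ "$(cat "$1")" = "1" ]
}

# classify PUBLIC_CAP INTERNAL_CAP PORT INTERNAL_IP: the decision tree from the
# replies above, as text:
#   not-arriving   no SYN to PORT on vmbr0 -> the block is upstream (provider)
#   not-forwarded  SYN reached vmbr0 but never showed up towards INTERNAL_IP:22
#                  on vmbr1 -> DNAT rule, ip_forward or host firewall
#   forwarded      SYN seen on both bridges -> look at the VM itself
classify() {
    if ! printf '%s\n' "$1" | grep -qE "\.$3: Flags \[S\]"; then
        echo not-arriving
    elif ! printf '%s\n' "$2" | grep -qE "> $4\.22: Flags \[S\]"; then
        echo not-forwarded
    else
        echo forwarded
    fi
}

# Stand-alone run over the constructed samples.
find_dnat_rule "$RULES_GOOD" 3033
dnat_iface_ok "$RULES_BAD" 3033 || echo "rule uses an address where -i expects an interface name"
echo "vmbr0 capture, nothing on vmbr1: $(classify "$CAP_VMBR0" "" 3033 10.10.10.5)"
echo "vmbr0 capture, SYN on vmbr1:     $(classify "$CAP_VMBR0" "$CAP_VMBR1_OK" 3033 10.10.10.5)"
```

On a real host the inputs would be `iptables-save`, the two `tcpdump -ni vmbr0 port 3033` and `tcpdump -ni vmbr1 port 22` captures saved to files, and `/proc/sys/net/ipv4/ip_forward`; the capture in the thread is the "not-forwarded" case, which is why the next reply asks for ip_forward and the vmbr1 side.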
So we have the situation I labelled before with "if yes:" - next step would be to verify if ip_forwarding (/proc/sys/net/ipv4/ip_forward) is properly set to 1.
If so, you should see the packet sent to <internal_ip> destination port 22 at the respective bridge port (can also be checked by tcpdump).
 
The ip_forward file is set to 1.

The output of the packets sent to the internal IP is this (if I access the VM from remote with ssh user@external-ip there is no traffic arriving at Port 20 on the internal VM... but if I SSH to it from another VM inside the subnet the traffic is shown).

Maybe the problem is in the bridge setup? But the VMs through NAT rules have internet access. Here is the connection... I am trying to access the Proxmox host with port 3033 to send traffic to the VM with port 22 on the vmbr1 bridge.

Also to mention, the firewall works, as when it's enabled only the SSH and GUI ports are working, but adding port 3033 to port forward doesn't work; it's the same with a different example, for example port 4444 to http (80) on a specific VM.
 
In the end it was something with the reload of the network: after adding the firewall rules to the Node and to /etc/network/interfaces, make sure to go to the network and "Apply Configuration"; afterwards it was working fine.
 
