Proxmox VE 8 with Firewall in Routed Configuration. Netfilter POSTROUTING SNAT not working

Jul 3, 2023
2
0
1
Hi,
since switching to Proxmox VE 8 Postrouting SNAT (Unfortunately I must use NAT) in combination with the Proxmox Firewall is not working anymore even with conntrack zones enabled.
In Proxmox VE 7 it worked after adding


Code:
post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1 
post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1



to the /etc/network/interfaces.


This is how my /etc/network/interfaces looks like
Code:
auto eno1 
iface eno1 inet static 
        address <Main public IP>/26 
        gateway <Gateway IP> 
 
 
 
 
 
 
auto vmbr0 
iface vmbr0 inet static 
        address <Main public IP>/32 
        bridge-ports none 
        bridge-stp off 
        bridge-fd 0 
        #fix for SNAT and VE Firewall 
        post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1 
        post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1 
 
 
        #SNAT for Backup 
        post-up iptables -t nat -A POSTROUTING -s <internel IP Backup>/32 -o eno1 -j SNAT --to-source <Main public IP> 
        post-down iptabels -t nat -D  POSTROUTING -s <internel IP Backup>/32 -o eno1 -j SNAT --to-source <Main public IP>


Any feedback is much appreciated.

Best regards
 
This isn't working in my case on 8.2.7 with kernel version 6.8.12-1.
I've just come across this thread after trying to understand what's happening. It's clear that the host simply ignores the SNAT rule when the VM firewall (interface + VM level) and forwards the packet without translation the source IP address, I can clearly see the difference in tcpdump.

Any ideas why this is happening or how it can be solved?
 
I realised that this rule:
-A PREROUTING -i fwbr+ -j CT --zone 1
was missing from the raw chain. After adding it, it worked. The packets need a separate conntrack zone in order for SNAT to work, otherwise they're considered "known" (so not new), and will not travel through the nat (POSTROUTING) table anymore.

Later edit: I've just realised this isn't particularly helpful, given that you're mentioning this from the very beginning :)
 
Last edited:
I face the same problem !

By default there is rules in iptables on iptables -L FORWARD -v -n --line-numbers

You should probably see that package a DROP like this :
Code:
15     513 42597 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "DROP UNMATCHED PASS-unknown:"


And to fix just do (adapt to you configuration) :
Code:
iptables -I FORWARD 1 -i vmbr9 -o vmbr0 -s 10.10.10.0/24 -j ACCEPT
iptables -I FORWARD 2 -i vmbr0 -o vmbr9 -d 10.10.10.0/24 -j ACCEPT
 
I don't think that's good advice. The firewall should take care of the FORWARD rules, and as a permanent solution I don't think you should do that. It would be a good test just for debugging purposes to see if it works. Otherwise you're interefering with the logic of the firewall. And if the firewall doesn't work as it's supposed to (of which I wouldn't be surprised), then that should be highlighted as such and brought to the attention of the developers.

If you look at the second rule in the PVEFW-FORWARD chain, which is referenced in the FORWARD chain, you'll see:
Code:
iptables -vnL PVEFW-FORWARD --line
Chain PVEFW-FORWARD (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1    13664  710K DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
2    1509M 1488G ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

The second rule takes care of the conntrack, so there's no need to interfere with that by accepting and outbound and inbound traffic regardless of the conntrack.
 
Like said in my post you need to adapt.

it's depend of your default FORWARD chain :

iptables -L FORWARD -v -n --line-numbers
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DROP 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x11 ctstate INVALID,NEW
2 0 0 DROP 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x14/0x14 ctstate INVALID,NEW
3 0 0 DROP 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x10/0x10 ctstate INVALID,NEW
4 0 0 DROP 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x04/0x04 ctstate INVALID,NEW
5 0 0 DROP 1 -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3 ctstate INVALID,NEW
6 0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "DROP INVALID FORWARD:"
7 0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
8 0 0 ACCEPT 1 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
9 0 0 ACCEPT 6 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED tcp flags:0x3F/0x14
10 162 12445 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "DROP UNMATCHED PASS-unknown:"
 
The eight rule in the snippet that you've just pasted contradicts what you say in post #8. So, no, this isn't about adapting anything. Your advice means you're interfering with the logic of the firewall by bypassing the first rules (related to all sorts of invalid packets, 1 to 7 in your case). If the traffic is somehow affected by those rules then you should try to understand what's going on instead of simply ignoring this logic.
 
What do you mean, it do not interfere, like said, you need to adapt the rules, so put them in position 10 in the second example.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!