Reach VM from other VM via host's public IP

[MattMuffin]

Hello,

Here is my config:
* my proxmox host is set on *public_ip*
* my vm1 contains a gitlab up and running with source code for project1
* my vm2 contains a test version of project1

I rerouted all traffic to *public_ip* port 2222 to vm1 port 22 => I can therefore pull the code from gitlab from any machine OUTSIDE of my private network (meaning, outside of the proxmox network).

I'm trying to git pull project1 from vm2 through the public IP. Here is my command to test it:

# ssh -vvv git_mydomain_com -p 2222
OpenSSH_6.7p1 Ubuntu-5ubuntu1.3, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to git_mydomain_com [*public_ip*] port 2222.
debug1: connect to address *public_ip* port 2222: Connection refused
ssh: connect to host git_mydomain_com port 2222: Connection refused

I try the same command but using the internal IP for vm1:
# ssh -vvv *internal_192_ip* -p 22
OpenSSH_6.7p1 Ubuntu-5ubuntu1.3, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to *internal_192_ip* [*internal_192_ip*] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
[...]
internal_192_ip*'s password:

Question: how can i reach vm1 from vm2 using the git_mydomain_com:2222 approach?

 

[wbumiller]

How did you setup the port forwarding? Is it maybe limited to the external network interface so that it doesn't cover traffic coming from the VMs?

 

[MattMuffin]

Hello Wolfgang,

Thanks for your interest. Here is what I put (on the host):

iptables -t nat -A POSTROUTING -o eth1 -s 192.168.15.20/23 -j MASQUERADE
iptables -t nat -A POSTROUTING -o vmbr0 -s 192.168.15.20/23 ! -d 192.168.15.20/23 -j SNAT --to-source public_ip

Then I rerouted all incoming traffic from port 2222 to the VM hosting gitlab:

iptables -t nat -A PREROUTING -p tcp -d public_ip --dport 2222 -i vmbr0 -j DNAT --to-destination 192.168.15.1:22

So from what I read, I re-routed all traffic through vmbr0 to my gitlab VM

 

[MattMuffin]

FYI, here is the netstat command:

# netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 0 2763713 605/master
tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 102 2762443 256/systemd-resolve
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 0 37133401 4770/nginx.conf
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 2762427 255/sshd
tcp6 0 0 :::25 :::* LISTEN 0 2763714 605/master
tcp6 0 0 :::3306 :::* LISTEN 111 33585179 2558/mysqld
tcp6 0 0 :::22 :::* LISTEN 0 2762430 255/sshd
udp 0 0 0.0.0.0:5355 0.0.0.0:* 102 2762442 256/systemd-resolve

 

[Nashwan]

Hello mate,
I am facing exactly same issue, have you sorted it? If yes, can you please help out?
thanks in advance

 

[Nashwan]

How did you setup the port forwarding? Is it maybe limited to the external network interface so that it doesn't cover traffic coming from the VMs?

can you please help me out how to get ssh work properly to the proxmox vm guest with a private IP address, I have done NATing and below is how I did portforwarding

# VM-SMTP SSH 22:192.168.0.1:22
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 10022 -j DNAT --to 192.168.0.1:22
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 10022 -j DNAT --to 192.168.0.1:22

looking forward to hearing from you

 

[MattMuffin]

Hello Nashwan,

I havent been able to find a clean way to do it. I only use the internal IP approach which does the job. If anybody reads this, i'm still interested in finding a solution. Thanks!