ssh behind SDN VLAN possible?

vesuvienne

Hi team,
With a Linux VLAN I can SSH to my VM with some port forwarding in /etc/network/interfaces:
Code:
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 3248 -j DNAT --to 192.168.22.2:22
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 3248 -j DNAT --to 192.168.22.2:22

But I didn't find a solution with SDN VLAN. Is it possible?
 
You need to set an IP to the subnet of the VLAN and then add the DNAT rule:

Code:
iface <vnet_name> inet static
        address <ip_address>/<netmask>
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 3248 -j DNAT --to <vm_ip>:22
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 3248 -j DNAT --to <vm_ip>:22

I'm pretty sure it should also work if you just add a route to the VLAN interface on the host if you don't want the host to have an IP in the VLAN, but I'd have to try.
 
Thanks for your time @shanreich

I am using a simple zone, not a VLAN, but I think it should be the same.

My PVE has the IP set to 172.21.95.80

My /etc/network/interfaces.d/sdn looks like this:
Code:
auto int0
iface int0
address 10.0.0.1/24
post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j SNAT --to-source 172.21.95.80
post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j SNAT --to-source 172.21.95.80
post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
bridge_ports none
bridge_stp off
bridge_fd 0
ip-forward on

The NAT works perfectly, but the port forwarding to the internal IP 10.0.0.2 doesn't.

From the PVE 172.21.95.80 I can SSH to the internal VM 10.0.0.2:22

I have tried your approach manually without luck :(
Code:
iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 8022 -j DNAT --to 10.0.0.2:22

This should be enough to allow an ssh -p 8022 user@172.21.95.80 to be forwarded to 10.0.0.2:22
I cannot see anything in the journalctl -f logs.

I have tried with all the FW disabled (just in case).
 
What is the output of

Code:
iptables -t nat -L
 
Code:
iptables -L -t nat -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8022 to:10.0.0.2:22

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       0    --  10.0.0.0/24          0.0.0.0/0            to:172.21.95.80
 
Thanks for your time @shanreich
Is it necessary to create an SDN VLAN zone instead of the simple one I am using?
Are you using VLAN in your systems?
 
Does SSH work from your host to 10.0.0.2:22 ?

If you don't use VLAN, then it is not necessary to create a VLAN zone.
 
Yes, it works perfectly.

Code:
root@pve1:~# ssh -p 22 debian@10.0.0.2
Linux XXXXXX 6.1.0-26-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.112-1 (2024-09-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct 23 10:42:24 2024 from 10.0.0.1

My PVE has a NIC on the 10.0.0.X network:

Code:
14: int0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether b6:b8:2a:14:42:a5 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 scope global int0
       valid_lft forever preferred_lft forever
    inet6 fe80::a4e3:fdff:fe3a:fb85/64 scope link
       valid_lft forever preferred_lft forever
 
Weird, the exact same setup with a simple Zone works for me.

What's the output of ssh -v -p 8022 user@172.21.95.80 when connecting from the outside?
What does tcpdump show on the tap interface of the VM? tcpdump -envi <tap_if> tcp
 
Dear @shanreich,

The bug was located between the keyboard and the seat :P I was testing the forwarding rule from the same machine and not from a different one.
It works perfectly as expected.

For future reference: please test the port forwarding rules from a different server and not from the one doing the forwarding.

Thanks for your time :)
 
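The root cause found at the end of the thread (a DNAT rule in nat PREROUTING is never evaluated for a connection started on the forwarding host itself) is easy to see in a small model of netfilter traversal. The following is an added example, not code from the thread or from Proxmox: it parses the three iptables rules quoted above and walks them the way the kernel does for an external client, for a client running on the PVE host, and for outbound VM traffic. The two-entry route table, the external client address and the outbound destination are constructed assumptions; the host addresses, interfaces and rules are the ones posted in the thread.

```python
"""Model of netfilter nat traversal for the iptables rules quoted in the thread."""
import shlex
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Addresses owned by the PVE host in the thread, plus a constructed route table (assumption).
LOCAL_IPS = {"172.21.95.80", "10.0.0.1"}
ROUTES = [(ip_network("10.0.0.0/24"), "int0"), (ip_network("0.0.0.0/0"), "vmbr0")]


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    in_if: Optional[str] = None   # None: generated on this host, so no PREROUTING hook
    out_if: Optional[str] = None  # filled in by the routing decision


def parse_rule(line: str) -> dict:
    """Parse the subset of iptables syntax used in the thread (every option takes one argument)."""
    toks = shlex.split(line)
    if toks and toks[0] == "iptables":
        toks = toks[1:]
    rule = {"table": "filter", "chain": None, "in_if": None, "out_if": None,
            "proto": None, "dport": None, "src": None, "target": None, "to": None}
    keys = {"-t": "table", "-A": "chain", "-I": "chain", "-i": "in_if", "-o": "out_if",
            "-p": "proto", "-j": "target", "--to": "to", "--to-source": "to",
            "--to-destination": "to"}
    for opt, arg in zip(toks[::2], toks[1::2]):
        if opt in keys:
            rule[keys[opt]] = arg
        elif opt == "--dport":
            rule["dport"] = int(arg)
        elif opt == "-s":
            rule["src"] = ip_network(arg)
        elif opt != "--zone":  # the conntrack zone does not affect NAT decisions here
            raise ValueError(f"unsupported option {opt!r}")
    if rule["chain"] is None or rule["target"] is None:
        raise ValueError("rule needs a chain (-A/-I) and a target (-j)")
    return rule


def _if_match(pattern: Optional[str], name: Optional[str]) -> bool:
    """iptables interface match, including the trailing '+' wildcard (fwbr+)."""
    if pattern is None:
        return True
    if name is None:
        return False
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


def matches(rule: dict, pkt: Packet) -> bool:
    return (_if_match(rule["in_if"], pkt.in_if)
            and _if_match(rule["out_if"], pkt.out_if)
            and rule["proto"] in (None, pkt.proto)
            and rule["dport"] in (None, pkt.dport)
            and (rule["src"] is None or ip_address(pkt.src) in rule["src"]))


def route(dst: str) -> str:
    if dst in LOCAL_IPS:
        return "lo"
    for net, dev in ROUTES:
        if ip_address(dst) in net:
            return dev
    raise LookupError(dst)


def _run_nat_chain(rules, chain: str, pkt: Packet) -> None:
    """First matching NAT target in the chain wins; no match leaves the packet untouched."""
    for r in rules:
        if r["table"] == "nat" and r["chain"] == chain and matches(r, pkt):
            if r["target"] == "DNAT":
                host, _, port = r["to"].partition(":")
                pkt.dst = host
                if port:
                    pkt.dport = int(port)
            elif r["target"] == "SNAT":
                pkt.src = r["to"]
            return


def apply_nat(rules, pkt: Packet):
    """Return (translated packet, 'local' or 'forward') after nat traversal."""
    pkt = replace(pkt)
    if pkt.in_if is None:
        # Locally generated traffic is routed first and then hits nat OUTPUT; it
        # never traverses PREROUTING, so the DNAT rule from the thread is skipped.
        pkt.out_if = route(pkt.dst)
        _run_nat_chain(rules, "OUTPUT", pkt)
    else:
        _run_nat_chain(rules, "PREROUTING", pkt)
    if pkt.dst in LOCAL_IPS:
        return pkt, "local"        # delivered to a socket on the host (INPUT path)
    pkt.out_if = route(pkt.dst)     # routing decision happens after any DNAT rewrite
    _run_nat_chain(rules, "POSTROUTING", pkt)
    return pkt, "forward"


# The three rules quoted in the thread, as run on the PVE host.
THREAD_RULES = [parse_rule(line) for line in (
    "iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 8022 -j DNAT --to 10.0.0.2:22",
    "iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j SNAT --to-source 172.21.95.80",
    "iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1",
)]


def external_client():
    """ssh -p 8022 from another machine (constructed 172.21.95.10): arrives on vmbr0."""
    return apply_nat(THREAD_RULES, Packet("172.21.95.10", "172.21.95.80", 8022, in_if="vmbr0"))


def client_on_forwarding_host():
    """The mistake from the thread: the same ssh command run on the PVE host itself."""
    return apply_nat(THREAD_RULES, Packet("172.21.95.80", "172.21.95.80", 8022))


def vm_outbound():
    """VM traffic leaving through vmbr0 (constructed destination 192.0.2.1): SNAT applies."""
    return apply_nat(THREAD_RULES, Packet("10.0.0.2", "192.0.2.1", 443, in_if="int0"))


if __name__ == "__main__":
    for case in (external_client, client_on_forwarding_host, vm_outbound):
        pkt, verdict = case()
        print(f"{case.__name__:26} -> {verdict:8} {pkt.src} -> {pkt.dst}:{pkt.dport} via {pkt.out_if}")
```

The model reproduces the thread's outcome: the external client's packet is rewritten to 10.0.0.2:22 in PREROUTING and forwarded out int0 (the SNAT rule does not fire because its -o vmbr0 match fails), while the connection opened on the PVE host only passes nat OUTPUT, is never rewritten, and ends up at the host's own port 8022. That is why the in-place test "fails" even though the rule is correct; the checks shanreich suggested (ssh -v from another host and tcpdump on the VM's tap interface) are the ones that actually exercise the PREROUTING path.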