[SOLVED] Unable to port forward

Zephyrs

New Member
May 5, 2021
13
0
1
Here is my /etc/network/interfaces file.

Code:
auto lo
iface lo inet loopback

auto eno1
iface eno1 inet static
    address (Public IP)/32
    gateway (Public IP gateway)

auto vmbr0
iface vmbr0 inet static
    address 10.10.10.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0

    post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up   iptables -t nat -A POSTROUTING -s '10.10.10.1/24' -o eno1 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.10.10.1/24' -o eno1 -j MASQUERADE
    post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
    post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

    iptables -t nat -A PREROUTING -i vmbr0 -p [tcp/udp] --dport 6000 -j DNAT --to-destination 10.10.10.100:6000

#    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 6000 -j DNAT --to 10.10.10.100:6000
#    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 6000 -j DNAT --to 10.10.10.100:6000

The container has been assigned the following IP and gateway. 10.10.10.100/24 10.10.10.1

The container can access the net fine. I can nmap to it from the host from the 10.10.10.100 address, but I cannot do it from the public address. The commented out lines are from when I was attempting to do this via an older method I've seen posted a few times. The results ae the same. I have also tried without the i vmbr0] element as per the wiki. The results are still the same.

Code:
root@:~# nmap -sT -sU 10.10.10.100 -p 6000
Starting Nmap 7.70 ( https://nmap.org ) at 2021-06-11 08:15 UTC
Nmap scan report for 10.10.10.100
Host is up (0.000049s latency).

PORT     STATE  SERVICE
6000/tcp open   X11
6000/udp closed X11
MAC Address: 36:D3:DC:A0:CB:C4 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds
root@:~# nmap -sT -sU (Public- P) -p 6000
Starting Nmap 7.70 ( https://nmap.org ) at 2021-06-11 08:15 UTC
Nmap scan report for (Public IP)
Host is up (0.000055s latency).

PORT     STATE  SERVICE
6000/tcp closed X11
6000/udp closed X11

Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
 

Zephyrs

New Member
May 5, 2021
13
0
1
Code:
auto lo
iface lo inet loopback
iface lo inet6 loopback

auto eno1
iface eno1 inet manual
iface eno1 inet6 manual


auto vmbr0
iface vmbr0 inet static
    address (Public IP)/32
    gateway (Public IP gateway)
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0
iface vmbr0 inet6 static
    address (Public IPv6 range)
    gateway (Public IPv6 gateway)
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0

auto vmbr1
iface vmbr1 inet static
    address 10.10.10.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0

    post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE

    #sample NAT
    iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 6000 -j DNAT --to 10.10.10.100:6000

Bit of an update. The above configuration works as expected for the most part. The containers bound to the local NAT can access the outside world. However the iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 6000 -j DNAT --to 10.10.10.100:6000 command only works if manually entered via the console. Having it in the /etc/network/interfaces file appears to do nothing.

Code:
iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        
MASQUERADE  all  --  10.10.10.0/24        anywhere

Code:
iptables -L -t nat                                                      Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        
DNAT       tcp  --  anywhere             anywhere             tcp dpt:x11 to:10.10.10.100:6000

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        
MASQUERADE  all  --  10.10.10.0/24        anywhere

I'm at a loss here. I could use some other system to manually reload this stuff at system bootup, but I'd prefer to have it configured "correctly".
 
Last edited:

Zephyrs

New Member
May 5, 2021
13
0
1
Seems to be fixed by having two lines with post-up and post-down preceding them.

Not sure why that isn't mentioned anywhere, but I think I have this resolved now.

EDIT: example for others stuck on this.
Code:
    #sample NAT
    post-up   iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 6000 -j DNAT --to 10.10.10.100:6000
    post-down iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 6000 -j DNAT --to 10.10.10.100:6000
 
Last edited:

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE and Proxmox Mail Gateway. We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!