Unable to SSH to the VM from my local Network or from Internet

S

sankarthota

New Member
Jul 16, 2024
15
1
3
Hello,

your Help on this will saves my life,

I have configured the Proxmox and configured the VM inside the Proxmox, everything is working fine as expected..

I am able to ssh to the Proxmox Host and from the Proxmox host i am ablt to connect to VM,

But I am not able to connect to my vm from my local network or from internet
 
How does your network configuration look like? (cat /etc/network/interfaces)
How does your VM configuration look like? (qm config <vmid>)
How is the VM network configuration?

From which IP are you trying to connect to the VM?
 
Hi

shanreich

Find the below details please,
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

iface lo inet6 loopback

auto enp5s0
iface enp5s0 inet static
address 65.108.*.*/26
gateway 65.108.*.*
up route add -net 65.108.*.* netmask 255.255.255.192 gw 65.108.*.* dev enp5s0
# route 65.108.*.*/26 via 65.108.*.*

iface enp5s0 inet6 static
address 2a01:4f9:1a:a215::2/64
gateway fe80::1

auto vmbr1
iface vmbr1 inet static
address 10.1.1.1
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '10.1.1.0/24' -o enp5s0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.1.1.0/24' -o enp5s0 -j MASQUERADE


auto enp5s0.4000
iface enp5s0.4000 inet manual
mtu 1400

auto vmbr0
iface vmbr0 inet static
mtu 1400
address 10.100.1.1/24
bridge-ports enp5s0.4000
bridge-stp off
bridge-fd 0
--------------------------------------------------------------------------

agent: 1
balloon: 0
boot: order=scsi0
cores: 4
cpu: x86-64-v2-AES
ide2: local:iso/ubuntu-22.04.3-desktop-amd64.iso,media=cdrom,size=4919592K
memory: 46080
meta: creation-qemu=8.1.2,ctime=1704902175
net0: virtio=BC:24:11:2C:4F:A3,bridge=vmbr1,firewall=1
numa: 0
ostype: l26
scsi0: local:100/vm-100-disk-0.qcow2,iothread=1,size=1000G
scsihw: virtio-scsi-single
smbios1: uuid=744f26b6-eb70-4628-a270-632a53e6125e
sockets: 4
tags: desktop;docker;ubuntu
vga: std
vmgenid: 6c6fa3a0-9f04-456f-876d-f94760be35d0
 
The VM only has a local IP, 10.1.1.x, on vmbr1 I assume? You only have setup SNAT, which means that you should be able to reach the internet from the VM but no one can reach it from outside. You either need to assign it a public IP (if you have any) or utilize DNAT in order to be able to reach the VM from the outside.
 
you are right!!..

I have only one Public IP,

But I want to access my VM from outside as well.

can you please share any suggestions how to confirue the DNAT in my VM?

Thanks
 
You will need to configure a DNAT rule via iptables. Depending on the kind of traffic you want to forward (TCP / UDP) you need to adjust the protocol below.

Code: 
iptables -t nat -A PREROUTING -i enp5s0 -p tcp --dport <port> -j DNAT --to 10.1.1.X:<port>
 
How do your NAT rules look like?
Code: 
iptables -t nat -L

How are you trying to reach your VM? SSH? HTTP/S?
What's the IP of the VM?
 
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:2222 to:10.1.5.2:2222
DNAT tcp -- anywhere anywhere tcp dpt:2222 to:10.1.5.2:2222
DNAT tcp -- anywhere anywhere tcp dpt:2222 to:10.1.5.2:2222
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
DNAT tcp -- anywhere anywhere tcp dpt:2222 to:10.1.1.2:22
DNAT tcp -- anywhere anywhere tcp dpt:2222 to:10.1.1.2:22
DNAT udp -- anywhere anywhere udp dpt:2222 to:10.1.1.2:22

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere !127.0.0.0/8 ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 anywhere
MASQUERADE all -- 172.19.0.0/16 anywhere
MASQUERADE all -- 172.18.0.0/16 anywhere
MASQUERADE all -- 10.1.1.0/24 anywhere
MASQUERADE tcp -- anywhere 10.1.5.2 tcp dpt:2222
MASQUERADE tcp -- anywhere 10.1.5.2 tcp dpt:2222
MASQUERADE tcp -- anywhere 10.1.5.2 tcp dpt:2222
MASQUERADE all -- 10.1.1.0/24 anywhere
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:http
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:81
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:300
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:301
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:302
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:303
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:304
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:305
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:306
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:307
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:308
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:309
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:310
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:https
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:2200
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:2201
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:2202
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:2203
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:2204
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:2205
MASQUERADE tcp -- 172.19.0.2 172.19.0.2 tcp dpt:http

Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
DNAT tcp -- anywhere anywhere tcp dpt:http to:172.18.0.3:80
DNAT tcp -- anywhere anywhere tcp dpt:81 to:172.18.0.3:81
DNAT tcp -- anywhere anywhere tcp dpt:300 to:172.18.0.3:300
DNAT tcp -- anywhere anywhere tcp dpt:301 to:172.18.0.3:301
DNAT tcp -- anywhere anywhere tcp dpt:302 to:172.18.0.3:302
DNAT tcp -- anywhere anywhere tcp dpt:303 to:172.18.0.3:303
DNAT tcp -- anywhere anywhere tcp dpt:304 to:172.18.0.3:304
DNAT tcp -- anywhere anywhere tcp dpt:305 to:172.18.0.3:305
DNAT tcp -- anywhere anywhere tcp dpt:306 to:172.18.0.3:306
DNAT tcp -- anywhere anywhere tcp dpt:307 to:172.18.0.3:307
DNAT tcp -- anywhere anywhere tcp dpt:308 to:172.18.0.3:308
DNAT tcp -- anywhere anywhere tcp dpt:309 to:172.18.0.3:309
DNAT tcp -- anywhere anywhere tcp dpt:310 to:172.18.0.3:310
DNAT tcp -- anywhere anywhere tcp dpt:https to:172.18.0.3:443
DNAT tcp -- anywhere anywhere tcp dpt:2200 to:172.18.0.3:2200
DNAT tcp -- anywhere anywhere tcp dpt:2201 to:172.18.0.3:2201
DNAT tcp -- anywhere anywhere tcp dpt:2202 to:172.18.0.3:2202
DNAT tcp -- anywhere anywhere tcp dpt:2203 to:172.18.0.3:2203
DNAT tcp -- anywhere anywhere tcp dpt:2204 to:172.18.0.3:2204
DNAT tcp -- anywhere anywhere tcp dpt:2205 to:172.18.0.3:2205
DNAT tcp -- anywhere anywhere tcp dpt:18000 to:172.19.0.2:80

I am trying to connect with ssh and my external port is 2232 that should map with actual port 22 inside the VM
 
sankarthota said:
I am trying to connect with ssh and my external port is 2232 that should map with actual port 22 inside the VM
Click to expand...
Do you mean 2222? Or do you mean 2232?

You have DNAT rules for 10.1.5.2 that occur before the DNAT rule for 10.1.1.2 - so the DNAT rule for 10.1.1.2 never triggers. Everything gets forwarded to 10.1.5.2 instead. You need to remove the rules for 10.1.5.2. Generally, it looks like you have many duplicate rules due to creating them several times, it might make sense to clean them up.

sankarthota said:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:2222 to:10.1.5.2:2222
DNAT tcp -- anywhere anywhere tcp dpt:2222 to:10.1.5.2:2222
DNAT tcp -- anywhere anywhere tcp dpt:2222 to:10.1.5.2:2222
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
DNAT tcp -- anywhere anywhere tcp dpt:2222 to:10.1.1.2:22
DNAT tcp -- anywhere anywhere tcp dpt:2222 to:10.1.1.2:22
DNAT udp -- anywhere anywhere udp dpt:2222 to:10.1.1.2:22
Click to expand...



It also looks like you have Docker installed on the host, which we strongly discourage
 
Got it... Let me clear the rules and update new rules..

It is helpful if you share me how to remove those rules...

Thanks
 
You can list the ids of the rules like so:
Code: 
iptables -t nat -L --line-numbers

Then delete the rule with the id:
Code: 
iptables -t nat -D PREROUTING <id>
 
HI Thank you,

Please find the updated rules,

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
DNAT tcp -- anywhere anywhere tcp dpt:2232 to:10.1.1.2:22
DNAT udp -- anywhere anywhere udp dpt:2232 to:10.1.1.2:22

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere !127.0.0.0/8 ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 anywhere
MASQUERADE all -- 172.19.0.0/16 anywhere
MASQUERADE all -- 172.18.0.0/16 anywhere
MASQUERADE all -- 10.1.1.0/24 anywhere
MASQUERADE tcp -- anywhere 10.1.5.2 tcp dpt:2222
MASQUERADE tcp -- anywhere 10.1.5.2 tcp dpt:2222
MASQUERADE tcp -- anywhere 10.1.5.2 tcp dpt:2222
MASQUERADE all -- 10.1.1.0/24 anywhere
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:http
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:81
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:300
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:301
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:302
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:303
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:304
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:305
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:306
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:307
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:308
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:309
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:310
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:https
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:2200
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:2201
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:2202
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:2203
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:2204
MASQUERADE tcp -- 172.18.0.3 172.18.0.3 tcp dpt:2205
MASQUERADE tcp -- 172.19.0.2 172.19.0.2 tcp dpt:http

Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
DNAT tcp -- anywhere anywhere tcp dpt:http to:172.18.0.3:80
DNAT tcp -- anywhere anywhere tcp dpt:81 to:172.18.0.3:81
DNAT tcp -- anywhere anywhere tcp dpt:300 to:172.18.0.3:300
DNAT tcp -- anywhere anywhere tcp dpt:301 to:172.18.0.3:301
DNAT tcp -- anywhere anywhere tcp dpt:302 to:172.18.0.3:302
DNAT tcp -- anywhere anywhere tcp dpt:303 to:172.18.0.3:303
DNAT tcp -- anywhere anywhere tcp dpt:304 to:172.18.0.3:304
DNAT tcp -- anywhere anywhere tcp dpt:305 to:172.18.0.3:305
DNAT tcp -- anywhere anywhere tcp dpt:306 to:172.18.0.3:306
DNAT tcp -- anywhere anywhere tcp dpt:307 to:172.18.0.3:307
DNAT tcp -- anywhere anywhere tcp dpt:308 to:172.18.0.3:308
DNAT tcp -- anywhere anywhere tcp dpt:309 to:172.18.0.3:309
DNAT tcp -- anywhere anywhere tcp dpt:310 to:172.18.0.3:310
DNAT tcp -- anywhere anywhere tcp dpt:https to:172.18.0.3:443
DNAT tcp -- anywhere anywhere tcp dpt:2200 to:172.18.0.3:2200
DNAT tcp -- anywhere anywhere tcp dpt:2201 to:172.18.0.3:2201
DNAT tcp -- anywhere anywhere tcp dpt:2202 to:172.18.0.3:2202
DNAT tcp -- anywhere anywhere tcp dpt:2203 to:172.18.0.3:2203
DNAT tcp -- anywhere anywhere tcp dpt:2204 to:172.18.0.3:2204
DNAT tcp -- anywhere anywhere tcp dpt:2205 to:172.18.0.3:2205
DNAT tcp -- anywhere anywhere tcp dpt:18000 to:172.19.0.2:80

still not able to ssh to VM,

I am trying like this ssh root@mainhost -p 2232
and I tried with vm IP also from my local system

Thanks
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom