[SOLVED] VM or CT cannot resolve or ping dns

[didier91]

Hi everyone I am trying test Proxmox and i have some troubles
My VM or CT cannot ping google.fr or 8.8.8.8.
My conf of CT
resolv.conf :

nameserver 192.168.0.100
nameserver 8.8.8.8

interfaces

auto eth0
iface eth0 inet static
        address 172.16.2.2
        netmask 255.255.255.0
        gateway 172.16.2.1

On proxmox my set up

auto lo
iface lo inet loopback

iface enp0s25 inet manual

auto vmbr0
iface vmbr0 inet static
        address  192.168.0.100
        netmask  255.255.255.0
        gateway  192.168.0.1
        bridge-ports enp0s25
        bridge-stp off
        bridge-fd 0

auto vmbr4
iface vmbr4 inet static
        address  172.16.2.1
        netmask  255.255.255.0
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        post-up iptables -t nat -A POSTROUTING -s '172.16.2.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '172.16.2.0/24' -o vmbr0 -j MASQUERADE

resolv.conf
8.8.8.8

Rules iptables

#Flush
iptables -F
iptables -t nat -F
iptables -X

#police par defaut
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP


iptables -I INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT

#ICMP
iptables -A INPUT -i vmbr0 -p icmp -j ACCEPT
iptables -A OUTPUT -o vmbr0 -p icmp -j ACCEPT

#ssh
iptables -A INPUT -i vmbr0 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o vmbr0 -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT

#update
iptables -A OUTPUT -o vmbr0 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i vmbr0 -p tcp --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT

# dns
iptables -A OUTPUT -o vmbr0 -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o vmbr0 -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i vmbr0 -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i vmbr0 -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

# proxmox panel
iptables -A INPUT -i vmbr0 -p tcp --dport 8006 -j ACCEPT
iptables -A OUTPUT -o vmbr0 -p tcp --sport 8006 -m state --state ESTABLISHED,RELATED -j ACCEPT

route

default via 192.168.0.1 dev vmbr0 onlink
172.16.2.0/24 dev vmbr4 proto kernel scope link src 172.16.2.1
192.168.0.0/24 dev vmbr0 proto kernel scope link src 192.168.0.100

So i try to allow trafic DNS
iptables -A INPUT -i vmbr4 -p tcp -s 172.16.2.0/24 --dport 53 -j ACCEPT
iptables -A INPUT -i vmbr4 -p udp -s 172.16.2.0/24 --dport 53 -j ACCEPT
iptables -A OUTPUT -i vmbr4 -p udp --sport 53 --j ACCEPT
iptables -A OUTPUT -i vmbr4 -p tcp --sport 53 --j ACCEPT

But not works I didn't understand why i can't reach google or another ip public.
Normally with nat it should work
i can ping between CT and proxmox works
What i miss
I think my iptables not allow dns because when i flush all iptables rules it works but how can i allow my ct to communicate with internet with theses rules
Thanks for your return

 

[mira]

You'll have to add the rules to the FORWARD chain as well.

 

[didier91]

Thanks it works when FORWARD rules is correctly set up

 

[fdaforno]

Thanks it works when FORWARD rules is correctly set up

@didier91 could you share your configuration? i've the same issue thanks

 

[erivandosena]

Thanks it works when FORWARD rules is correctly set up

Could you share your configuration? i've the same issue thanks