Re: [PVE-User] NAT Problems with PVE Firewall
Hello,

It does not bypass the rules, but you have to keep in mind that "ip_forward" may be dangerous.

Regards,

Elias Werberich

On 22.06.2017 at 10:04, Yannick Palanque wrote:
> Hello,
>
> On my server, it doesn't bypass the rules.
> But you should test yourself and tell the list if it works or not.
>
> Regards,
>
> Yannick
>
> On 2017-06-21 23:12, Elias Werberich wrote:
>> Hello,
>>
>> thank you, it works.
>> But it will not bypass any firewall rules?
>>
>> Regards,
>>
>> Elias Werberich
>>
>> On 21.06.2017 at 21:12, Yannick Palanque wrote:
>>> On 2017-06-21 18:26, Elias Werberich wrote:
>>>> Using SNAT instead of MASQUERADE does not solve the problem.
>>>> In a pve-devel thread [2] I read that the following rules should help,
>>>> but it does not work either.
>>>>
>>>> post-up iptables -t raw -A PREROUTING -s '10.0.0.0/24' -i vmbr12 -j CT --zone 1
>>>> post-up iptables -t raw -A PREROUTING -d '10.0.0.0/24' -i vmbr12 -j CT --zone 1
>>>
>>> Hello,
>>>
>>> I use
>>> post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
>>> and I have no problem with NAT and FW.
>>>
>>> Regards,
>>>
>>> Yannick Palanque
>>
>> ___
>> pve-user mailing list
>> pve-user@pve.proxmox.com
>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
Re: [PVE-User] NAT Problems with PVE Firewall
Hello,

thank you, it works.
But it will not bypass any firewall rules?

Regards,

Elias Werberich

On 21.06.2017 at 21:12, Yannick Palanque wrote:
> On 2017-06-21 18:26, Elias Werberich wrote:
>> Using SNAT instead of MASQUERADE does not solve the problem.
>> In a pve-devel thread [2] I read that the following rules should help,
>> but it does not work either.
>>
>> post-up iptables -t raw -A PREROUTING -s '10.0.0.0/24' -i vmbr12 -j CT --zone 1
>> post-up iptables -t raw -A PREROUTING -d '10.0.0.0/24' -i vmbr12 -j CT --zone 1
>
> Hello,
>
> I use
> post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
> and I have no problem with NAT and FW.
>
> Regards,
>
> Yannick Palanque
Re: [PVE-User] NAT Problems with PVE Firewall
On 2017-06-21 18:26, Elias Werberich wrote:
> Using SNAT instead of MASQUERADE does not solve the problem.
> In a pve-devel thread [2] I read that the following rules should help,
> but it does not work either.
>
> post-up iptables -t raw -A PREROUTING -s '10.0.0.0/24' -i vmbr12 -j CT --zone 1
> post-up iptables -t raw -A PREROUTING -d '10.0.0.0/24' -i vmbr12 -j CT --zone 1

Hello,

I use
post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
and I have no problem with NAT and FW.

Regards,

Yannick Palanque
[PVE-User] NAT Problems with PVE Firewall
Dear Proxmox Group,

I am currently trying to configure a simple NAT with PVE Firewall enabled.
As long as I do not enable the firewall on the VM network interface, the wiki solution [1] works perfectly.
PVE Firewall is enabled on datacenter and node level.

--- BEGIN: /etc/network/interfaces (PVE) ---
auto lo
iface lo inet loopback

allow-hotplug eth0
auto eth0
iface eth0 inet static
        address xxx.yyy.zzz.aaa
        netmask 255.255.255.255
        gateway xxx.yyy.zzz.bbb
        pointopoint xxx.yyy.zzz.bbb

auto vmbr12
iface vmbr12 inet static
        address 10.0.0.1
        netmask 255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o eth0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o eth0 -j MASQUERADE
--- END: /etc/network/interfaces (PVE) ---

--- BEGIN: /etc/network/interfaces (VM) ---
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 10.0.0.100
        netmask 255.255.255.0
        gateway 10.0.0.1
--- END: /etc/network/interfaces (VM) ---

It seems that POSTROUTING is called too early, so internal addresses are not translated.
Using SNAT instead of MASQUERADE does not solve the problem.
In a pve-devel thread [2] I read that the following rules should help, but it does not work either.

post-up iptables -t raw -A PREROUTING -s '10.0.0.0/24' -i vmbr12 -j CT --zone 1
post-up iptables -t raw -A PREROUTING -d '10.0.0.0/24' -i vmbr12 -j CT --zone 1

Using NAT "and" PVE Firewall is not an unusual scenario.
It looks like some kind of "pvefw bug".

Yours sincerely,

Elias Werberich

[1]: https://pve.proxmox.com/wiki/Network_Model#Masquerading_.28NAT.29_with_iptables
[2]: https://pve.proxmox.com/pipermail/pve-devel/2014-March/010406.html
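The raw-table conntrack-zone rule from Yannick's reply and the MASQUERADE rule from the original post, combined into one idempotent up/down script as an added example (not code from the thread or from Proxmox). The subnet and interface names are the ones in the original post's configuration; the IPTABLES override and the ensure_rule/remove_rule/nat_up/nat_down helper names are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: idempotent post-up/post-down helper for
# the rules discussed above. Subnet and interface values come from the original
# post; the IPTABLES override and the helper names are assumptions.
IPTABLES="${IPTABLES:-iptables}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"   # VM subnet behind vmbr12
WAN_IF="${WAN_IF:-eth0}"            # public interface that masquerades

# ensure_rule TABLE CHAIN RULE...: append the rule only if an identical one is
# absent. A plain "post-up iptables -A" adds one more copy every time the
# interface comes up, which makes a later "post-down -D" cleanup unreliable.
ensure_rule() {
  table=$1; chain=$2; shift 2
  if "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
    return 0
  fi
  "$IPTABLES" -t "$table" -A "$chain" "$@"
}

# remove_rule TABLE CHAIN RULE...: delete every copy of the rule.
remove_rule() {
  table=$1; chain=$2; shift 2
  while "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; do
    "$IPTABLES" -t "$table" -D "$chain" "$@" || return 1
  done
}

nat_up() {
  # Track connections entering through the pve-firewall bridges (fwbr+) in
  # conntrack zone 1, separate from the default zone used on the routed path,
  # so the MASQUERADE decision in POSTROUTING is still evaluated there.
  ensure_rule raw PREROUTING -i 'fwbr+' -j CT --zone 1
  # Source-NAT the VM subnet on its way out of the public interface.
  ensure_rule nat POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

nat_down() {
  remove_rule nat POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
  remove_rule raw PREROUTING -i 'fwbr+' -j CT --zone 1
}

# Call as "nat-rules.sh up" from post-up and "nat-rules.sh down" from post-down.
case "${1:-}" in
  up)   nat_up ;;
  down) nat_down ;;
esac
```

Running nat_up twice leaves exactly one copy of each rule, and nat_down removes both again, which is the property the original post-up/post-down pair lacks.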