mudmanc4 Posted March 9, 2014

I created a virtual interface such as:

auto vmbr0:0
iface vmbr0:0 inet static
    address 10.10.2.1
    netmask 255.255.255.0
    network 10.10.2.0
    broadcast 10.10.2.255

Then the outbound rule:

iptables -t nat -A POSTROUTING -s 10.10.2.0/24 -o vmbr0 -j MASQUERADE

Set the initial VM with appropriate static address etc.:

DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes
NETWORK=10.10.2.0
NETMASK=255.255.255.0
IPADDR=10.10.2.2
GATEWAY=10.10.2.1

Here seems to be the issue. What might be incorrect within the iptables NAT?

iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.10.2.2:22

Also defined :80 as well. So https can be accessed. However yum gives the pycurl error, explaining to me a network misconfiguration. I understand 443 should be open; this is not the first time I've done this without opening :443.

Saved iptables with:

iptables-save > /etc/nat-vmbr0-2.rules

And added:

pre-up iptables-restore < /etc/nat-vmbr0-2.rules

to the vmbr0 interface.

Has to be one thing I'm overlooking - extra set of eyes, anyone?
mudmanc4 Posted March 10, 2014 (Author)

After fiddling around testing ports and making minor changes I'm stumped. I scratched everything and rewrote all rules and interfaces.

Opened :443 :80 :22 -- nmap shows them open. I can telnet to each, access ssh, httpd, https, ping any connection IP or domain based internally and externally; apache + mysql are all accessible externally. This is an openvz container with no iptables set, just on the host. fail2ban is running on the host specifically to protect one port on the host. The hostname is a proper FQDN, locales are set properly, time/date is set UTC /localtime. Nothing wget works, nothing curl, scp, rsync, no transfer of data to or fro in any sense via command line. Logs show nothing but the same errors.

This has to be much more simple than the way I am looking at it. I've completely reconfigured the virtual interface using a different subnet. Grabbed a new OVZ template, different OS. Same exact outcome.

I do not think this is in my configuration; this must be something stuck in the kernel referencing a prior interface setting.

/diary of a network madman for the day
nanobot Posted March 14, 2014

Did you unblock the auto-assign ports? Or add the NAT lines?

iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT

If I recall they should be fairly high up the chain. (Obviously before the implicit block.)

Thanks,
EBrown
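For reference, here is the complete rule set the thread is circling around (the alias, MASQUERADE and DNAT from the first post plus the FORWARD accepts nanobot mentions), written as an added example rather than anything posted in the thread. It emits the commands as text so they can be reviewed before being piped to sh; the explicit FORWARD DROP policy at the end and the conntrack state matches are assumptions of this example, not settings from the thread.

```shell
#!/bin/sh
# Constructed example: host-side NAT for a container at 10.10.2.2 behind the
# 10.10.2.1/24 alias on vmbr0, with the public side also on vmbr0 (as in the
# thread). The FORWARD rules match on addresses rather than interfaces so the
# same set works whether the container side is a veth, venet or bridge alias.

LAN=10.10.2.0/24      # container subnet (from the thread)
CT=10.10.2.2          # container address (from the thread)
WAN_IF=vmbr0          # host interface facing the outside (from the thread)

# Print the rules in apply order. Order matters only inside a chain: the
# FORWARD accepts must precede any reject/drop rule, and the policy (checked
# after every rule) is set to DROP here so only the listed flows are forwarded.
nat_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $LAN -o $WAN_IF -j MASQUERADE
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 22 -j DNAT --to-destination $CT:22
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $CT:80
iptables -A FORWARD -d $CT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $LAN -o $WAN_IF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# Number of FORWARD accept rules emitted (outbound from the container is the
# one the original poster's symptoms suggest was missing).
forward_accepts() {
  nat_rules | grep -c '^iptables -A FORWARD .* -j ACCEPT'
}

# Usage on the host: nat_rules | sh ; then iptables-save > /etc/nat-vmbr0-2.rules
```

The second PREROUTING line covers the ":80" the poster mentions; the outbound FORWARD accept on the LAN source is what lets yum, wget and curl from inside the container open new connections, which DNAT alone never enables.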
mudmanc4 Posted March 23, 2014 (Author)

I've not visited this since my last post. Other items to tangle. Reasoning truly is this node is configured as a gateway to three others with 7 CTs between them, so it's become rather complex. Not to mention the firewall appliance rules / NATs are just ridiculous. Little late for that switch, but it's gotta happen. VLANs are a must. Which I cannot implement at this point. Although openvswitch is now implemented within proxmox 3.2, just not ready to take that plunge just yet. A couple of dot releases to go first. At that point I'll likely migrate everything and start anew.
sabrinabnola Posted October 22, 2017

I'd give a gajillion dollars to, even partially, understand what the heck y'all are talkin' about. ACK! I knew I should've taken a foreign language in school <grin>.