
Virtual interface NAT iptables


I created a virtual interface such as ~

auto vmbr0:0
iface vmbr0:0 inet static

Then the outbound rule ~

iptables -t nat -A POSTROUTING -s -o vmbr0 -j MASQUERADE

Set the initial VM with appropriate static address etc.


Here seems to be the issue, what might be incorrect within the iptables NAT?

iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m tcp --dport 22 -j DNAT --to-destination

Also defined :80 as well. So https can be accessed. However yum gives the pycurl error, explaining to me a network misconfiguration. I understand 443 should be open, this is not the first time I've done this without opening :443.


Saved iptables with ~

iptables-save > /etc/nat-vmbr0-2.rules

And added ~

pre-up iptables-restore < /etc/nat-vmbr0-2.rules

to vmbr0 interface.


Has to be one thing I'm overlooking - extra set of eyes anyone?

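The NAT setup described in the post above, as an added audit script that is not part of the original thread: it reads a saved rule set (the kind `iptables-save` writes) together with the `ip_forward` sysctl value and reports the prerequisites outbound NAT needs (forwarding enabled, a MASQUERADE/SNAT rule in POSTROUTING, a FORWARD chain that does not silently drop everything). The sample dump, the 10.0.0.0/24 subnet and the container address 10.0.0.10 are constructed assumptions, not values from the thread.

```shell
#!/bin/sh
# Constructed sample of an iptables-save dump shaped like the thread's rules.
# Assumptions: 10.0.0.0/24 is the vmbr0:0 subnet, 10.0.0.10 the container.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.0.0.10:22
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.10:80
-A POSTROUTING -s 10.0.0.0/24 -o vmbr0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# has_rule RULES PATTERN: true if any line of the dump matches the ERE PATTERN
has_rule() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

# audit_nat_rules RULES IP_FORWARD
# Prints one line per finding and returns the number of findings (0 = clean).
audit_nat_rules() {
    rules=$1; ip_forward=$2; n=0
    if [ "$ip_forward" != 1 ]; then
        echo "net.ipv4.ip_forward=$ip_forward: kernel will not forward the container's packets"
        n=$((n + 1))
    fi
    if ! has_rule "$rules" '^-A POSTROUTING .*-j (MASQUERADE|SNAT)'; then
        echo "nat POSTROUTING has no MASQUERADE/SNAT rule: replies to outbound connections cannot return"
        n=$((n + 1))
    fi
    if has_rule "$rules" '^:FORWARD DROP' && ! has_rule "$rules" '^-A FORWARD .*-j ACCEPT'; then
        echo "filter FORWARD policy is DROP and no rule accepts anything: NATed traffic is dropped"
        n=$((n + 1))
    fi
    # Advisory only (not counted): ping succeeding while TCP transfers stall is a
    # classic path-MTU symptom, which an MSS clamp in the FORWARD path addresses.
    if ! has_rule "$rules" 'TCPMSS'; then
        echo "advisory: no TCPMSS rule; if ping works but wget/curl stall, check MTU/MSS clamping"
    fi
    return "$n"
}

# Stand-alone run against the constructed sample with forwarding disabled.
audit_nat_rules "$SAMPLE_RULES" 0
```

Feed it the real file (`audit_nat_rules "$(cat /etc/nat-vmbr0-2.rules)" "$(cat /proc/sys/net/ipv4/ip_forward)"`) to audit a live host.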

After fiddling around testing ports and making minor changes I'm stumped. I scratched everything and rewrote all rules and interfaces. 


Opened :443 :80 :22 -- nmap shows them open, I can telnet to each, access ssh, httpd, https, ping any connection IP or domain based internally and externally, apache + mysql are all accessible externally, this is an openvz container with no iptables set just on the host, fail2ban is running on the host specifically to protect one port on the host, the hostname is a proper FQDN, locales are set properly, time/date is set UTC/localtime, nothing wget works, nothing curl, scp, rsync, no transfer of data to or fro in any sense via command line. Logs show nothing but the same errors.


This has to be much more simple than the way I am looking at it. 


I've completely reconfigured the virtual interface using a different subnet. Grabbed a new OVZ template different OS. Same exact outcome. 


I do not think this is in my configuration, this must be something stuck in the kernel referencing a prior interface setting. 


/diary of a network madman for the day

2 weeks later...

I've not visited this since my last post. Other items to tangle.


Reasoning truly is this node is configured as a gateway to three others with 7 CTs between them so it's become rather complex. Not to mention the firewall appliance rules / NATs are just ridiculous. Little late for that switch, but it's gotta happen. VLANs are a must. Which I cannot implement at this point. Although openvswitch is now implemented within proxmox 3.2, just not ready to take that plunge just yet. A couple of dot releases to go first.


At that point I'll likely migrate everything and start anew. 
