01-12-2019, 08:29 AM   #1
mike8610
Port forwarding from public IP to internal (Proxmox via vmbr0 & vmbr1).


Hi Guys,

My first post here. Hopefully I will learn a lot.

I have an issue.

I have a Proxmox with 1 public IP.

Public IP is connected to VMBR0.

I also have VMBR1, which is supposed to provide connectivity for all VMs (10.0.0.0/8).

Now I was trying to find a solution on the Proxmox forum, but ended up with HAProxy.

Unfortunately HAProxy doesn't support UDP (Galera Cluster), so I have to find a solution to redirect any port from public IP to any port on internal network.

Let's say:

vmbr0 - IP 99.99.99.99
vmbr1 - IP 10.0.254.1/8 (bridge to vmbr0)

VM is using eth0 that is 10.1.1.1/8

HAProxy redirects ports just fine, but I need a solution to redirect any type of packet.

HAProxy I want to use strictly to redirect traffic between servers using their public IP & specific port for specific application / service / api.




Here is my config

Code:
auto lo
iface lo inet loopback

iface enp1s0 inet manual

iface enp2s0 inet manual

auto vmbr0
iface vmbr0 inet static
    address 111.125.121.24/24
    gateway 111.125.121.24
    bridge-ports enp1s0
    bridge-stp off
    bridge-fd 0

auto vmbr1
iface vmbr1 inet static
    address 10.254.1.2
    netmask 255.0.0.0
    bridge-ports vmbr0
    bridge-stp off
    bridge-fd 0

    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/8' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/8' -o vmbr0 -j MASQUERADE
    post-up iptables -t nat -A PREROUTING -p tcp -d 111.125.121.24 --dport 4344 -i vmbr0 -j DNAT --to-destination 10.1.1.2:22
    post-down iptables -t nat -A POSTROUTING -p tcp -d 111.125.121.24 --dport 4344 -j SNAT --to-source 10.1.1.2
    # post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 6022 -j DNAT --to 10.1.1.2:22
    # post-down iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 6022 -j DNAT --to 10.1.1.2:22

Last edited by mike8610; 01-12-2019 at 08:57 AM.
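
Added example, not part of mike8610's post or of any reply: a POSIX shell generator that emits matching post-up/post-down DNAT lines for TCP and UDP, so every forwarded port is listed explicitly instead of forwarding everything. The interface name and public address are taken from the config above; the function names and the mapping table are constructed for illustration.

```shell
#!/bin/sh
# Added example: print paired ifupdown hook lines for per-port DNAT.
WAN_IF="vmbr0"             # bridge holding the public IP (from the post)
WAN_IP="111.125.121.24"    # public address used in the posted config

valid_port() {             # digits only, range 1-65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_rules PROTO PUBLIC_PORT INTERNAL_IP INTERNAL_PORT
forward_rules() {
    proto=$1; pub=$2; ip=$3; priv=$4
    case "$proto" in
        tcp|udp) ;;
        *) echo "bad proto: $proto" >&2; return 1 ;;
    esac
    valid_port "$pub" && valid_port "$priv" || { echo "bad port" >&2; return 1; }
    # Coarse check: refuse targets that do not start with "10." (the VM range).
    case "$ip" in
        10.*.*.*) ;;
        *) echo "target outside 10.0.0.0/8: $ip" >&2; return 1 ;;
    esac
    match="-i $WAN_IF -p $proto -d $WAN_IP --dport $pub -j DNAT --to-destination $ip:$priv"
    # One match string for -A and -D, so ifdown deletes exactly what ifup added.
    printf '    post-up   iptables -t nat -A PREROUTING %s\n' "$match"
    printf '    post-down iptables -t nat -D PREROUTING %s\n' "$match"
}

# Constructed mapping table: proto public-port internal-ip internal-port
MAPPINGS='tcp 4344 10.1.1.2 22
udp 4567 10.1.1.2 4567'

render_all() {
    echo "$MAPPINGS" | while read -r proto pub ip priv; do
        forward_rules "$proto" "$pub" "$ip" "$priv" || exit 1
    done
}

render_all
```

The output is meant to be pasted under the vmbr1 stanza. In the posted config the post-down line for port 4344 appends an SNAT rule rather than deleting the DNAT rule, so the forward stays active after ifdown; reusing one match string for both lines avoids that.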
 
01-30-2019, 09:45 AM   #2
TB0ne
Quote:
Originally Posted by Ruppert
On the client side, these rules can be configured through the configuration files and the settings will be raised immediately along with the network interface, as is usually the case.
Sample configuration files for centos 6.5
Code:
cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes
IPADDR=1.2.3.4
NETMASK=255.255.255.255
SCOPE="peer 192.168.0.1"

cat /etc/sysconfig/network-scripts/route-eth0
ADDRESS0=0.0.0.0
NETMASK0=0.0.0.0
GATEWAY0=192.168.0.1

...and none of this relates to port-forwarding, or addresses the OP's question. Because this.....

Quote:
How to set up a server through configs can be found here <SPAM LINK REMOVED>, but in general this is a lesser problem - one gateway is simple to control and elementary setup - just for each address (network of addresses) to call the command to send traffic to the internal network - this can be at least just a script to make and include in autoload.

...is nothing but a junk website, not offering ANY Linux information at all. Amazingly, the site is part of the "Amazon Affiliate" network, where YOU make money if someone is dumb enough to click a link. Reported as a spammer.

Last edited by TB0ne; 01-30-2019 at 10:41 AM.