Score:1

Proxmox port forwarding to Container behind NAT


We have recently bought a server from the Hetzner server auction and want to migrate our previous root server. Previously we used only Windows Server, but now we want to set it up a bit more modularly with Proxmox.

We have a single public IP address, so we chose to use NAT with a 10.0.0.0/24 internal subnet.

The containers can access the internet, so this works fine.

But we can't connect to servers which run inside the containers over custom ports.

How can I properly forward the ports? We tried the routing and port forwarding as listed below. Something went wrong: the ports aren't open, as shown by port scans. There is currently only a firewall on the Proxmox host; the server host firewall is disabled, so I don't know why traffic should be blocked.

This is the current setup of the Proxmox network interfaces:

auto lo
iface lo inet loopback

iface lo inet6 loopback

auto eno1
iface eno1 inet static
        address public.ipv4/26
        gateway public.gateway
        up route add -net public.ipv4 netmask 255.255.255.192 gw public.ipv4 dev eno1
# route public.ipv4.range.start/26 via public.ipv4.range.start+1

iface eno1 inet6 static
        address public.ipv6/128
        gateway fe80::1

auto vmbr0
iface vmbr0 inet static
        address 10.0.0.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up echo 1 > /proc/sys/net/ipv4/conf/eno1/proxy_arp
        post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o eno1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o eno1 -j MASQUERADE
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 28967 -j DNAT --to 10.0.0.4:28967
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p udp --dport 28967 -j DNAT --to 10.0.0.4:28967
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 28967 -j DNAT --to 10.0.0.4:28967
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p udp --dport 28967 -j DNAT --to 10.0.0.4:28967

iface vmbr0 inet6 static
        address public.ipv6+1/64

iptables -L -t nat:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  anywhere             anywhere             tcp dpt:28967 to:10.0.0.4:28967
DNAT       udp  --  anywhere             anywhere             udp dpt:28967 to:10.0.0.4:28967

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  10.0.0.0/24          anywhere   

The eno1 interface was autogenerated by their installation script. We added the bridge and the NAT etc.

Client config:

auto lo
iface lo inet loopback
iface lo inet6 loopback

auto eth0
iface eth0 inet static
        address 10.0.0.4/24
        gateway 10.0.0.1
        pointtopoint public.ipv4

The client container currently has no firewall.

We are relatively inexperienced with networking inside a KVM host, so any help is greatly appreciated!

djdomi: Hi, remember that for Hetzner specifically you need proxy ARP, because they disallow multiple MACs. But also please be more specific about what the business-related question and issue are here. For a web server it only requires e.g. nginx on the host to reverse proxy it. If you want to use a public IP on a container or guest, you need to route it.
Raphael: Hey, I want that when I access public.ip:25565, the traffic is forwarded to the container port 10.0.0.4:25565. The Minecraft server is just a placeholder for testing. How can I achieve that? What do I need to change?
djdomi: You're looking for DNAT, but your question is off-topic, because only business-related questions in a business environment are on topic.
Raphael: Which site should I go to instead?
djdomi: [su] is for enthusiast administration; you can do this easily by flagging your question to be moved to superuser.com.
Raphael: I flagged it. You said to use DNAT, but isn't that what I did above?
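The PREROUTING rules in the question match `-i vmbr0`, but a connection from the internet to public.ipv4:28967 enters the host on eno1, so those DNAT rules never see it and a port scan reports the port closed (they also cover only 28967, so a test against 25565 needs its own pair). The script below is an added example, not part of the question or the comments: it prints the rules with the ingress interface corrected plus a FORWARD allow limited to that flow, and audits an `iptables -S -t nat` dump for the same mistake, using eno1, vmbr0 and 10.0.0.4 from the question.

```shell
#!/bin/sh
# Added example (not from the question or Proxmox): print the iptables rules that
# expose one public port of a NAT'd container, and audit a nat-table dump for DNAT
# rules bound to the wrong ingress interface. eno1 (Hetzner uplink), vmbr0 (bridge)
# and 10.0.0.4 (container) follow the question. Rules are printed, never applied.

# Print the DNAT and FORWARD rules for one port. Packets from the internet enter on
# the uplink, so PREROUTING must match -i "$wan"; a rule on -i vmbr0 only sees
# traffic that already came from the bridge and never matches inbound connections.
dnat_rules() {
    wan=$1 lan=$2 dst=$3 port=$4
    for proto in tcp udp; do
        printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$wan" "$proto" "$port" "$dst" "$port"
        # Permit only the translated flow through FORWARD instead of an open policy.
        printf 'iptables -A FORWARD -i %s -o %s -p %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$wan" "$lan" "$proto" "$dst" "$port"
    done
}

# Audit an `iptables -S -t nat` dump read from stdin: report each DNAT rule whose
# explicit ingress interface is not the uplink. Returns 1 if any such rule exists.
audit_dnat() {
    wan=$1 bad=0
    while IFS= read -r rule; do
        case $rule in *"-j DNAT"*) ;; *) continue ;; esac
        iface=$(printf '%s\n' "$rule" | sed -n 's/.* -i \([^ ]*\).*/\1/p')
        if [ -n "$iface" ] && [ "$iface" != "$wan" ]; then
            echo "misbound DNAT (ingress $iface, expected $wan): $rule"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample: what `iptables -S -t nat` prints for the rules in the question.
SAMPLE_DUMP='-P PREROUTING ACCEPT
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 28967 -j DNAT --to-destination 10.0.0.4:28967
-A PREROUTING -i vmbr0 -p udp -m udp --dport 28967 -j DNAT --to-destination 10.0.0.4:28967
-A POSTROUTING -s 10.0.0.0/24 -o eno1 -j MASQUERADE'

main() {
    echo '# audit of the currently loaded nat rules:'
    printf '%s\n' "$SAMPLE_DUMP" | audit_dnat eno1 || echo '# -> fix the ingress interface'
    echo '# rules to load on the Proxmox host (e.g. as post-up lines for vmbr0):'
    echo 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    dnat_rules eno1 vmbr0 10.0.0.4 28967
}
main
```

When moving these into /etc/network/interfaces, add matching post-down `-D` lines as the question already does for its existing rules.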