[pve-devel] pvefw: masquerade problems and conntrack zones

Alexandre DERUMIER aderumier at odiso.com
Mon Mar 10 18:14:07 CET 2014


>>We need physdev match to filter traffic from VMs?
Sorry, I meant the output interface instead of physdev.

>>iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
replace it with

iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -j SNAT --to X.X.X.X (IP of the bridge)


What do the netfilter logs look like with masquerade, with the IP on vmbr0 and without veth?

MASQTEST: IN= OUT=??? PHYSIN=tap116i0 PHYSOUT=???? SRC=10.10.10.3 DST=8.8.8.8



I'm a bit lost for now; I'll try to create a test lab tomorrow to see how things work.



----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Monday 10 March 2014 17:01:55
Subject: RE: [pve-devel] pvefw: masquerade problems and conntrack zones

> >>That behaves quite the same.
>
> Maybe, without veth ? (using bridge ip directly?).
> So we don't need to have physdev match.

We need physdev match to filter traffic from VMs?
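As an added example (not code from this thread, from pvefw or from Proxmox), here is a small Python parser for netfilter LOG lines of the kind shown in the MASQTEST line above, together with a check of which of the two POSTROUTING rules discussed (MASQUERADE with -o vmbr0, or SNAT without -o) could match a logged packet. The three log lines are constructed for the example; what OUT and PHYSOUT really contain in the setup being tested is exactly the open question in the message, so the sample covers both the "OUT filled in" and the "OUT empty" cases.

```python
"""Parse netfilter LOG output (KEY=VALUE lines such as the MASQTEST line in
the thread) and check which nat POSTROUTING rule variant could match the
logged packet.  The sample log lines below are constructed for this example,
not captured from a real host."""
import ipaddress

SAMPLE_LOG = [
    # constructed: bridged VM packet leaving via vmbr0, OUT filled in
    "MASQTEST: IN= OUT=vmbr0 PHYSIN=tap116i0 PHYSOUT= SRC=10.10.10.3 DST=8.8.8.8 LEN=84 PROTO=ICMP",
    # constructed: same packet, but no output interface recorded
    "MASQTEST: IN= OUT= PHYSIN=tap116i0 PHYSOUT= SRC=10.10.10.3 DST=8.8.8.8 LEN=84 PROTO=ICMP",
    # constructed: source outside the VM subnet, must be NATed by neither rule
    "MASQTEST: IN= OUT=vmbr0 PHYSIN=tap116i0 PHYSOUT= SRC=192.168.1.5 DST=8.8.8.8 LEN=84 PROTO=ICMP",
]


def parse_nf_log(line):
    """Turn one netfilter LOG line into a dict of KEY -> value.

    Fields are whitespace-separated KEY=VALUE tokens; a key with no value
    (e.g. 'OUT=' or 'PHYSOUT=') maps to ''.  Anything before the first field,
    typically the --log-prefix ('MASQTEST:'), is kept under 'PREFIX'.
    """
    fields = {}
    prefix = []
    for tok in line.split():
        key, sep, val = tok.partition("=")
        if sep and key.isupper():
            fields[key] = val
        elif not fields:          # still reading the prefix
            prefix.append(tok)
    fields["PREFIX"] = " ".join(prefix)
    return fields


def is_bridged(fields):
    """True when the packet was seen on a bridge port.  PHYSIN/PHYSOUT are only
    filled in when bridge netfilter is active, which is also what the iptables
    physdev match depends on."""
    return bool(fields.get("PHYSIN") or fields.get("PHYSOUT"))


def postrouting_match(fields, src_net, out_if):
    """Which of the two rules from the thread could match this packet?

      masquerade: -s src_net -o out_if -j MASQUERADE   (needs OUT == out_if)
      snat:       -s src_net -j SNAT --to <bridge ip>  (needs only SRC in net)

    Returns {'masquerade': bool, 'snat': bool}.  A missing or malformed SRC
    field matches neither rule.
    """
    try:
        src_ok = ipaddress.ip_address(fields.get("SRC", "")) in ipaddress.ip_network(src_net)
    except ValueError:
        src_ok = False
    return {
        "masquerade": src_ok and fields.get("OUT") == out_if,
        "snat": src_ok,
    }


def diagnose(lines, src_net="10.10.10.0/24", out_if="vmbr0"):
    """Summarise each log line as (SRC, DST, bridged?, explanation)."""
    report = []
    for line in lines:
        f = parse_nf_log(line)
        m = postrouting_match(f, src_net, out_if)
        if m["masquerade"]:
            why = "OUT=%s set, MASQUERADE -o %s would match" % (f.get("OUT"), out_if)
        elif m["snat"]:
            why = "OUT=%r, only the SNAT rule without -o can match" % f.get("OUT", "")
        else:
            why = "SRC %s outside %s, neither rule applies" % (f.get("SRC"), src_net)
        report.append((f.get("SRC"), f.get("DST"), is_bridged(f), why))
    return report


if __name__ == "__main__":
    for src, dst, bridged, why in diagnose(SAMPLE_LOG):
        print("%s -> %s bridged=%s: %s" % (src, dst, bridged, why))
```

Feed it the real MASQTEST line from the test lab (for example `diagnose([open("/var/log/kern.log").read().splitlines()[-1]])`) to see directly whether the `-o vmbr0` rule could ever have matched: an empty OUT explains why the MASQUERADE rule with `-o` misses while the SNAT rule without `-o` does not.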


