[pve-devel] Firewalled and masqueraded containers
Andreas Steinel
a.steinel at gmail.com
Fri Dec 2 14:05:19 CET 2016
Hi everyone,
I do not know if this is a real bug or simply a non-documented behaviour,
but if I set up a masqueraded, private bridge (e.g. with
https://pve.proxmox.com/wiki/Network_Model#Masquerading_.28NAT.29_with_iptables)
everything works as long as I do not enable firewalling for the containers.
If I do, I cannot access the non-private network anymore (only outgoing
traffic). I also looked at the outgoing packets with tcpdump and the
natting is not working anymore. Private network address is not replaced in
the outgoing packets.
Searching in the forums I found out that there is a raw table and it works
afterwards:

    iptables -t raw -A PREROUTING -i fwbr<VMID>i0 -j CT --zone 1

So the question is now, is this expected behaviour and one should set this
manually or is this a bug that it is not set automatically?
Best,
LnxBil