[PVE-User] Routing puzzle !

Tobias Limmer tobias.limmer at informatik.uni-erlangen.de
Thu Apr 15 18:50:00 CEST 2010


Hi Darquandier,

most probably your problem is the default route on CT101 - it should  
send the response packets via the VPN. To avoid this problem, you must  
perform source and destination NAT on CT0, so that source and  
destination IP of arriving packets are replaced. The corresponding  
commands would be:

iptables -t nat -A PREROUTING -d [public-ip-CT0] -p tcp --dport 2222 -j DNAT --to-destination 10.0.0.101:22
iptables -t nat -A POSTROUTING -d 10.0.0.101 -p tcp --dport 22 -j SNAT --to-source 10.0.0.1

Now all TCP connections to [public-ip-CT0] and port 2222 are forwarded  
to CT101. One drawback: during the process the original IP address is  
lost and CT101 always assumes that the connections originate from CT0.
This kind of setup is very tricky to get right, tcpdump helps a lot!

Btw: We've been using Proxmox for about a year now, and it works  
great! Thanks a lot to the developers!

bye,
Tobi


On 15.04.2010, at 17:32, Darquandier wrote:

> Hello everyone, count me in on the proxmox ve ship !
>
> Still, I'm having some troubles setting up port forwarding to a container,
> here is my story :
>
> I set up a proxmox server with a container inside having a bridged ethernet
> and its own public ip.
> Let's call the host server CT0 and the container CT101.
> CT0 has a vmbr0 interface with an internet public address (call it
> [public-ip-CT0]).
> CT101 has a bridged interface, called eth0, with its own public address
> ([public-ip-CT101]).
> CT101 connects to a VPN, and therefore [public-ip-CT101] becomes unreachable
> (logical).
> On CT0, I created an alias vmbr0:0 with ip 10.0.0.1
> On CT101, I created an alias eth0:0 with ip 10.0.0.101
> With or without the vpn, CT0 can now see CT101 and ssh through it, etc.
> using this 10.0.0.0 LAN.
> Now, I want to redirect some of the incoming traffic arriving on CT0 to
> CT101. Mainly an ssh port and some other network services, so that CT101
> remains fully operational even when connected to the VPN, and I cannot find
> the good iptables command to put on the CT0.
> The best I can do is forwarding the port, I see the packets arrive, but no
> answer...
> _______________________________________________
> pve-user mailing list
> pve-user at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
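The following Python simulation is an added illustration of the routing problem Tobi describes and of why the DNAT-plus-SNAT pair fixes it; it is not part of the original thread and runs no real iptables. The public addresses are constructed placeholders from the RFC 5737 documentation ranges standing in for [public-ip-CT0] and for a remote SSH client, and the CT101 routing table is an assumption (a connected 10.0.0.0/24 route on eth0:0 plus a default route into a VPN interface assumed to be called tun0), which is the situation the thread describes but never prints. The model applies the two nat-table rules to an inbound SYN, asks CT101's routing table where the reply would go, and reverses the translation at CT0, so it also makes the stated drawback visible: CT101 only ever sees 10.0.0.1 as the peer.

```python
import ipaddress

# Constructed placeholder addresses (RFC 5737 documentation ranges) standing in
# for the thread's [public-ip-CT0] and for some remote SSH client on the Internet.
PUBLIC_IP_CT0 = "203.0.113.10"
CLIENT_IP = "198.51.100.7"
LAN_CT0 = "10.0.0.1"       # vmbr0:0 on CT0, from the thread
LAN_CT101 = "10.0.0.101"   # eth0:0 on CT101, from the thread

# Assumed routing table of CT101 while the VPN is up: the private LAN is a
# connected route on eth0:0, everything else goes into the tunnel.
CT101_ROUTES = [
    ("10.0.0.0/24", "eth0:0"),
    ("0.0.0.0/0", "tun0"),   # "tun0" is an assumed name for the VPN interface
]


def route_lookup(routes, dst):
    """Longest-prefix match, as the kernel does for an outgoing packet."""
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net:
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_iface = net, iface
    return best_iface


def nat_inbound_on_ct0(pkt, with_snat):
    """Apply the two nat-table rules to one inbound SYN arriving on CT0.

    Returns (translated_packet, conntrack_entry). The conntrack entry is what
    lets the kernel undo both translations on the reply.
    """
    original = dict(pkt)
    out = dict(pkt)
    # -t nat -A PREROUTING -d [public-ip-CT0] -p tcp --dport 2222 -j DNAT --to-destination 10.0.0.101:22
    if out["dst"] == PUBLIC_IP_CT0 and out["proto"] == "tcp" and out["dport"] == 2222:
        out["dst"], out["dport"] = LAN_CT101, 22
    # -t nat -A POSTROUTING -d 10.0.0.101 -p tcp --dport 22 -j SNAT --to-source 10.0.0.1
    if with_snat and out["dst"] == LAN_CT101 and out["proto"] == "tcp" and out["dport"] == 22:
        out["src"] = LAN_CT0
    return out, {"original": original, "translated": out}


def ct101_reply_interface(translated):
    """CT101 answers to whatever source address it saw; route that reply."""
    return route_lookup(CT101_ROUTES, translated["src"])


def unnat_reply_on_ct0(reply, conntrack):
    """Reverse both translations for a reply that made it back to CT0."""
    orig, tr = conntrack["original"], conntrack["translated"]
    if reply["src"] == tr["dst"] and reply["sport"] == tr["dport"] \
            and reply["dst"] == tr["src"] and reply["dport"] == tr["sport"]:
        return {"proto": reply["proto"],
                "src": orig["dst"], "sport": orig["dport"],
                "dst": orig["src"], "dport": orig["sport"]}
    return None  # no matching connection: nothing to undo


def simulate(with_snat):
    """Run one SSH SYN from the client through CT0 and report where the reply ends up."""
    syn = {"proto": "tcp", "src": CLIENT_IP, "sport": 40000,
           "dst": PUBLIC_IP_CT0, "dport": 2222}
    translated, ct = nat_inbound_on_ct0(syn, with_snat)
    iface = ct101_reply_interface(translated)
    result = {
        "ct101_sees_source": translated["src"],
        "reply_interface": iface,
        "reply_reaches_ct0": iface == "eth0:0",
    }
    if result["reply_reaches_ct0"]:
        synack = {"proto": "tcp", "src": translated["dst"], "sport": translated["dport"],
                  "dst": translated["src"], "dport": translated["sport"]}
        result["client_receives_from"] = unnat_reply_on_ct0(synack, ct)
    return result


if __name__ == "__main__":
    for flag in (False, True):
        print("SNAT" if flag else "DNAT only", "->", simulate(flag))
```

Without the SNAT rule the SYN reaches CT101 with the client's real source address, the SYN/ACK is routed by CT101's default route into the tunnel and never returns through CT0, which matches "I see the packets arrive, but no answer". With SNAT the reply is addressed to 10.0.0.1, hits the connected route, and CT0's conntrack entry restores the public addresses for the client; the price is that CT101's logs and auth rules see every forwarded connection as coming from 10.0.0.1.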


