Proxmox - Port forward from Host to Guest (NAT), How?

dnwk Member

Could someone show me how to forward ports from the host to a KVM guest in NAT mode? I am running Proxmox and I only have 1 IP address.
Thanks

Comments

  • Falzo Member
    edited November 2016

    1. add a bridge with some private subnet to your /etc/network/interfaces like:

    # NAT bridge
    auto vmbr1
    iface vmbr1 inet static
            address  10.0.0.1
            netmask  255.255.255.0
            bridge_ports none
            bridge_stp off
            bridge_fd 0
    
            post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    
            post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o eth0 -j MASQUERADE
            post-down iptables -t nat -D POSTROUTING -s '10.0.0.1/24' -o eth0 -j MASQUERADE
    

    Instead of POSTROUTING to eth0 you might need to use vmbr0 if it exists; this depends on whether and how you set up default bridges at all...

    2a. add at least one rule to forward a port for use with ssh on those private IPs:

        post-up iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1022 -j DNAT --to 10.0.0.2:22
        post-down iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 1022 -j DNAT --to 10.0.0.2:22
    

    as you can see you can match different external and internal ports as you need.

    make sure not to use the external ports you need on the host itself - so better not forward port 22 itself if you are using it on the host node for ssh, and don't forward 8006 with proxmox etc. ;-)

    2b. you can also forward multiple ports with one rule:

        post-up iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 21,25,80,110,143,443,465,587,993,995 -j DNAT --to 10.0.0.2
        post-down iptables -t nat -D PREROUTING -i eth0 -p tcp -m multiport --dports 21,25,80,110,143,443,465,587,993,995 -j DNAT --to 10.0.0.2
    

    2c. you can also forward port ranges like this:

        post-up iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 20000:21000 -j DNAT --to 10.0.0.2
        post-down iptables -t nat -D PREROUTING -i eth0 -p tcp -m multiport --dports 20000:21000 -j DNAT --to 10.0.0.2
    

    3. in the proxmox panel create a guest VM and assign the bridge and the IP you chose in the rules above via the network settings, like 10.0.0.2/24, and use the internal IP of the bridge, like 10.0.0.1, as gateway...

    that's it. you could also add and remove forwarding rules like the above directly via the CLI; it's just an iptables command. having them in /etc/network/interfaces via post-up/post-down makes them permanent. instead one could probably use other things like persistent iptables and so on - feel free to adapt to your needs ;-)

  • One question, "post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o eth0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.0.0.1/24' -o eth0 -j MASQUERADE" Is it a typo? 10.0.0.0/24 in post-up but 10.0.0.1/24 in post-down

  • Falzo Member
    edited November 2016

    @dnwk said:
    One question, " post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o eth0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.0.0.1/24' -o eth0 -j MASQUERADE" Is it a typo? for 10.0.0.0/24 in post-up but 10.0.0.1/24 in post-down

    oh, sorry! yes, you are right, it's a typo in the post-down line. it has to be 10.0.0.0/24 like in post-up, as it simply deletes on network shutdown the rule which has been added on network start.

    (PS: can't edit my posting anymore)

  • If it's just a simple port forward and you are using NAT mode then see https://www.lowendtalk.com/discussion/79241/proxmox-nat-port-forward-for-kvm

  • jvnadr Member
    edited November 2016

    Following @Falzo 's rules will do the job. Just some additions:

    First of all, uncomment this line in /etc/sysctl.conf:
    net.ipv4.ip_forward=1

    He suggested using vmbr0 instead of eth0. I would say you should DEFINITELY follow this rule, adding a virtual interface to your host node using proxmox. So, create a vmbr0 interface to use as the interface for your main IP and a vmbr1 for your NAT IPs.

    Follow @Falzo 's guide for port forwarding to the same ports (25 to 25 etc.) or for mass forwarding a range of ports. (Don't forget to restart the network.)

    And if you want to reverse proxy a domain to your NAT VPS, so you don't have to use a specific port in the address, install nginx on your host node and use this configuration in your nginx domain config file (create a file such as mydomain.net.conf in /etc/nginx/conf.d/):

    server {
      listen 80;
      server_name mydomain.net *.mydomain.net;
    
      location / {
        proxy_pass              http://10.0.0.3;
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout   150;
        proxy_send_timeout      100;
        proxy_read_timeout      100;
        proxy_buffers           4 32k;
        client_max_body_size    8m;
        client_body_buffer_size 128k;
      }
    }
    

    (assuming that the NAT VPS you want to forward to has the address 10.0.0.3)

    P.S.:

    If you create or use vmbr0, then, don't forget to modify Falzo's rules like this:

        post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
    
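The whole procedure from Falzo's steps 1-3 together with jvnadr's vmbr0 and ip_forward additions, as an added example that is not code from either poster: a POSIX shell script that generates the vmbr1 stanza for /etc/network/interfaces, emitting every post-up/post-down pair from a single rule string so the two cannot drift apart (the 10.0.0.0/24 vs 10.0.0.1/24 slip caught above leaves a stale MASQUERADE rule behind on every ifdown), plus a check that flags any post-up iptables rule whose post-down twin is missing. Assumed names: vmbr0 as the public interface, vmbr1 with 10.0.0.0/24 as in the thread, one guest at 10.0.0.2 reachable for ssh on external port 1022. The FORWARD ACCEPT rules are an addition of this example, not from the thread: DNAT only rewrites the destination, and the packet is still dropped if the FORWARD chain does not accept it (e.g. a DROP policy).

```shell
#!/bin/sh
# Added example (not from the thread): build a NAT bridge stanza whose
# post-up/post-down rules are guaranteed symmetric, and verify a stanza.

# pair PREFIX RULE: print matching post-up (-A) and post-down (-D) lines
# from ONE rule string, so add and delete can never disagree.
pair() {
  printf '    post-up %s -A %s\n' "$1" "$2"
  printf '    post-down %s -D %s\n' "$1" "$2"
}

# gen_nat_stanza WAN BRIDGE GWADDR SUBNET FORWARD...
#   FORWARD is extport:guestip:guestport (e.g. 1022:10.0.0.2:22)
gen_nat_stanza() {
  wan=$1; br=$2; gw=$3; subnet=$4; shift 4
  printf '# NAT bridge (generated)\nauto %s\niface %s inet static\n' "$br" "$br"
  printf '    address %s\n    netmask 255.255.255.0\n' "$gw"
  printf '    bridge_ports none\n    bridge_stp off\n    bridge_fd 0\n'
  # ip_forward is host-wide; keep net.ipv4.ip_forward=1 in sysctl.conf too
  printf '    post-up sysctl -w net.ipv4.ip_forward=1\n'
  pair "iptables -t nat" "POSTROUTING -s $subnet -o $wan -j MASQUERADE"
  # return traffic for forwarded connections, needed if FORWARD policy is DROP
  pair "iptables" "FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
  for f in "$@"; do
    ext=${f%%:*}; rest=${f#*:}; ip=${rest%%:*}; port=${rest#*:}
    # DNAT rewrites the destination only; FORWARD must still accept the packet
    pair "iptables -t nat" "PREROUTING -i $wan -p tcp --dport $ext -j DNAT --to-destination $ip:$port"
    pair "iptables" "FORWARD -i $wan -o $br -d $ip -p tcp --dport $port -j ACCEPT"
  done
}

# check_pairs FILE: return 1 if any post-up iptables rule has no post-down
# twin (same rule with -A replaced by -D); such rules survive ifdown.
check_pairs() {
  bad=$(grep -- 'post-up .*iptables' "$1" |
    sed 's/^ *post-up //; s/ -A / -D /' |
    while IFS= read -r rule; do
      grep -qF -- "post-down $rule" "$1" || printf '%s\n' "$rule"
    done)
  if [ -n "$bad" ]; then
    printf 'unpaired post-up rule(s), no matching post-down:\n%s\n' "$bad" >&2
    return 1
  fi
  return 0
}

# Demo on a constructed file: a generated stanza passes the check, the
# thread's original mistyped pair (10.0.0.1/24 in post-down) is rejected.
demo=$(mktemp)
gen_nat_stanza vmbr0 vmbr1 10.0.0.1 10.0.0.0/24 1022:10.0.0.2:22 >"$demo"
cat "$demo"
check_pairs "$demo" && echo "generated stanza: every post-up has its post-down"
printf '%s\n' \
  "    post-up iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE" \
  "    post-down iptables -t nat -D POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE" >"$demo"
check_pairs "$demo" || echo "mistyped pair rejected as expected"
rm -f "$demo"
```

Append the generated stanza to /etc/network/interfaces (or run `check_pairs /etc/network/interfaces` on a hand-written one) before `ifup vmbr1`. Two things to keep in mind when testing: PREROUTING only sees packets arriving on vmbr0, so `ssh -p 1022 localhost` from the host node itself goes through the OUTPUT chain and will not reach the guest; test from outside. And, as Falzo says, pick external ports the host does not use itself (22 for the node's ssh, 8006 for the Proxmox GUI), since a DNAT on those would capture the host's own services.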