Reputation: 229
Can't connect to external IP from local network behind iptables NAT
We have Proxmox vitual environmenet witch couple of virtual machines. Host server have multiple external IP adresses. We use iptables to forward connections to certain external IP+port to selected virtual machine. And we use NAT for outgoing connections from VMs.
So far everything works. Problem occurs when VMs try to connect to host external IP it's not working.
As far as i understand what we need is hairpin NAT (NAT reflection). But we are not able to get it working by instructions we found.
Our iptables rules:
# === FIREWALL ===
*filter
:INPUT ACCEPT [3174:1555907]
:FORWARD ACCEPT [2521:547542]
:OUTPUT ACCEPT [2753:2039466]
:fail2ban-ssh - [0:0]
# allow returnig packets
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# drop all other
-A INPUT -p tcp -d 1.2.3.4/32 -j DROP
COMMIT
# === NAT ===
*nat
:PREROUTING ACCEPT [140854:7345476]
:POSTROUTING ACCEPT [2635:170444]
:OUTPUT ACCEPT [25596:1617170]
# INCOMING
-A PREROUTING -d 1.2.3.4/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.60.10:80
-A PREROUTING -d 1.2.3.4/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.60.10:443
-A PREROUTING -d 1.2.3.4/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.60.20:80
# OUTGOING
-A POSTROUTING -d 10.0.60.10 -s 10.0.0.0/16 -p tcp --dport 80 -j SNAT --to 10.0.0.1
-A POSTROUTING -o vmbr0 -j SNAT --to-source 1.2.3.4
COMMIT
1.2.3.4 - external IP of host
10.0.60.10, 10.0.60.20 - internal IPs of VMs
10.0.0.1 - internal IP of host
Upvotes: 1
Views: 2826
Answers (2)
Reputation: 229
Solved it! I was typo on my side.
This is working solution for hairpin NAT:
# === FIREWALL ===
*filter
:INPUT ACCEPT [3174:1555907]
:FORWARD ACCEPT [2521:547542]
:OUTPUT ACCEPT [2753:2039466]
:fail2ban-ssh - [0:0]
# allow returnig packets
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# drop all other
-A INPUT -p tcp -d 1.2.3.4/32 -j DROP
COMMIT
# === NAT ===
*nat
:PREROUTING ACCEPT [140854:7345476]
:POSTROUTING ACCEPT [2635:170444]
:OUTPUT ACCEPT [25596:1617170]
# INCOMING
-A PREROUTING -d 1.2.3.4/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.60.10:80
-A PREROUTING -d 1.2.3.4/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.60.10:443
-A PREROUTING -d 1.2.3.4/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.60.20:80
# OUTGOING
-A POSTROUTING -s 10.0.0.0/16 -d 10.0.0.0/16 -p tcp -j SNAT --to-source 10.0.0.1
-A POSTROUTING -o vmbr0 -j SNAT --to-source 1.2.3.4
COMMIT
Upvotes: 1
Reputation: 3141
iptables -A POSTROUTING -t nat -s 10.0.0.0/16 -d 1.2.3.4 -j MASQUERADE
Upvotes: 0
Related Questions
- How to do local port forwarding with iptables
- NAT port forwarding not working, while ssh tunnel does
- iptables NAT - one public IP to multiple local IP (same port)
- iptables centOS port forwarding not working
- iptables forward and nat ruls
- connecting to a private ip
- Can't connect to linux server from outside
- Can access to my server from LAN but not from NAT
- IPTABLES: ping and wget work although they does not
- Unable to get to node.js externally