1

I have one host running Proxmox VE.

I set up 3 virtual bridges vmbr[0-2] to handle my networking needs: vmbr0 runs directly on the main interface for VMs with public IPs, vmbr1 allows for NATed VMs, and vmbr2 is a host-only network. Let's say my main public IP is 12.34.56.78.

For the NAT to work, I set up the following iptables ruleset:

-A PREROUTING -d 12.34.56.78 -i vmbr0 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 192.168.1.101
# and other rules like this one for different ports to different local IPs

-A POSTROUTING -s 192.168.10.0/24 -o vmbr0 -j SNAT --to-source 12.34.56.78

Now let's say I have a VM on vmbr1 with IP 192.168.1.102.

This machine cannot access the webserver at 192.168.1.101 using the public IP 12.34.56.78.

I initially thought that the POSTROUTING directive above was enough for hairpin NAT to work.

Having read the canonical Loopback to forwarded Public IP address from local network - Hairpin NAT and multiple other answers on the same variant, I tried :

  • setting -P [INPUT|FORWARD|OUTPUT] ACCEPT temporarily on the host to check if it could be caused by some filtering rules

  • adding -A POSTROUTING -d 192.168.1.101 -p tcp --dport 80 -j MASQUERADE to the ruleset, trying it both before and after the current POSTROUTING rule

but still, it does not work.

Ideas?

Thanks.

Community
  • 1
rapht
  • 13
  • 4
  • If you have an internal DNS server you can also create a zone for the internal webserver so that local clients resolve the host name to the private IP instead of the public IP so you don't need to use a hairpin NAT rule. – user5870571 Feb 15 '16 at 13:57
  • I know of this solution, but I would highly prefer the NAT one, which is supposed to work I think... – rapht Feb 15 '16 at 14:40
  • Possible duplicate of [Loopback to forwarded Public IP address from local network - Hairpin NAT](http://serverfault.com/questions/55611/loopback-to-forwarded-public-ip-address-from-local-network-hairpin-nat) – MadHatter Feb 15 '16 at 15:00
  • Not a duplicate actually, problem solved see below : specifying the interface is key and not a subject covered in the referenced document. – rapht Feb 15 '16 at 16:15

1 Answers1

1

To do the hairpin NAT method you will need to enter the commands below.

iptables -t nat -A PREROUTING -d 12.34.56.78 -i vmbr1 -p tcp -m multiport --dports 80,443 -j DNAT \
    --to-destination 192.168.1.101   
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o vmbr1 -d 192.168.1.254 -p tcp \
    --dport 80 -j SNAT --to-source 192.168.1.101
user5870571
  • 2,900
  • 2
  • 11
  • 33
  • I just found what was wrong, which is not solved by your proposal: I need to remove `-i vmbr0` from the `PREROUTING` directive and it all works like a charm. In retrospect I should have seen it : with `-i vmbr0` the `PREROUTING` does not apply to packets coming from `vmbr1` which is where the NATed VMs are located. – rapht Feb 15 '16 at 14:53
  • 1
    I assumed you specified the interface you intended. I updated it. Give that a try. :) – user5870571 Feb 15 '16 at 14:59
  • Where did you get 192.168.1.254 from?? – Stefan Mar 31 '21 at 23:26