
I have a Proxmox server with one public IP. I have set up NAT and iptables to forward ports 80 and 443 to my apache2 server. Everything is working fine until I try to make a request from inside the NAT network.

I have some domains pointing at my server. When I try `wget foo.de` from any server inside the NAT network to any of my domains I get `Connecting to foo.de ... failed: Connection refused.` From outside of this network everything is working as expected.

This is my iptables config:

auto lo
iface lo inet loopback

iface ens3 inet manual

auto vmbr0
iface vmbr0 inet static
        address xxx.xxx.xxx.xxx/xx
        gateway xxx.xxx.xxx.xxx
        bridge-ports ens3
        bridge-stp off
        bridge-fd 0


auto vmbr1
iface vmbr1 inet static
        address  10.10.10.1
        netmask  255.255.255.0
        network 10.10.10.0
        broadcast 10.10.10.255
        bridge_ports none
        bridge_stp off
        bridge_fd 0

        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   sysctl -w net.ipv4.conf.all.route_localnet=1
        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE

        # Inbound from the internet (arriving on vmbr0): forward 80/443 to the web VM
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 10.10.10.2:80
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 10.10.10.2:80
        # OUTPUT only covers connections made by the host itself, not by VMs
        post-up iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to 10.10.10.2:80
        post-down iptables -t nat -D OUTPUT -p tcp --dport 80 -j DNAT --to 10.10.10.2:80

        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 10.10.10.2:443
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 10.10.10.2:443
        post-up iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to 10.10.10.2:443
        post-down iptables -t nat -D OUTPUT -p tcp --dport 443 -j DNAT --to 10.10.10.2:443

I just set up the loop interface; since then I can reach the servers via their public URL from their host, but still not from inside the NAT network. The server is directly connected to the internet without any router before it. Any ideas how to fix that?

  • Search this site about "NAT loopback" and/or "hairpin NAT". (In this context, your server _is_ the router.) – u1686_grawity Apr 14 '20 at 08:27
  • Hi, thank you for your reply. I already found this: https://superuser.com/questions/1161226/nat-loopback-on-my-router According to this I tried to add the following rules, but without success: `iptables -t nat -A PREROUTING -i vmbr0 -s 10.10.10.0/24 -d 10.10.10.1/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination xxx.xxx.xxx.xxx` `iptables -t nat -A POSTROUTING -o vmbr0 -s 10.10.10.0/24 -d 10.10.10.1/24 -p tcp -m tcp --dport 80 -j SNAT --to-source xxx.xxx.xxx.xxx` – Tim Dreier Apr 14 '20 at 09:54
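The hairpin NAT ("NAT loopback") rules the comments point to, as an added example that is not from the question or its comments: a VM's packet to the public address enters the host on vmbr1, so PREROUTING rules matched on `-i vmbr0` never see it and the host's own TCP stack refuses the connection; the rules below match on vmbr1 and also masquerade the source so the web VM's reply goes back through the host instead of straight to the client. The public address is passed in as a placeholder (the question masks it), and `203.0.113.10` in the usage notes is an assumption.

```shell
#!/bin/sh
# Added example (not the question's config): hairpin NAT rules for this layout.
# Assumptions: the host's public address is passed as $1 (masked as
# xxx.xxx.xxx.xxx in the question); the web VM is 10.10.10.2 behind vmbr1.
LAN_IF=vmbr1
LAN_NET=10.10.10.0/24
WEB_VM=10.10.10.2

# Print the two rules needed for one port.
# PREROUTING: a VM's packet to PUBLIC_IP:port arrives on vmbr1, not vmbr0, so
#   the existing "-i vmbr0" DNAT rules never match it.
# POSTROUTING: without source NAT the web VM would answer the client directly
#   on the shared subnet; the client expects a reply from PUBLIC_IP and resets.
hairpin_rules() {
    public_ip=$1
    port=$2
    printf '%s\n' \
        "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -d $public_ip -p tcp --dport $port -j DNAT --to-destination $WEB_VM:$port" \
        "iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $WEB_VM -p tcp --dport $port -j MASQUERADE"
}

# Apply the rules for 80 and 443, or only print them when DRY_RUN=1.
apply_hairpin() {
    for p in 80 443; do
        hairpin_rules "$1" "$p" | while IFS= read -r cmd; do
            if [ "${DRY_RUN:-0}" = 1 ]; then
                printf '%s\n' "$cmd"
            else
                eval "$cmd"   # needs root on the Proxmox host
            fi
        done
    done
}

# Usage on the host (203.0.113.10 is a placeholder for the real public IP):
#   DRY_RUN=1 sh hairpin.sh 203.0.113.10     # review the rules first
#   sh hairpin.sh 203.0.113.10               # apply them
# Check: from a VM run "wget -O- http://203.0.113.10/", then on the host
#   "iptables -t nat -L PREROUTING -v -n" should show the DNAT counter rising.
if [ $# -ge 1 ]; then
    apply_hairpin "$1"
fi
```

To make the rules persistent, add them as post-up/post-down lines to the vmbr1 stanza in the same way as the existing MASQUERADE rule.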
