Proxmox private network with port forwarding (and NAT reflection)
Adapt /etc/network/interfaces:
auto lo
iface lo inet loopback

auto ens3
iface ens3 inet manual

auto vmbr0
iface vmbr0 inet static
    address xPUBLICIPx/22
    gateway xGATEWAYx
    bridge-ports ens3
    bridge-stp off
    bridge-fd 0
    hwaddress xINTERFACEMACx

auto vmbr1
iface vmbr1 inet static
    address 192.168.0.254/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s 192.168.0.0/24 -o vmbr0 -j MASQUERADE
    # rp-ext2 SSH
    post-up /var/scripts/iptables_nat_rule.sh A 192.168.0.109 12345 tcp
    post-down /var/scripts/iptables_nat_rule.sh D 192.168.0.109 12345 tcp
    # rp-ext2 HTTP/HTTPS
    post-up /var/scripts/iptables_nat_rule.sh A 192.168.0.109 80 tcp
    post-down /var/scripts/iptables_nat_rule.sh D 192.168.0.109 80 tcp
    post-up /var/scripts/iptables_nat_rule.sh A 192.168.0.109 443 tcp
    post-down /var/scripts/iptables_nat_rule.sh D 192.168.0.109 443 tcp
All containers/VMs then get vmbr1 as their network interface, an IP address from the 192.168.0.0/24 range, and 192.168.0.254 as their gateway.
/var/scripts/iptables_nat_rule.sh looks like this:
#! /bin/sh
# Usage: iptables_nat_rule.sh <A|D> <internal-ip> <port> <tcp|udp>
# $1 = Action (A = append rule, D = delete rule)
# $2 = Destination (internal IP of the container/VM)
# $3 = Port
# $4 = Protocol (tcp / udp)
set -u
[ $# -eq 4 ] || { echo "usage: $0 <A|D> <internal-ip> <port> <tcp|udp>" >&2; exit 1; }
PUBLICIP=xPUBLICIPx
LAN=192.168.0.0/24
# Port forward rule: connections arriving on the public bridge are DNATed to the internal host
iptables -t nat -"$1" PREROUTING -i vmbr0 -p "$4" --dport "$3" -j DNAT --to-destination "$2:$3"
# NAT reflection rules (hairpin NAT for clients inside the private network):
# 1) rewrite the destination from the public IP to the internal host ...
iptables -t nat -"$1" PREROUTING -i vmbr1 -s "$LAN" -d "$PUBLICIP/32" -p "$4" --dport "$3" -j DNAT --to-destination "$2"
# 2) ... and rewrite the source to the public IP so the reply returns via the host instead of going directly to the client
iptables -t nat -"$1" POSTROUTING -o vmbr1 -s "$LAN" -d "$2/32" -p "$4" --dport "$3" -j SNAT --to-source "$PUBLICIP"
Reload the network without rebooting:
sudo systemctl restart networking
Important:
NAT reflection works from the 192.168.0.0/24 network (i.e. from the containers/VMs), but not from the host itself; for the host you need a separate workaround (split-horizon DNS via /etc/hosts).
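To make the two parts above concrete, here is a small Python model of the NAT path that the rules in iptables_nat_rule.sh set up. It is an added illustration, not code from the original post, and it uses constructed documentation addresses (203.0.113.10 stands in for xPUBLICIPx, 198.51.100.7 is an external client, 192.168.0.20 an internal client). It walks a TCP SYN through PREROUTING, the routing decision and POSTROUTING and then asks whether the client would accept the server's reply. That shows why the reflection needs the SNAT rule as well as the DNAT rule (without SNAT the container answers the LAN client directly, and the reply comes from the wrong address), and why none of it helps for traffic generated on the host itself: locally generated packets never pass PREROUTING, so the DNAT cannot fire.

```python
"""Toy model of how the PREROUTING/POSTROUTING rules above rewrite a TCP SYN on
the Proxmox host. Constructed example, not the original post's code; all
addresses are documentation values."""
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.10"   # constructed stand-in for xPUBLICIPx
LAN_PREFIX = "192.168.0."    # the 192.168.0.0/24 behind vmbr1
HOST_LAN_IP = "192.168.0.254"
SERVER = "192.168.0.109"     # rp-ext2 from the interfaces file
PORT = 443


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_if: str  # bridge the packet arrived on, "" if generated on the host


def in_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


def route(dst: str) -> str:
    """Host routing decision: own addresses are delivered locally, the /24
    leaves via vmbr1, everything else via vmbr0 (default route)."""
    if dst in (PUBLIC_IP, HOST_LAN_IP):
        return "local"
    return "vmbr1" if in_lan(dst) else "vmbr0"


def prerouting(p: Packet) -> Packet:
    # PREROUTING -i vmbr0 -p tcp --dport PORT -j DNAT --to-destination SERVER:PORT
    if p.in_if == "vmbr0" and p.dport == PORT:
        return replace(p, dst=SERVER)
    # PREROUTING -i vmbr1 -s LAN -d PUBLIC_IP -p tcp --dport PORT -j DNAT --to-destination SERVER
    if p.in_if == "vmbr1" and in_lan(p.src) and p.dst == PUBLIC_IP and p.dport == PORT:
        return replace(p, dst=SERVER)
    return p


def postrouting(p: Packet, out_if: str, reflection_snat: bool) -> Packet:
    # POSTROUTING -o vmbr1 -s LAN -d SERVER -p tcp --dport PORT -j SNAT --to-source PUBLIC_IP
    if reflection_snat and out_if == "vmbr1" and in_lan(p.src) and p.dst == SERVER and p.dport == PORT:
        return replace(p, src=PUBLIC_IP)
    return p


def traverse_host(p: Packet, reflection_snat: bool = True) -> tuple:
    """PREROUTING -> routing -> POSTROUTING. Packets generated on the host
    skip PREROUTING, which is why the DNAT never applies to the host's own
    connections. Returns (packet as it leaves the host, outgoing interface)."""
    if p.in_if:
        p = prerouting(p)
    out_if = route(p.dst)
    if out_if != "local":
        p = postrouting(p, out_if, reflection_snat)
    return p, out_if


def connection_succeeds(client_ip: str, client_if: str, reflection_snat: bool = True) -> bool:
    """Does a SYN from the client to PUBLIC_IP:PORT reach SERVER and get a reply
    the client accepts? The client only accepts a reply whose source is the
    address it dialled (PUBLIC_IP). Conntrack on the host undoes DNAT/SNAT for
    replies that pass back through the host; a reply sent directly across the
    LAN never reaches conntrack and keeps the container's own address."""
    syn = Packet(src=client_ip, dst=PUBLIC_IP, dport=PORT, in_if=client_if)
    seen_by_server, out_if = traverse_host(syn, reflection_snat)
    if out_if == "local" or seen_by_server.dst != SERVER:
        return False  # delivered to the host itself, not to the container
    if in_lan(seen_by_server.src):
        reply_src = SERVER     # same subnet: container replies directly, bypassing the host
    else:
        reply_src = PUBLIC_IP  # via the gateway (host): conntrack restores PUBLIC_IP
    return reply_src == PUBLIC_IP


if __name__ == "__main__":
    print("external client          :", connection_succeeds("198.51.100.7", "vmbr0"))
    print("internal client, hairpin :", connection_succeeds("192.168.0.20", "vmbr1"))
    print("internal client, no SNAT :", connection_succeeds("192.168.0.20", "vmbr1", reflection_snat=False))
    print("host itself              :", connection_succeeds(HOST_LAN_IP, ""))
```

The four scenarios in the `__main__` block correspond to: an Internet client (plain port forward), an internal client with both reflection rules (works), an internal client with only the DNAT rule (fails, because the container answers from 192.168.0.109 while the client expected the public IP), and the host itself (fails, which is the case the /etc/hosts workaround covers).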