NAT – Forwarding ports from one bridged interface to a guest container on host OS

dnat; nat; networking; proxmox; routing

I have a simple configuration.

Mind map of how everything looks

So I have a structure:

  • Proxmox Host OS (vmbr0, vmbr1)
    • Container 1 (eth0)
    • Container 2 (eth0)

The Proxmox networks:

vmbr0
    Link encap: Ethernet
    inet addr: 136.136.136.161
    Bcast: 136.136.136.191
    Mask: 255.255.255.192

vmbr1
    Link encap: Ethernet
    inet addr: 192.168.1.254
    Bcast: 136.136.1.255
    Mask: 255.255.255.0

The container 1 network:

eth0
    Link encap: Ethernet
    inet addr: 136.211.123.180
    Bcast: 136.211.123.180
    Mask: 255.255.255.255

The container 2 network:

eth0
    Link encap: Ethernet
    inet addr: 192.168.1.1
    Bcast: 192.168.1.255
    Mask: 255.255.255.0

The normal iptables rules on the Proxmox host look like this (TeamSpeak³ example: forward for UDP port 9987).

~# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       udp  --  anywhere             anywhere             udp dpt:9987 to:192.168.1.1:9987

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  192.168.1.0/24       anywhere

This is added via:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o vmbr0 -j MASQUERADE
iptables -t nat -A PREROUTING -i vmbr0 -p udp -m udp --dport 9987 -j DNAT --to-destination 192.168.1.1:9987

And the question now is: how do I make a forward from container 1 to container 2, too?

At the moment the requests go to the Proxmox host, which forwards them to the containers via iptables.
But container 1 has a static IP address assigned, because normally all ports should go to this server, except a few which I want to forward to the other container.

So how can I forward requests sent to the static IP address of container 1 on to container 2?

Container 2 is the TS³ container.
Container 1 is the "static IP address" container.
And the Proxmox host has its own IP address, too, which is used at the moment for all those requests.

Thanks in advance for any ideas.

Best Answer

I would simply set up the public .180 address on the host OS vmbr0 interface, and then do the port forwarding on the host OS.

I can't see the point of having the separate VM here. If you really want the additional complexity of a separate VM, then you can try this.

Your container 1 network setup is odd: you cannot access any other host in the 136.211.123.128/255.255.255.192 network from that container. You should use the same netmask and broadcast addresses as are used on the host OS.

For the actual forwarding, you need to add a second interface to container 1, bridged to vmbr1. Then you can add a port forwarding rule in container 1:

iptables -t nat -A PREROUTING -i eth0 -p udp -m udp --dport 9987 -j DNAT --to-destination 192.168.1.1:9987

So container 1 has an interface in both the external and the internal network, and then it can do the port forward.
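The following script is an added example, not code from the question or the answer above. It emits the complete rule set that a single DNAT line implies, for any box that sits between an external and an internal interface: the Proxmox host with vmbr0/vmbr1 as in the question, or container 1 with eth0 and a second bridged interface as in the answer. Beyond the DNAT rule it adds the pieces that are easy to forget: enabling IP forwarding, FORWARD-chain accepts for the flow and its replies, and a MASQUERADE on the internal side so that the target's reply comes back through the same box even when the target's default gateway is somewhere else (container 2's gateway is most likely the host's 192.168.1.254, not container 1, so without this the reply takes a different path and the client never sees it). It also checks every emitted rule for a chain name iptables actually has, which catches misspellings such as PRETROUTING that slip into copy-pasted rules. The interface name eth1 for container 1's second interface and the 192.168.1.0/24 internal network are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or answer. Emits (and optionally
# applies) the iptables rules for forwarding one port through a box with an
# external and an internal interface. Interface names and the internal network
# 192.168.1.0/24 below are assumptions.

# forward_rules EXT_IF INT_IF PROTO DPORT DEST_IP [DEST_PORT] [INT_NET]
# Prints one command per line; nothing is executed here.
forward_rules() {
    ext_if=$1; int_if=$2; proto=$3; dport=$4; dest_ip=$5
    dest_port=${6:-$4}
    int_net=${7:-192.168.1.0/24}

    # Without this the kernel drops DNATed packets instead of forwarding them.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Rewrite the destination of matching packets arriving on the external side.
    echo "iptables -t nat -A PREROUTING -i $ext_if -p $proto -m $proto --dport $dport -j DNAT --to-destination $dest_ip:$dest_port"
    # Let the rewritten flow and its replies through the filter table.
    echo "iptables -A FORWARD -i $ext_if -o $int_if -p $proto -m $proto -d $dest_ip --dport $dest_port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $int_if -o $ext_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Source-NAT the forwarded flow on the internal side so the target's reply
    # returns through this box even if the target's default route points to a
    # different gateway. Skipping this is the classic asymmetric-routing failure.
    echo "iptables -t nat -A POSTROUTING -o $int_if -p $proto -m $proto -d $dest_ip --dport $dest_port -j MASQUERADE"
    # Outbound traffic from the internal network leaves with this box's address.
    echo "iptables -t nat -A POSTROUTING -s $int_net -o $ext_if -j MASQUERADE"
}

# check_chains: read commands on stdin; return 1 if an iptables line uses a
# chain name the built-in tables do not have (e.g. the PRETROUTING typo).
check_chains() {
    rc=0
    while IFS= read -r line; do
        case $line in
            iptables*) ;;
            *) continue ;;
        esac
        chain=$(printf '%s\n' "$line" | sed -n 's/.* -A \([A-Za-z_]*\).*/\1/p')
        case $chain in
            PREROUTING|POSTROUTING|INPUT|OUTPUT|FORWARD) ;;
            *) echo "unknown chain '$chain' in: $line" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Usage:  sh forward.sh          -> print the rule set for container 1
#         sh forward.sh apply    -> validate, then run it (needs root)
case ${1:-print} in
    apply)
        forward_rules eth0 eth1 udp 9987 192.168.1.1 | check_chains || exit 1
        forward_rules eth0 eth1 udp 9987 192.168.1.1 | sh -e
        ;;
    print)
        forward_rules eth0 eth1 udp 9987 192.168.1.1
        ;;
esac
```

Two consequences worth knowing before applying this on container 1: the inner MASQUERADE makes container 2 see every client as container 1's internal address, so TeamSpeak's per-IP bans and logs lose the real source; if that matters, point container 2's default gateway at container 1's internal address instead and drop that one rule. And `iptables -A` only changes the running rule set; persist it with iptables-save/iptables-restore or whatever your distribution uses, or it is gone after a reboot.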
