
I have a Proxmox server in a datacenter. On the server (one of many; they are in a Proxmox cluster) I am hosting various VMs.

Services on the VMs are exposed through iptables (using ufw) NAT rules like the following example:

-A PREROUTING -i eno1 -p tcp -d <public_ip> --dport 21 -j DNAT --to-destination <local_ip>:<port>
-A PREROUTING -i eno1 -p tcp -d <public_ip> --dport 23 -j DNAT --to-destination <local_ip>:<port>
-A PREROUTING -i eno1 -p tcp -d <public_ip> --dport 10090:10100 -j DNAT --to-destination <local_ip>:<port>

The VMs are connected using a virtual bridge NIC, as the Proxmox documentation states (Proxmox docs). This works. However, there is one downside: the VM does not receive the source IP of the connecting party. This gives me limited options for IP filtering and logging on various other VMs.

Now I am looking at a similar solution for nftables (which will replace, or has replaced, iptables).

Is there a way to set up NAT or forwarding rules that will allow the source IP to be sent to the VM?


1 Answer

You can do the same rules in nftables this way:

table inet nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # In an inet-family table the target needs "dnat ip to <addr>[:<port>]";
        # "dnat <addr>" without "to" is rejected by nft.
        iif eno1 ip daddr { <public_ip> } tcp dport 21 dnat ip to <local_ip>:<port>
        iif eno1 ip daddr { <public_ip> } tcp dport 23 dnat ip to <local_ip>:<port>
        iif eno1 ip daddr { <public_ip> } tcp dport 10090-10100 dnat ip to <local_ip>:<port>
    }
}

That said, destination NAT does not rewrite the source IP, so you should see the real source IP. If you can't, you might have a source NAT rule in the postrouting NAT table that you want to delete. You can check it with iptables -t nat -L.

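To make the answer's point concrete, here is an added example (not code from the original question or answer) that prints a DNAT-only ruleset in which the only source rewrite is pinned to traffic leaving the upstream interface, and a check that flags any postrouting snat/masquerade rule not restricted to that interface, which is the kind of rule that would hide the client IP from the VMs. The interface name comes from the question; the addresses and the VM network are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Interface and addresses are placeholders.
WAN_IF="eno1"              # upstream interface, as in the question
PUBLIC_IP="203.0.113.10"   # placeholder public address (documentation range)
VM_IP="10.10.10.21"        # placeholder VM address behind the bridge
VM_NET="10.10.10.0/24"     # placeholder VM network

# Print the ruleset. DNAT alone leaves the source address alone; the single
# source rewrite applies only to VM traffic leaving via the WAN interface, so it
# cannot match forwarded inbound flows, which leave via the bridge instead.
dnat_ruleset() {
    cat <<EOF
table inet nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        iifname "$WAN_IF" ip daddr $PUBLIC_IP tcp dport 21 dnat ip to $VM_IP:21
        iifname "$WAN_IF" ip daddr $PUBLIC_IP tcp dport 10090-10100 dnat ip to $VM_IP
    }
    chain postrouting {
        type nat hook postrouting priority srcnat;
        oifname "$WAN_IF" ip saddr $VM_NET masquerade
    }
}
EOF
}

# Exit 0 if the ruleset text in $1 (for example the output of `nft list ruleset`)
# contains a postrouting snat/masquerade rule that is not limited to the WAN
# interface, i.e. one that can rewrite the source of packets sent to the VMs.
hides_source_ip() {
    printf '%s\n' "$1" | awk -v wan="$WAN_IF" '
        /^[ \t]*#/ { next }                        # skip comment lines
        /hook postrouting/ { inpost = 1; next }    # entering the srcnat chain
        inpost && /^[ \t]*}/ { inpost = 0; next }  # that chain is closed
        inpost && /(snat|masquerade)/ && $0 !~ ("oif(name)? \"?" wan "\"?") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Typical use on the host (needs root):
#   hides_source_ip "$(nft list ruleset)" && echo "a postrouting rule rewrites traffic to the VMs"
```

The check is a heuristic on the text of the ruleset, so a rule that is restricted some other way (for instance by `ip saddr` only) is still reported and needs a manual look.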