[pve-devel] pvefw: masquerade problems and conntrack zones
Dietmar Maurer
dietmar at proxmox.com
Mon Mar 10 09:09:32 CET 2014
The following configuration to MASQUERADE traffic is known to work:
------------
auto vmbr1
iface vmbr1 inet static
    address 10.10.10.1
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o pm0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o pm0 -j MASQUERADE
--------------
But this is a 'routed' configuration, so 'physdev' match does not work correctly.
So I tried to use the 'veth' workaround:
----------
auto vmbr1
iface vmbr1 inet manual
    bridge_ports none
    bridge_stp off
    bridge_fd 0

auto pm1
iface pm1 inet static
    address 10.10.10.1
    netmask 255.255.255.0
    VETH_BRIDGETO vmbr1
    post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o pm0 -j MASQUERADE
    post-down iptables -t nat -F POSTROUTING
----------
This works, but fails as soon as I enable nf filter on the bridge (starting pvefw).
I found out that I can make it work by using CT zones:
----------
auto vmbr1
iface vmbr1 inet manual
    bridge_ports none
    bridge_stp off
    bridge_fd 0

auto pm1
iface pm1 inet static
    address 10.10.10.1
    netmask 255.255.255.0
    VETH_BRIDGETO vmbr1
    post-up iptables -t raw -A PREROUTING -s '10.10.10.0/24' -i vmbr1 -j CT --zone 1 # why do we need this?
    post-up iptables -t raw -A PREROUTING -d '10.10.10.0/24' -i vmbr1 -j CT --zone 1 # why do we need this?
    post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o pm0 -j MASQUERADE
    post-down iptables -t nat -F POSTROUTING
    post-down iptables -t raw -F PREROUTING
----------
But I do not understand this. Why is that required? Is that the correct way to do it?
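The last configuration above, turned into a small POSIX sh helper as an added example (not from the post and not Proxmox code): it generates the two CT zone rules and the MASQUERADE rule for any subnet/bridge/uplink triple, and its DEL mode emits matching -D commands so post-down removes only those rules instead of flushing the whole raw and nat chains. The function names, the sample values and the comment's reading of why the zone is needed are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the post or from Proxmox): emits the three
# iptables commands of the post's last configuration, parameterised by
# subnet, bridge, outbound interface and conntrack zone. ADD prints -A
# rules, DEL prints the identical rules with -D, so post-down can undo
# exactly what post-up did. Function names and values are made up.

# pvefw_nat_rules ADD|DEL SUBNET BRIDGE OUTIF ZONE  -> one command per line
pvefw_nat_rules() {
    op=$1 subnet=$2 bridge=$3 outif=$4 zone=$5
    case "$op" in
        ADD) flag=-A ;;
        DEL) flag=-D ;;
        *)   echo "usage: pvefw_nat_rules ADD|DEL SUBNET BRIDGE OUTIF ZONE" >&2
             return 1 ;;
    esac
    # My reading of why the zone is needed (an assumption, not stated in
    # the post): with bridge netfilter enabled, a packet to or from the
    # VM subnet passes conntrack once while bridged on $bridge and again
    # when routed over the veth leg. The NAT decision made on the first
    # pass (no MASQUERADE, as the output device is not $outif) is stored
    # in the conntrack entry and reused on the second pass. Putting the
    # bridged pass in its own zone gives it a separate entry, so the
    # routed pass still evaluates the MASQUERADE rule.
    printf 'iptables -t raw %s PREROUTING -s %s -i %s -j CT --zone %s\n' \
        "$flag" "$subnet" "$bridge" "$zone"
    printf 'iptables -t raw %s PREROUTING -d %s -i %s -j CT --zone %s\n' \
        "$flag" "$subnet" "$bridge" "$zone"
    printf 'iptables -t nat %s POSTROUTING -s %s -o %s -j MASQUERADE\n' \
        "$flag" "$subnet" "$outif"
}

# Apply or remove the rules (needs root); meant for post-up / post-down.
pvefw_nat_up()   { pvefw_nat_rules ADD "$@" | sh -e; }
pvefw_nat_down() { pvefw_nat_rules DEL "$@" | sh -e; }

# Dry run with the post's values: printed, not executed.
pvefw_nat_rules ADD 10.10.10.0/24 vmbr1 pm0 1
```

To use it from the interfaces file, source the script and call pvefw_nat_up from post-up and pvefw_nat_down from post-down with the same four arguments; only those two functions touch iptables and need root.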