[pve-devel] pvefw: masquerade problems and conntrack zones
Alexandre DERUMIER
aderumier at odiso.com
Mon Mar 10 18:14:07 CET 2014
>>We need physdev match to filter traffic from VMs?
Sorry, I wanted to say output interface instead of physdev.
>>iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
replace with
iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -j SNAT --to X.X.X.X (ip of the bridge)
How are the netfilter logs with masquerade, with the IP on vmbr0 and without veth?
MASQTEST: IN= OUT=??? PHYSIN=tap116i0 PHYSOUT=???? SRC=10.10.10.3 DST=8.8.8.8
I'm a bit lost for now; I'll try to create a test lab tomorrow to see how things work.
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Monday, 10 March 2014 17:01:55
Subject: RE: [pve-devel] pvefw: masquerade problems and conntrack zones
> >>That behaves quite the same.
>
> Maybe, without veth ? (using bridge ip directly?).
> So we don't need to have physdev match.
We need physdev match to filter traffic from VMs?