Internet NAT en PROXMOX
Actualizar Debian 9 a 10 | |
https://www.cyberciti.biz/faq/update-upgrade-debian-9-to-debian-10-buster/ | |
Instalar Proxmox en Debian 10 | |
https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_Buster | |
#https://pve.proxmox.com/wiki/Network_Configuration | |
Elimine la red de eth0 (IP y subred) desde la página web y agregue una vmbr0 con los datos de eth0, | |
haciendo un bridge desde eth0. | |
Agregue una vmbr1 de forma manual con las siguientes líneas -> | |
post-up echo 1 > /proc/sys/net/ipv4/ip_forward | |
post-up iptables -t nat -A POSTROUTING -s '192.168.1.0/24' -o eth0 -j MASQUERADE | |
post-down iptables -t nat -D POSTROUTING -s '192.168.1.0/24' -o eth0 -j MASQUERADE | |
Seguí también estos pasos: | |
https://blog.desdelinux.net/conecta-dos-redes-para-compartir-internet-con-gnulinux/ | |
------------------------------------------------------------------------------------------ | |
nano /etc/network/interfaces | |
------------------------------------------------------------------------------------------ | |
auto lo | |
iface lo inet loopback | |
iface eth0 inet manual | |
auto vmbr0 | |
iface vmbr0 inet static | |
address 199.217.117.4/26 | |
gateway 199.217.117.1 | |
bridge-ports eth0 | |
bridge-stp off | |
bridge-fd 0 | |
auto vmbr1 | |
iface vmbr1 inet static | |
address 192.168.1.1 | |
netmask 255.255.255.0 | |
bridge-ports none | |
bridge-stp off | |
bridge-fd 0 | |
post-up echo 1 > /proc/sys/net/ipv4/ip_forward | |
post-up iptables -t nat -A POSTROUTING -s '192.168.1.0/24' -o eth0 -j MASQUERADE | |
post-down iptables -t nat -D POSTROUTING -s '192.168.1.0/24' -o eth0 -j MASQUERADE | |
------------------------------------------------------------------------------------------ | |
nano /etc/iptables.up.rules | |
------------------------------------------------------------------------------------------ | |
### MANGLE ### | |
*mangle | |
:PREROUTING ACCEPT [0:0] | |
:INPUT ACCEPT [0:0] | |
:FORWARD ACCEPT [0:0] | |
:OUTPUT ACCEPT [0:0] | |
:POSTROUTING ACCEPT [0:0] | |
COMMIT | |
### FILTER ### | |
*filter | |
:FORWARD ACCEPT [0:0] | |
:INPUT DROP [0:0] | |
:OUTPUT ACCEPT [0:0] | |
# Dejamos acceso al localhost | |
-A INPUT -i lo -j ACCEPT | |
# Dejamos acceso al firewall desde la red local (la interfaz debe coincidir con el bridge interno definido en /etc/network/interfaces; arriba se llamó vmbr1) | |
-A INPUT -s 192.168.1.0/24 -i vmbr2 -j ACCEPT | |
# Permitimos conexiones salientes al puerto 80 (web) y 443 (https) | |
-A FORWARD -p tcp -s 192.168.1.0/24 -i vmbr2 --dport 80 -j ACCEPT | |
-A FORWARD -p tcp -s 192.168.1.0/24 -i vmbr2 --dport 443 -j ACCEPT | |
# Aceptamos conexiones salientes a DNS (puerto 53 tcp y udp) | |
-A FORWARD -p tcp -s 192.168.1.0/24 -i vmbr2 --dport 53 -j ACCEPT | |
-A FORWARD -p udp -s 192.168.1.0/24 -i vmbr2 --dport 53 -j ACCEPT | |
# Aceptamos el resto de conexiones TCP salientes (no necesitamos filtrar más; además la política de FORWARD es ACCEPT) | |
-A FORWARD -p tcp -m tcp -s 192.168.1.0/24 -i vmbr2 -j ACCEPT | |
# Dejamos acceso al firewall desde internet (esta regla acepta TODO el tráfico entrante por vmbr0, por lo que la política INPUT DROP no protege la interfaz pública; conviene limitarla a los puertos necesarios y al tráfico ESTABLISHED,RELATED) | |
-A INPUT -i vmbr0 -j ACCEPT | |
COMMIT | |
### NAT ### | |
*nat | |
:OUTPUT ACCEPT [0:0] | |
:PREROUTING ACCEPT [0:0] | |
:POSTROUTING ACCEPT [0:0] | |
# Enmascaramos la red local (para hacer NAT): salida de las máquinas de 192.168.1.0/24 hacia internet por vmbr0 | |
-A POSTROUTING -s 192.168.1.0/24 -o vmbr0 -j MASQUERADE | |
# SERVIDOR 1 PUERTO 80 | |
-A PREROUTING -p tcp -m tcp -i vmbr0 --dport 80 -j DNAT --to 192.168.1.100:80 | |
# SERVIDOR 2 PUERTO 443 | |
-A PREROUTING -p tcp -m tcp -i vmbr0 --dport 443 -j DNAT --to 192.168.1.100:443 | |
COMMIT | |
------------------------------------------------------------------------------------------ | |
iptables-restore < /etc/iptables.up.rules | |
------------------------------------------------------------------------------------------ | |
nano /etc/resolv.conf | |
------------------------------------------------------------------------------------------ | |