@goedecke
Created January 21, 2021 02:39
Internet NAT on PROXMOX
Update Debian 9 to 10
https://www.cyberciti.biz/faq/update-upgrade-debian-9-to-debian-10-buster/
Install Proxmox on Debian 10
https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_Buster
#https://pve.proxmox.com/wiki/Network_Configuration
I removed the network settings from eth0 (IP and subnet) from the web page and added a vmbr0 with eth0's settings,
making a bridge from eth0
I added a vmbr1 manually and the ->
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j MASQUERADE
I also followed these steps:
https://blog.desdelinux.net/conecta-dos-redes-para-compartir-internet-con-gnulinux/
------------------------------------------------------------------------------------------
nano /etc/network/interfaces
------------------------------------------------------------------------------------------
auto lo
iface lo inet loopback

iface eth0 inet manual

# Public bridge: carries the host address and has eth0 as its only port
auto vmbr0
iface vmbr0 inet static
        address 199.217.117.4/26
        gateway 199.217.117.1
        bridge-ports eth0
        bridge-stp off
        bridge-fd 0

# Internal NAT bridge for the guests. eth0 is a port of vmbr0, so routed
# traffic leaves through vmbr0 (same interface as the NAT rule in /etc/iptables.up.rules)
auto vmbr1
iface vmbr1 inet static
        address 192.168.1.1
        netmask 255.255.255.0
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j MASQUERADE
------------------------------------------------------------------------------------------
nano /etc/iptables.up.rules
------------------------------------------------------------------------------------------
### MANGLE ###
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
### FILTER ###
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Allow access to localhost
-A INPUT -i lo -j ACCEPT
# Allow access to the firewall from the local network
# (vmbr1 is the internal bridge declared in /etc/network/interfaces)
-A INPUT -s 192.168.1.0/24 -i vmbr1 -j ACCEPT
# Allow outgoing connections to port 80 (web) and 443 (https)
-A FORWARD -p tcp -s 192.168.1.0/24 -i vmbr1 --dport 80 -j ACCEPT
-A FORWARD -p tcp -s 192.168.1.0/24 -i vmbr1 --dport 443 -j ACCEPT
# Accept outgoing connections to DNS (port 53 tcp and udp)
-A FORWARD -p tcp -s 192.168.1.0/24 -i vmbr1 --dport 53 -j ACCEPT
-A FORWARD -p udp -s 192.168.1.0/24 -i vmbr1 --dport 53 -j ACCEPT
# Deny all other outgoing connections (We don't need to filter$
# (this rule accepts all remaining TCP from the local network, and the FORWARD policy is ACCEPT as well)
-A FORWARD -p tcp -m tcp -s 192.168.1.0/24 -i vmbr1 -j ACCEPT
# Allow access to the firewall from the internet
# (accepts every inbound connection to the host on vmbr0, so the INPUT DROP policy only affects other interfaces)
-A INPUT -i vmbr0 -j ACCEPT
COMMIT
### NAT ###
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Masquerade the local network (to do NAT)(Outbound traffic from the machines $
-A POSTROUTING -s 192.168.1.0/24 -o vmbr0 -j MASQUERADE
# SERVER 1 PORT 80
-A PREROUTING -p tcp -m tcp -i vmbr0 --dport 80 -j DNAT --to 192.168.1.100:80
# SERVER 2 PORT 443
-A PREROUTING -p tcp -m tcp -i vmbr0 --dport 443 -j DNAT --to 192.168.1.100:443
COMMIT
------------------------------------------------------------------------------------------
iptables-restore < /etc/iptables.up.rules
------------------------------------------------------------------------------------------
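A pre-load check for the rules file above, added here as an example and not part of the original gist: iptables-restore accepts any name after -i/-o, so a rule written for a bridge that was never declared loads cleanly and then never matches. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the gist): report -i/-o interfaces in an
# iptables-restore file that the ifupdown interfaces file never declares.

# Names declared as "iface <name> ..." in an ifupdown file, one per line.
declared_ifaces() {
    awk '$1 == "iface" { print $2 }' "$1" | sort -u
}

# Names following -i/-o (or the long options) in -A/-I rule lines.
# Wildcards such as "vmbr+" match by prefix and are skipped.
rule_ifaces() {
    awk '/^-[AI] / {
        for (i = 1; i < NF; i++)
            if ($i ~ /^(-i|-o|--in-interface|--out-interface)$/ && $(i+1) !~ /[+]$/)
                print $(i+1)
    }' "$1" | sort -u
}

# usage: undeclared_ifaces INTERFACES_FILE RULES_FILE
# Prints each undeclared interface; returns 1 if there is at least one.
undeclared_ifaces() {
    decl=$(declared_ifaces "$1")
    missing=0
    for name in $(rule_ifaces "$2"); do
        if ! printf '%s\n' "$decl" | grep -qxF -- "$name"; then
            echo "$name"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample input (not the gist's files): vmbr1 is the declared
# internal bridge, but one rule names vmbr2, so that rule never matches.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'auto lo' 'iface lo inet loopback' 'iface eth0 inet manual' \
        'iface vmbr0 inet static' 'iface vmbr1 inet static' > "$dir/interfaces"
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -s 192.168.1.0/24 -i vmbr2 -j ACCEPT' 'COMMIT' '*nat' \
        '-A POSTROUTING -s 192.168.1.0/24 -o vmbr0 -j MASQUERADE' 'COMMIT' > "$dir/rules"
    if undeclared_ifaces "$dir/interfaces" "$dir/rules"; then found=0; else found=1; fi
    rm -rf "$dir"
    return $found
}

demo || echo "the rules name interfaces that are not declared (listed above)" >&2
```

On the host, call undeclared_ifaces /etc/network/interfaces /etc/iptables.up.rules before loading the rules. iptables-restore --test parses the file without committing it, but it checks syntax only, not interface names.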
nano /etc/resolv.conf
------------------------------------------------------------------------------------------