Tailscale version: 1.34.0
Your operating system & version: Debian 11
Proxmox version: 7.3
I am managing a cloud server with a single public IP address for the host and the guests.
Guest access to the internet is enable through nat configuration on the host.
To avoid having to block several ports on the host I applied the rules suggested in the following article: Use UFW to lock down an Ubuntu server · Tailscale. It works perfectly well for the host but not for the guests running their own tailscale client.
How should I configure the network in order to secure the server exposed to the internet without hampering the access to the guests?
Here is the network configuration on the host (proxmox) server:
### LOOPBACK ###
auto lo
iface lo inet loopback
iface lo inet6 loopback
### IPv4 ###
# Main IPv4 from Host
auto enp0s31f6
iface enp0s31f6 inet manual
### VM-Bridge used by Proxmox
auto vmbr0
iface vmbr0 inet static
address a.b.c.d
gateway v.w.x.y
hwaddress aa:bb:cc:dd:ee
bridge_ports enp0s31f6
bridge_stp off
bridge_fd 0
### Private NAT used by Proxmox
auto vmbr1
iface vmbr1 inet static
address 192.168.20.1
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '192.168.20.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.20.0/24' -o vmbr0 -j MASQUERADE
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 3333 -j DNAT --to 192.168.20.200:3333
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 3333 -j DNAT --to 192.168.20.200:3333
source /etc/network/interfaces.d/*
Thank you for your help and support.
Denis