I am about to forward a port to an instance that is behind a manager bridge. It works with the proxy feature.
But I realized that with proxy the source IP is 127.0.0.1. Since this is an ssh and I want to use sshguard and it should see the real source IP address.
Is that possible in any way that is managed by Incus?
Or do I need to configure nftables manually on the host machine?
You can set nat=true on your proxy device to have Incus setup a NAT rule for you rather than run the userspace proxy.
That will require your instance to have a static IP address though, so you’ll want to set ipv4.address on its eth0 device.
Thanks.
I found that I need to add a specific listen address too, it cannot be 0.0.0.0 or “*”. What’s the reason?
Altogether, it is less usable this way, because if the instance is migrated to another host, it can happen, that the instance does not work, because the listen address does not match. In addition, if the destination IP address is fixed, the source and the destination server’s IP range has to be the same, otherwise it fails.
It would be more useful if it worked like the docker does: the listen address can be anything (that might be the default) and the destination is the instance name.