I am about to forward a port to an instance that is behind a managed bridge. It works with the proxy feature.
But I realized that with proxy the source IP is 127.0.0.1. Since this is SSH and I want to use sshguard, it should see the real source IP address.
Is that possible in any way that is managed by Incus?
Or do I need to configure nftables manually on the host machine?
Thanks.
I found that I need to add a specific listen address too; it cannot be 0.0.0.0 or “*”. What’s the reason?
Altogether, it is less usable this way, because if the instance is migrated to another host, it can happen that the instance does not work because the listen address does not match. In addition, if the destination IP address is fixed, the source and the destination server’s IP range has to be the same; otherwise it fails.
It would be more useful if it worked like Docker does: the listen address can be anything (that might be the default) and the destination is the instance name.