
Cloudflare Error 521: Proxmox Host and VM with Web Servers Are Down

Cloudflare Error 521: web server is down

Things to check:

  • Check the error logs
  • Check that all services are running (Nginx, PHP-FPM, MySQL)
  • Check the firewall forwarding rules
  • Check the Cloudflare DNS records
  • Check whether the domain has expired

My host infrastructure:

  • Host Proxmox pve1
    • pve1 carries the firewall rules and the masquerading NAT that forwards ports 80 and 443 to VM 100
    • The Proxmox host runs VM 100
      • VM 100 has firewall rules that let it respond back through the host pve1

Problem 1: Proxmox Host Firewall Rules are Gone after Restart

The problem here is that when we restart the Proxmox host pve1, all the firewall rules are gone: rules added with iptables live only in kernel memory and are lost at reboot unless they are saved and reloaded.

Solution:

IP address of VM 100: 192.168.xxx.3

Port Forwarding

Forward Port For HTTP (Port 80)

sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.xxx.3:80
sudo iptables -A FORWARD -p tcp -d 192.168.xxx.3 --dport 80 -j ACCEPT

Forward Port for HTTPS (Port 443)

sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.xxx.3:443
sudo iptables -A FORWARD -p tcp -d 192.168.xxx.3 --dport 443 -j ACCEPT

Allow Traffic on Host:

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Enable IP Forwarding:

To make this change persistent across reboots, edit /etc/sysctl.conf and ensure the following line is uncommented:

net.ipv4.ip_forward = 1

Apply the changes with:

sudo sysctl -p
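Because the rules above only exist in kernel memory, they have to be re-applied after every reboot of pve1. The script below is an added example, not code from the original post: it wraps the same DNAT and FORWARD rules so they can be re-run safely (each rule is checked with iptables -C before being appended, so a second run never duplicates it), and it adds the outbound MASQUERADE the host is described as relying on. VM_IP keeps the post's placeholder address; WAN_IF (vmbr0), the interface restriction and the conntrack state matches are my assumptions about the host, not something the post specifies.

```shell
#!/bin/sh
# Added example, not code from the original post: idempotent version of the
# host-side setup on pve1, meant to be re-run after every reboot (for instance
# from a systemd unit or a cron @reboot entry). Every rule is checked with
# `iptables -C` before `iptables -A`, so running it twice never duplicates it.
set -eu

VM_IP="${VM_IP:-192.168.xxx.3}"   # placeholder from the post: real address of VM 100
WAN_IF="${WAN_IF:-vmbr0}"         # assumption: the bridge that carries the public IP
IPT="${IPT:-iptables}"

# ensure_rule TABLE CHAIN RULE... : append RULE to CHAIN only if it is not already there
ensure_rule() {
    table=$1; chain=$2; shift 2
    if "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        echo "exists: -t $table $chain $*"
    else
        "$IPT" -t "$table" -A "$chain" "$@"
        echo "added:  -t $table $chain $*"
    fi
}

# forward_port PORT : DNAT PORT arriving on WAN_IF to the VM and let it through FORWARD
forward_port() {
    port=$1
    ensure_rule nat PREROUTING -i "$WAN_IF" -p tcp --dport "$port" \
        -j DNAT --to-destination "$VM_IP:$port"
    ensure_rule filter FORWARD -i "$WAN_IF" -d "$VM_IP" -p tcp --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

apply_all() {
    forward_port 80
    forward_port 443
    # replies from the VM back to the client, matched by connection state
    ensure_rule filter FORWARD -s "$VM_IP" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # outbound NAT for the VM (the masquerading NAT the post's host relies on)
    ensure_rule nat POSTROUTING -s "$VM_IP" -o "$WAN_IF" -j MASQUERADE
    # immediate effect; /etc/sysctl.conf keeps the setting across reboots as described above
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

case "${1:-}" in
    apply) apply_all ;;
    *) echo "usage: $0 apply" >&2 ;;
esac
```

Run it as root with `sh forward.sh apply`; the output tells you which rules were added and which were already present. Note that DNATed packets are routed through the FORWARD chain, not delivered locally, so the host's own INPUT rules for 80 and 443 only matter if the host itself listens on those ports.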

Verify the Configuration

To check if the port forwarding is working, you can:

Try accessing the web service on the host IP (e.g., http://public.ip.address or https://your.public.ip.address).

Ensure the VM’s web service is running and listening on the correct ports (80 for HTTP and 443 for HTTPS).

Save the iptables Rules

If everything works as expected, save your iptables rules to ensure they persist across reboots.

For most Linux distributions, you can save the rules with the command below (the /etc/iptables directory is created by the iptables-persistent package, so install that first if the directory does not exist yet):

sudo iptables-save > /etc/iptables/rules.v4

Check again to see that the ports are being forwarded to the right VM IP address.

List all iptables rules, including NAT (Network Address Translation):

sudo iptables -t nat -L -n -v --line-numbers


Check Forward Rules

sudo iptables -L FORWARD -n -v --line-numbers
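Reading the two listings by eye is how the post does this check; the script below is an added example, not code from the original post, that automates it by parsing iptables-save output and confirming that each public port is DNATed to the expected VM address and accepted by FORWARD. It assumes the iptables-save format (a `-m tcp` match inserted after `-p tcp`, host addresses printed with `/32`). The sample text inside it is constructed, with a deliberately stale rule for 443 that still points at an old VM address, which is exactly the mismatch this check is meant to catch.

```shell
#!/bin/sh
# Added example, not code from the original post: automates the "check again"
# step by parsing `iptables-save` output. SAMPLE_SAVE is constructed test data
# in iptables-save format; the 443 rule points at a stale VM address on purpose.
set -eu

SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.xxx.3:80
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.xxx.9:443
-A POSTROUTING -s 192.168.xxx.3/32 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -d 192.168.xxx.3/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.xxx.3/32 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

# dnat_target SAVE_TEXT PORT : print the --to-destination of the first PREROUTING
# DNAT rule for PORT, or nothing if there is none
dnat_target() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "-A" && $2 == "PREROUTING" {
            dp = ""; tgt = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport") dp = $(i + 1)
                if ($i == "--to-destination") tgt = $(i + 1)
            }
            if (dp == port && tgt != "") { print tgt; exit }
        }'
}

# forward_allowed SAVE_TEXT PORT VM_IP : succeed if FORWARD accepts PORT towards VM_IP
forward_allowed() {
    printf '%s\n' "$1" | grep -Eq -- "^-A FORWARD .*-d $3(/32)? .*--dport $2 .*-j ACCEPT$"
}

# check_port SAVE_TEXT PORT VM_IP : print one status line, succeed only if everything matches
check_port() {
    text=$1; port=$2; vm=$3
    tgt=$(dnat_target "$text" "$port")
    if [ -z "$tgt" ]; then
        echo "$port: no DNAT rule in PREROUTING"; return 1
    elif [ "$tgt" != "$vm:$port" ]; then
        echo "$port: DNAT goes to $tgt, expected $vm:$port"; return 1
    elif ! forward_allowed "$text" "$port" "$vm"; then
        echo "$port: DNAT ok but FORWARD does not accept it"; return 1
    fi
    echo "$port: ok -> $tgt"
}

# verify_live VM_IP : run the checks against the host's live rule set and ip_forward
verify_live() {
    rc=0
    live=$(iptables-save)
    for p in 80 443; do check_port "$live" "$p" "$1" || rc=1; done
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || { echo "ip_forward is off"; rc=1; }
    return "$rc"
}

case "${1:-}" in
    "") echo "usage: $0 VM_IP   (e.g. $0 192.168.xxx.3)" >&2 ;;
    *) verify_live "$1" ;;
esac
```

Run it as root with `sh check-forward.sh 192.168.xxx.3` after a reboot; a non-zero exit means at least one port is not forwarded to the VM you expect, or IP forwarding is off, which are the host-side causes of a Cloudflare 521 this post is about.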


Save the current iptables rules

Install iptables-persistent first: the package creates /etc/iptables, which has to exist before iptables-save can write rules.v4 there, and netfilter-persistent is the service that reloads that file at boot.

sudo apt install iptables-persistent
sudo iptables-save > /etc/iptables/rules.v4
sudo netfilter-persistent save
sudo systemctl enable netfilter-persistent