# Cloudflare Error 521: Proxmox Host and VM with Web Servers Are Down

Cloudflare Error 521: web server is down

#### Things to check:

- Check the error logs
- Check that all services are running (Nginx, PHP-FPM, MySQL)
- Check the firewall forwarding rules
- Check the Cloudflare DNS records
- Check whether the domain has expired

#### My Host infrastructure:

- Host: Proxmox pve1
    - pve1 has firewall rules and a masquerading NAT route that forwards ports 80 and 443 to VM 100
    - The Proxmox host runs VM 100
        - VM 100 has firewall rules that allow it to respond back to the host pve1

### Problem 1: Proxmox Host Firewall Rules are Gone after Restart

The problem here is that when the Proxmox host pve1 is restarted, all of its firewall rules are gone.

#### Solution:

IP address of VM 100: 192.168.xxx.3

##### Port Forwarding

Forward port for HTTP (port 80):

```bash
# Rewrite the destination of incoming TCP/80 packets to the VM (nat table, before routing)
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.xxx.3:80
# Let the rewritten packets pass through the host's FORWARD chain to the VM
sudo iptables -A FORWARD -p tcp -d 192.168.xxx.3 --dport 80 -j ACCEPT
```

Forward port for HTTPS (port 443):

```bash
# Same as above for TCP/443
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.xxx.3:443
sudo iptables -A FORWARD -p tcp -d 192.168.xxx.3 --dport 443 -j ACCEPT
```

Allow traffic on the host. Note that packets DNAT'd to the VM traverse the FORWARD chain, not INPUT, so these INPUT rules only matter for a service listening on ports 80/443 on the host itself; if nothing on the host listens there, they can be left out:

```bash
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
```

Enable IP forwarding (without it the kernel drops the DNAT'd packets instead of forwarding them to the VM):

To make this change persistent across reboots, edit `/etc/sysctl.conf` and ensure the following line is uncommented:

```bash
net.ipv4.ip_forward = 1
```

Apply the change with:

```bash
sudo sysctl -p
```

##### Verify the Configuration

To check if the port forwarding is working, you can:

Try accessing the web service via the host's public IP (e.g., http://public.ip.address or https://your.public.ip.address).

Ensure the VM’s web service is running and listening on the correct ports (80 for HTTP and 443 for HTTPS).

##### Save the iptables Rules

If everything works as expected, save your `iptables` rules to ensure they persist across reboots.

On Debian-based systems (Proxmox VE included) the rules are kept in `/etc/iptables/rules.v4`, a path that the `iptables-persistent` package provides. Pipe through `tee` rather than using a plain `>` redirect, because the redirect would run as the unprivileged user and fail with "Permission denied":

```bash
sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null
```

Check again to confirm that the ports are being forwarded to the right VM IP address.

List all `iptables` rules in the NAT (Network Address Translation) table:

```bash
sudo iptables -t nat -L -n -v --line-numbers
```

[![image.png](https://wiki.kyluat.com/uploads/images/gallery/2025-05/scaled-1680-/pnjimage.png)](https://wiki.kyluat.com/uploads/images/gallery/2025-05/pnjimage.png)

Check the FORWARD chain:

```bash
sudo iptables -L FORWARD -n -v --line-numbers
```

[![image.png](https://wiki.kyluat.com/uploads/images/gallery/2025-05/scaled-1680-/ZuDimage.png)](https://wiki.kyluat.com/uploads/images/gallery/2025-05/ZuDimage.png)
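The two listing commands above are the manual check; after a reboot it is useful to run the same check automatically. The following is an added example, not code from the original page: it parses `iptables-save` output and reports which of this page's rules (the PREROUTING DNAT, the FORWARD ACCEPT, and `net.ipv4.ip_forward`) are missing for each port, which is exactly what leaves Cloudflare showing a 521. The VM address 192.168.50.3 and the sample dump are constructed.

```python
import shlex

# Constructed sample of `iptables-save` output after a reboot; the FORWARD
# ACCEPT rule for port 443 is deliberately absent. The VM address is assumed.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.50.3:80
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.50.3:443
-A POSTROUTING -o vmbr0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -d 192.168.50.3/32 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

def parse_rules(dump):
    """Return (table, chain, {option: value}) for every '-A' line of an iptables-save dump."""
    table, rules = None, []
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]  # '*nat' / '*filter'
        elif line.startswith("-A "):
            toks = shlex.split(line)
            opts = {t: toks[i + 1] for i, t in enumerate(toks[:-1])
                    if t.startswith("-") and not toks[i + 1].startswith("-")}
            rules.append((table, toks[1], opts))
    return rules

def missing_forwards(dump, vm_ip, ports=(80, 443), ip_forward="1"):
    """List what is missing for ports to reach the VM; an empty list means forwarding is intact.
    ip_forward is the content of /proc/sys/net/ipv4/ip_forward."""
    rules = parse_rules(dump)
    problems = [] if ip_forward.strip() == "1" else ["net.ipv4.ip_forward is not 1"]
    for port in ports:
        dnat = any(t == "nat" and c == "PREROUTING" and o.get("-p") == "tcp"
                   and o.get("--dport") == str(port) and o.get("-j") == "DNAT"
                   and o.get("--to-destination") == f"{vm_ip}:{port}" for t, c, o in rules)
        fwd = any(t == "filter" and c == "FORWARD" and o.get("-j") == "ACCEPT"
                  and o.get("-d", "").split("/")[0] == vm_ip
                  and o.get("--dport") == str(port) for t, c, o in rules)
        if not dnat:
            problems.append(f"no PREROUTING DNAT for tcp/{port} -> {vm_ip}")
        if not fwd:
            problems.append(f"no FORWARD ACCEPT for {vm_ip} tcp/{port}")
    return problems

if __name__ == "__main__":  # on the real host, feed `sudo iptables-save` output instead of the sample
    print(missing_forwards(SAMPLE_DUMP, "192.168.50.3") or "forwarding rules intact")
```

On the host, pass the real `sudo iptables-save` output and the content of `/proc/sys/net/ipv4/ip_forward` to `missing_forwards`; a non-empty result after a reboot is the "rules are gone" problem from this page.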

##### Make the iptables rules persistent

Install `iptables-persistent` first (it creates `/etc/iptables/`), then save the running rules and enable the service that reloads them at boot:

```bash
# Provides /etc/iptables/ and the netfilter-persistent service
sudo apt install iptables-persistent
# Write the running rules to /etc/iptables/rules.v4 (via tee, since a plain > redirect would run unprivileged)
sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null
# Or let the service save them itself, then make sure it reloads them on every boot
sudo netfilter-persistent save
sudo systemctl enable netfilter-persistent
```