I recently set up a Hetzner bare metal host to share a few services with friends. The apps themself run in isolated LXC containers on a Proxmox host.

Most Tutorials will get you far enough to to run your apps in a VM and forward traffic (usually tcp/80 and tcp/443) via iptables. If your public IPv4 address is and your VM is then you will have added a rule like:

-t nat -A PREROUTING -i <your-interface>
-p tcp -d ''
--dport 443 -j DNAT

which will work fine … until you want to access a service running on one of the NAT'ed VMs, from the VM itself. 😱

In my case - I wanted to set up a Statping-ng instance (that's now public at http://ping.bascht.space by the way) - that monitors other services on adjacent VMs.

Above prerouting rule will only apply to packets entering the machine on said interface. To route packages from the machine itself, you will need to add an OUTPUT rule almost identical to the existing ones. In my case:

-t nat -A OUTPUT
-p tcp --dst ''
--dport 443 -j DNAT

And voila - packets flow. 🎉