<div dir="ltr"><div><br></div><div>Thanks for the reply!</div><div>output:<br></div><div>net.ipv4.ip_forward = 1</div><div><br></div><div>What do you mean "The out:any and"?</div><div><br></div><div>Anywhere else I can look as to why the connection isn't going?</div><div>Do I need some kind of listener at that port on the host? I'm not even seeing the packet count on the prerouting chain increase when the connection attempts are made.<br></div><br><br><div class="gmail_quote"><div dir="ltr">On Thu, Aug 30, 2018 at 8:58 AM Martin Kletzander <<a href="mailto:mkletzan@redhat.com">mkletzan@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Wed, Aug 29, 2018 at 06:31:41PM -0400, Rhys Ferris wrote:<br>
>Hello all,<br>
><br>
>I’m currently trying to figure out how to forward ports to guests that are on a NAT Network. I have followed the directions on <a href="https://wiki.libvirt.org/page/Networking" rel="noreferrer" target="_blank">https://wiki.libvirt.org/page/Networking</a> under the “Forwarding Incoming Connections” Section and get connection refused when attempting to connect.<br>
><br>
>System: Ubuntu Server 18.04.1<br>
>Virsh / LibVirtd Version: 4.0.0<br>
><br>
>Here’s the contents of /etc/libvirt/hooks/qemu<br>
> <br>
>#!/bin/bash<br>
># libvirt qemu hook: $1 is the guest name, $2 the operation (start, stopped, reconnect, ...).<br>
> <br>
># IMPORTANT: Change the "VM NAME" string to match your actual VM Name.<br>
># In order to create rules to other VMs, just duplicate the below block and configure<br>
># it accordingly.<br>
>if [ "${1}" = "testy" ]; then<br>
> <br>
> # Update the following variables to fit your setup<br>
> GUEST_IP='10.128.10.100'<br>
> GUEST_PORT='22'<br>
> HOST_PORT='2588'<br>
> # Bridge of the libvirt network the guest is attached to. It must match the<br>
> # bridge name= of that network: the "olympus" network below uses virbr1, not the<br>
> # default network's virbr0, and a FORWARD rule with -o virbr0 never matches<br>
> # packets routed to 10.128.10.100 via virbr1.<br>
> BRIDGE='virbr1'<br>
> <br>
> if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then<br>
> /sbin/iptables -D FORWARD -o "$BRIDGE" -d "$GUEST_IP" -j ACCEPT<br>
> /sbin/iptables -t nat -D PREROUTING -p tcp --dport "$HOST_PORT" -j DNAT --to "$GUEST_IP:$GUEST_PORT"<br>
> fi<br>
> if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then<br>
> # -I puts the rules ahead of libvirt's own "-o $BRIDGE -j REJECT" rule in FORWARD<br>
> /sbin/iptables -I FORWARD -o "$BRIDGE" -d "$GUEST_IP" -j ACCEPT<br>
> /sbin/iptables -t nat -I PREROUTING -p tcp --dport "$HOST_PORT" -j DNAT --to "$GUEST_IP:$GUEST_PORT"<br>
<br>
I would do the rules differently, but since it is on the wiki, I'll believe it<br>
works. You probably checked, but just to make sure, what is the output of<br>
`sysctl net.ipv4.ip_forward` ?<br>
<br>
> fi<br>
>fi<br>
><br>
><br>
>Here’s my network XML<br>
><network><br>
> <name>olympus</name><br>
> <uuid>3b0d968c-8166-42f7-8109-e5f0317cab42</uuid><br>
> <forward mode='nat'><br>
> <nat><br>
> <port start='1024' end='65535'/><br>
> </nat><br>
> </forward><br>
> <bridge name='virbr1' stp='on' delay='0'/><br>
> <mac address='52:54:00:bb:18:6b'/><br>
> <ip address='10.128.10.1' netmask='255.255.255.0'><br>
> <dhcp><br>
> <range start='10.128.10.2' end='10.128.10.254'/><br>
> <host mac='52:54:00:8d:f5:0c' name='testy' ip='10.128.10.100'/><br>
> </dhcp><br>
> </ip><br>
></network><br>
><br>
>And here’s the results of iptables -L -vt nat:<br>
>BEFORE VM BOOT:<br>
>Chain PREROUTING (policy ACCEPT 46615 packets, 6618K bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> <br>
>Chain INPUT (policy ACCEPT 46615 packets, 6618K bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> <br>
>Chain OUTPUT (policy ACCEPT 198K packets, 18M bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> <br>
>Chain POSTROUTING (policy ACCEPT 198K packets, 18M bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> 24 1812 RETURN all -- any any 10.128.10.0/24 base-address.mcast.net/24<br>
> 0 0 RETURN all -- any any 10.128.10.0/24 255.255.255.255<br>
> 17 1020 MASQUERADE tcp -- any any 10.128.10.0/24 !10.128.10.0/24 masq ports: 1024-65535<br>
> 15 1700 MASQUERADE udp -- any any 10.128.10.0/24 !10.128.10.0/24 masq ports: 1024-65535<br>
> 0 0 MASQUERADE all -- any any 10.128.10.0/24 !10.128.10.0/24<br>
> 22 1666 RETURN all -- any any 192.168.122.0/24 base-address.mcast.net/24<br>
> 0 0 RETURN all -- any any 192.168.122.0/24 255.255.255.255<br>
> 0 0 MASQUERADE tcp -- any any 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535<br>
> 8 1168 MASQUERADE udp -- any any 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535<br>
> 0 0 MASQUERADE all -- any any 192.168.122.0/24 !192.168.122.0/24<br>
> <br>
> <br>
>AFTER VM BOOT<br>
>Chain PREROUTING (policy ACCEPT 2 packets, 120 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> 0 0 DNAT tcp -- any any anywhere anywhere tcp dpt:2588 to:10.128.10.100:22<br>
> <br>
<br>
The out:any and<br>
<br>
>Chain INPUT (policy ACCEPT 2 packets, 120 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> <br>
>Chain OUTPUT (policy ACCEPT 18 packets, 1263 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> <br>
>Chain POSTROUTING (policy ACCEPT 18 packets, 1263 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
> 24 1812 RETURN all -- any any 10.128.10.0/24 base-address.mcast.net/24<br>
> 0 0 RETURN all -- any any 10.128.10.0/24 255.255.255.255<br>
> 17 1020 MASQUERADE tcp -- any any 10.128.10.0/24 !10.128.10.0/24 masq ports: 1024-65535<br>
> 15 1700 MASQUERADE udp -- any any 10.128.10.0/24 !10.128.10.0/24 masq ports: 1024-65535<br>
> 0 0 MASQUERADE all -- any any 10.128.10.0/24 !10.128.10.0/24<br>
> 22 1666 RETURN all -- any any 192.168.122.0/24 base-address.mcast.net/24<br>
> 0 0 RETURN all -- any any 192.168.122.0/24 255.255.255.255<br>
> 0 0 MASQUERADE tcp -- any any 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535<br>
> 8 1168 MASQUERADE udp -- any any 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535<br>
> 0 0 MASQUERADE all -- any any 192.168.122.0/24 !192.168.122.0/24<br>
><br>
>And lastly heres what actually happens on attempt to SSH:<br>
>rhys@odin:~$ ssh rhys@172.16.99.170 -p 2258<br>
>ssh: connect to host 172.16.99.170 port 2258: Connection refused<br>
>rhys@odin:~$<br>
><br>
>The connection refused is instant, not a timeout.<br>
><br>
>I’ve ensured that ufw is disabled.<br>
><br>
>Any help appreciated. I just can’t figure this out.<br>
><br>
>Sent from Mail for Windows 10<br>
><br>
<br>
>_______________________________________________<br>
>libvirt-users mailing list<br>
><a href="mailto:libvirt-users@redhat.com" target="_blank">libvirt-users@redhat.com</a><br>
><a href="https://www.redhat.com/mailman/listinfo/libvirt-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/libvirt-users</a><br>
<br>
</blockquote></div></div>
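The hook and rules discussed in this thread, rewritten as an added example (this is not the script from the messages above, nor libvirt's own code). It keeps the wiki's DNAT-plus-FORWARD approach and the values visible in the thread (guest `testy`, 10.128.10.100:22 behind host port 2588 on the `olympus` network, whose XML defines bridge `virbr1`), and adds what a practitioner wants: the rule specifications built in one place, `-C` before `-I` so a `reconnect` does not stack duplicate rules, the FORWARD accept narrowed to the guest port instead of all traffic to the guest, an optional `EXT_IF` so the DNAT only applies to traffic arriving on the host-facing interface rather than on every interface including the virbr bridges, and a preflight that checks `net.ipv4.ip_forward` and that the bridge exists. `GUEST_NAME`, `EXT_IF`, `DRY_RUN`, `IPTABLES`, the function names and the `eth0` placeholder are assumptions introduced here.

```bash
#!/bin/bash
# Added example (not the hook from the thread or libvirt's code): a libvirt
# qemu hook forwarding one host TCP port to a guest on a NAT network, plus
# the checks to run before blaming the rules. Values below mirror the thread;
# GUEST_NAME, EXT_IF, DRY_RUN and IPTABLES are hypothetical knobs added here.
set -u

GUEST_NAME=${GUEST_NAME:-testy}
GUEST_IP=${GUEST_IP:-10.128.10.100}
GUEST_PORT=${GUEST_PORT:-22}
HOST_PORT=${HOST_PORT:-2588}
BRIDGE=${BRIDGE:-virbr1}        # must equal the bridge name= in the network XML
EXT_IF=${EXT_IF:-}              # e.g. eth0: apply the DNAT only on the host-facing NIC
IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-0}           # 1: print the iptables commands instead of running them

# rule_specs: one "TABLE CHAIN rule-spec" per line. The FORWARD accept is
# limited to the forwarded guest port; libvirt's own conntrack rule already
# lets the reply direction through.
rule_specs() {
    local in_match=""
    if [ -n "$EXT_IF" ]; then in_match="-i $EXT_IF "; fi
    printf 'nat PREROUTING %s-p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$in_match" "$HOST_PORT" "$GUEST_IP" "$GUEST_PORT"
    printf 'filter FORWARD -o %s -d %s -p tcp --dport %s -j ACCEPT\n' \
        "$BRIDGE" "$GUEST_IP" "$GUEST_PORT"
}

# emit_commands add|del: the iptables invocations for the rules above.
# "add" checks with -C first so repeated runs do not duplicate rules, and
# uses -I so the rules land ahead of libvirt's "-o $BRIDGE -j REJECT" in FORWARD.
emit_commands() {
    local action=$1 table chain spec
    rule_specs | while read -r table chain spec; do
        case $action in
            add) printf '%s -t %s -C %s %s || %s -t %s -I %s %s\n' \
                     "$IPTABLES" "$table" "$chain" "$spec" \
                     "$IPTABLES" "$table" "$chain" "$spec" ;;
            del) printf '%s -t %s -D %s %s\n' "$IPTABLES" "$table" "$chain" "$spec" ;;
        esac
    done
}

# apply add|del: run the commands, or print them when DRY_RUN=1.
apply() {
    local cmd
    emit_commands "$1" | while read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else eval "$cmd"; fi
    done
}

# hook_action NAME OPERATION: which rule actions a libvirt operation triggers.
# "reconnect" (libvirtd restarted) tears down and rebuilds, as the wiki hook does.
hook_action() {
    [ "$1" = "$GUEST_NAME" ] || { echo none; return 0; }
    case $2 in
        start)     echo add ;;
        stopped)   echo del ;;
        reconnect) echo "del add" ;;
        *)         echo none ;;
    esac
}

# preflight: conditions the rules depend on; warnings only, never fatal.
preflight() {
    local fwd
    fwd=$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo unknown)
    [ "$fwd" = 1 ] || echo "warning: net.ipv4.ip_forward=$fwd (must be 1)" >&2
    [ -d "/sys/class/net/$BRIDGE" ] || \
        echo "warning: bridge $BRIDGE does not exist; check the network XML" >&2
}

# hook_main NAME OPERATION: entry point libvirt calls as /etc/libvirt/hooks/qemu.
hook_main() {
    local a
    for a in $(hook_action "$1" "$2"); do
        case $a in
            add) preflight; apply add ;;
            del) apply del ;;
        esac
    done
}

# Only act when libvirt passes its arguments; sourcing the file for tests does nothing.
if [ $# -ge 2 ]; then
    hook_main "$1" "$2"
fi
```

Install it as /etc/libvirt/hooks/qemu (mode 0755) and restart libvirtd so the newly created hook is picked up; `DRY_RUN=1 ./qemu testy start` prints the rules it would add without touching the firewall. On the question asked in the reply above: no listener is needed on the host, because DNAT rewrites the destination before the kernel decides whether a packet is local, so a PREROUTING counter that stays at zero means the packets never matched the rule at all. Two things are worth checking against the thread's own output: the hook forwards HOST_PORT 2588 while the ssh attempt goes to port 2258, and a connection made from the KVM host itself to its own address traverses the nat OUTPUT chain, not PREROUTING, so that counter never moves and the host's own stack answers with an instant "Connection refused" for a port nobody listens on; test from another machine, or add an equivalent `-t nat -A OUTPUT` DNAT rule for local tests. `tcpdump -ni virbr1 port 22` then shows whether rewritten packets actually reach the bridge.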