[libvirt] DNAT, bridge, iptables and network

Mihamina Rakotomandimby mihamina at gulfsat.mg
Fri Jan 8 07:32:45 UTC 2010

Manao ahoana, Hello, Bonjour,

My server has 3 public IPs: IP1, IP2, IP3.
I intend to create 3 bridges: virbr1, virbr2, virbr3.

Each bridge will NAT from 3 to 5 KVM guests.

About IP1:
I would like incoming connections on IP1 to:
  - IP1:80   to be DNAT'd to one virbr1 VM,     specialized on HTTP
  - IP1:3306 to be DNAT'd to another virbr1 VM, specialized on MySQL
  - IP1:53   to be DNAT'd to another virbr1 VM, specialized on DNS

Same about IP2 and IP3.

Should I assign a public IP address to each bridge?
I think "no" because there will be a problem of network segment:
--> What range will I give to the guests?

I think my only solution is to give private IPs (192.168.X.X) to the
bridges (3 separate subnets), and use iptables with something like:

  # HTTP: rewrite the destination of packets arriving for IP1:80 to the HTTP guest
  iptables -t nat -A PREROUTING -p tcp -m tcp -d $IP1 --dport 80 \
       -j DNAT --to-destination $VIRBR1_HTTP_GUEST
  # MySQL: same for IP1:3306, to the MySQL guest
  iptables -t nat -A PREROUTING -p tcp -m tcp -d $IP1 --dport 3306 \
       -j DNAT --to-destination $VIRBR1_MySQL_GUEST
  # DNS: UDP port 53 to the DNS guest
  iptables -t nat -A PREROUTING -p udp -d $IP1 --dport 53 \
       -j DNAT --to-destination $VIRBR1_DNS_GUEST

Should this be alright?

More information: I use Ubuntu 9.10

Misaotra, Thanks, Merci.

       Architecte Informatique chez Blueline/Gulfsat:
    Administration Systeme, Recherche & Developpement
                +261 34 29 155 34 / +261 33 11 207 36
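The rule set sketched in the message above is missing one piece that bites on a libvirt host: libvirt ends its own FORWARD rules for each virbrN with a REJECT, so a DNAT'd packet is translated in PREROUTING and then refused in FORWARD unless an ACCEPT is inserted ahead of libvirt's rules. The script below is an added example, not code from the original message or from libvirt; it generates (rather than executes) the PREROUTING DNAT rule and the matching FORWARD rule for each published service, so the result can be reviewed before being applied as root. All addresses, the bridge name and the guest IPs are constructed placeholders.

```shell
#!/bin/sh
# Emits the iptables commands for publishing guest services through DNAT.
# Printing instead of executing lets the rule set be reviewed first;
# pipe the output into `sh` (as root) to apply it.
#
# Every address and interface name below is a constructed placeholder,
# not a value from the original message.

IP1="203.0.113.10"                  # constructed: first public IP of the host
VIRBR1="virbr1"                     # bridge carrying the IP1 guests
VIRBR1_HTTP_GUEST="192.168.101.10"  # constructed guest addresses on virbr1
VIRBR1_MYSQL_GUEST="192.168.101.11"
VIRBR1_DNS_GUEST="192.168.101.12"

# publish_service PUBLIC_IP BRIDGE PROTO PORT GUEST_IP
# Prints two rules:
#  1. the PREROUTING DNAT, limited to one public IP, protocol and port;
#  2. a FORWARD accept that is *inserted* (-I) ahead of libvirt's own
#     rules, because libvirt's "-o virbrN -j REJECT" would otherwise
#     refuse the translated packet. It only accepts the published port,
#     so nothing else on the guest becomes reachable from outside.
# Replies need no extra SNAT rule: conntrack reverses the DNAT for them.
publish_service() {
    public_ip=$1 bridge=$2 proto=$3 port=$4 guest_ip=$5
    case $proto in
        tcp|udp) ;;
        *) echo "bad protocol: $proto" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "port out of range: $port" >&2; return 1
    }
    printf 'iptables -t nat -A PREROUTING -d %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$public_ip" "$proto" "$port" "$guest_ip" "$port"
    printf 'iptables -I FORWARD -o %s -d %s -p %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$bridge" "$guest_ip" "$proto" "$port"
}

# The three IP1 services from the message: HTTP, MySQL and DNS.
ip1_rules() {
    publish_service "$IP1" "$VIRBR1" tcp 80   "$VIRBR1_HTTP_GUEST"  &&
    publish_service "$IP1" "$VIRBR1" tcp 3306 "$VIRBR1_MYSQL_GUEST" &&
    publish_service "$IP1" "$VIRBR1" udp 53   "$VIRBR1_DNS_GUEST"
}

ip1_rules
```

Two practical notes. The DNAT targets only work if each guest keeps a fixed address, so pin them in the libvirt network definition (a `<host mac="..." ip="..."/>` entry under `<dhcp>`) rather than relying on whatever the DHCP pool hands out. And PREROUTING is not traversed by packets the host itself originates, so testing the mapping from the host with `IP1:80` will not exercise these rules; test from another machine.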
