[libvirt-users] iptables: cannot port forward

Gao Yongwei itxx00 at gmail.com
Mon Aug 13 23:55:10 UTC 2012


2012/8/13 Mauricio Tavares <raubvogel at gmail.com>:
>       Easy question here: I have a test network that looks like this
> (apologies for my lack of ascii skills):
>
> [hostc]---------------[Firewall]192.168.42.1 (EXTIF: eth0) /10.0.0.1
> (INTIF: eth1)
> 192.168.42.10    (wan)    |(lan)
>                           |
>                           +-------------[hosta] 10.0.0.10 (port 4242)
>                           |
>                           +-------------[hostb] 10.0.0.20 (port 2424)
>
> All of those machines are vms I created using virsh/libvirt. In fact,
> the "wan" is a network that exists only inside virsh. "lan" is a vlan
> my desktop also belongs to; I did that so I could always connect even
> when I screwed the firewall up. So, using iptables I created a little
> set of rules to forward port 2424 in 192.168.42.1 to 10.0.0.20:2424 :
>
>
> $IPTABLES -t nat -A PREROUTING --dst 192.168.42.1 -p tcp --dport 2424
> -m comment --comment "test" -j DNAT --to-destination 10.0.0.20:2424
>
> cat >> /etc/sysctl.conf << 'EOF'
> # Custom Settings for Forwarding and OpenSwan
> net.ipv4.ip_forward=1
> net.ipv4.conf.all.accept_redirects = 0
> net.ipv4.conf.default.accept_redirects = 0
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.conf.default.send_redirects = 0
> EOF
> sysctl -p
>
> So, in 10.0.0.20 I do "nc -l 2424". But when I go to hostc and then
> try to do "nc -v 192.168.41.1 2424", connection does not take place.
> Thinking I've done something wrong, I replicated the very same setup
> in virtualbox down to the network layout. It works. So, I went to the
> firewall vm and replaced the network interface from virtio to e1000.
> Still did not work. What am I missing here?
>
You could try the rule below to replace your "$IPTABLES -A FORWARD
-o $INTIF -i $EXTIF -j ACCEPT":

iptables -I FORWARD -i br0 -o virbr0 -p tcp -m state --state NEW -j ACCEPT

NB, I use "-I" to insert this rule in front of all other rules.
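Added illustration (not part of Gao's reply, the original question, or anything libvirt ships): why "-I" rather than "-A" matters here. libvirt manages the FORWARD chain for its NAT networks and ends its block of rules with two REJECTs for the bridge, so an ACCEPT appended after them is never reached. The script below walks a FORWARD chain dump in the format `iptables -S FORWARD` prints, first match wins, exactly as netfilter does, for the DNATed packet hostc sends. The bridge names br0 and virbr0 come from the reply, the 10.0.0.0/24 subnet from the asker's diagram; the two rulesets are constructed samples modelled on libvirt's default NAT rules, and the matcher only understands -i, -o, -p, -s, -d and --state/--ctstate (no --dport, no negation).

```shell
#!/bin/sh
# Constructed sample: libvirt's usual FORWARD rules for a NAT bridge
# (virbr0), with the ACCEPT for br0->virbr0 *appended* (-A) at the end,
# i.e. after libvirt's two REJECT rules.
APPENDED='-P FORWARD ACCEPT
-A FORWARD -d 10.0.0.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -o virbr0 -p tcp -m state --state NEW -j ACCEPT'

# Same chain after the rule was *inserted* (-I) instead: it is now rule 1,
# ahead of everything libvirt put there.
INSERTED='-P FORWARD ACCEPT
-A FORWARD -i br0 -o virbr0 -p tcp -m state --state NEW -j ACCEPT
-A FORWARD -d 10.0.0.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable'

# forward_verdict DUMP IN_IF OUT_IF PROTO STATE SRC DST
# Prints the target of the first rule matching the described packet, or the
# chain policy if no rule matches (first-match traversal, like netfilter).
forward_verdict() {
  printf '%s\n' "$1" | awk -v iif="$2" -v oif="$3" -v proto="$4" \
                           -v state="$5" -v src="$6" -v dst="$7" '
  function ip2int(a,  p) { split(a, p, "."); return ((p[1]*256+p[2])*256+p[3])*256+p[4] }
  # 1 if dotted-quad ip lies inside cidr (a.b.c.d or a.b.c.d/bits)
  function incidr(ip, cidr,  q, n, bits, div) {
    n = split(cidr, q, "/"); bits = (n == 2) ? q[2] : 32
    div = 2 ^ (32 - bits)
    return int(ip2int(ip) / div) == int(ip2int(q[1]) / div)
  }
  # 1 if the packet state appears in a comma-separated --state list
  function instates(list,  s, i, n) {
    n = split(list, s, ",")
    for (i = 1; i <= n; i++) if (s[i] == state) return 1
    return 0
  }
  $1 == "-P" { policy = $3; next }
  $1 == "-A" {
    ok = 1; target = ""
    for (i = 3; i <= NF; i++) {
      if      ($i == "-i") ok = ok && ($(i+1) == iif)
      else if ($i == "-o") ok = ok && ($(i+1) == oif)
      else if ($i == "-p") ok = ok && ($(i+1) == proto)
      else if ($i == "-s") ok = ok && incidr(src, $(i+1))
      else if ($i == "-d") ok = ok && incidr(dst, $(i+1))
      else if ($i == "--state" || $i == "--ctstate") ok = ok && instates($(i+1))
      else if ($i == "-j") target = $(i+1)
      # -m, --reject-with and similar carry no match of their own here
    }
    if (ok && !done) { print target; done = 1 }
  }
  END { if (!done) print policy }'
}

# The packet hostc sends once PREROUTING DNAT has rewritten the destination
# to hostb: arrives on br0, leaves via virbr0, TCP, NEW connection.
forward_verdict "$APPENDED" br0 virbr0 tcp NEW 192.168.42.10 10.0.0.20   # REJECT
forward_verdict "$INSERTED" br0 virbr0 tcp NEW 192.168.42.10 10.0.0.20   # ACCEPT
# hostb's reply, virbr0 -> br0, is covered by libvirt's own "-s 10.0.0.0/24 -i virbr0" rule.
forward_verdict "$INSERTED" virbr0 br0 tcp ESTABLISHED 10.0.0.20 192.168.42.10   # ACCEPT
```

With the rule appended, the walk stops at libvirt's "-o virbr0 -j REJECT" (rule 4) and hostc gets an ICMP port-unreachable, which is what a silent "connection does not take place" in nc usually hides. A quick way to see the same thing on the firewall itself is `iptables -L FORWARD -nv --line-numbers` and checking which rule's packet counter climbs while nc retries.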