[libvirt-users] Recommended change for the networking page in wiki

BJ taylors2004 at gmail.com
Mon Jun 8 19:24:16 UTC 2015


Hello all,

I was told on IRC that I should come here to discuss a recommended change
on the networking page in the wiki.

If you take a look at the "Basic Script" shown here:
http://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections

It does two things:
1) Create a DNAT rule in the NAT table of IPTABLES
2) Create a FORWARD rule in the FILTER table of IPTABLES

The FORWARD rule is set up as it ought to be, however, the DNAT rule has
some unintended consequences. I set up a DNAT on port 80, and suddenly, I
couldn't access out on port 80 anymore from my guest machine. However, if I
changed the destination address from "anywhere" to the IP of the host
machine, the problem resolved. So I changed the script as follows.
(Changes are highlighted. For some reason the original script didn't work
using /bin/sh, but it did with /bin/bash, so I changed that too).

#!/bin/bash
# changed: shebang was /bin/sh (arrays and the [@] expansion need bash)
# used some from advanced script to have multiple ports: use an equal
# number of guest and host ports
#
# libvirt runs this as the qemu hook with $1 = guest name, $2 = operation

Guest_name=xxxxxxx
Guest_ipaddr=xxx.xxx.xxx.xx
Host_ipaddr=xxx.xxx.xxx.xx   # changed: added, the host's own address
Host_port=( '80' '443' )
Guest_port=( '80' '443' )
length=$(( ${#Host_port[@]} - 1 ))

if [ "${1}" = "${Guest_name}" ]; then
   if [ "${2}" = "stopped" -o "${2}" = "reconnect" ]; then
       for i in $(seq 0 "$length"); do
           # changed: DNAT only for traffic addressed to the host (-d ${Host_ipaddr})
           iptables -t nat -D PREROUTING -d "${Host_ipaddr}" -p tcp --dport "${Host_port[$i]}" -j DNAT --to "${Guest_ipaddr}:${Guest_port[$i]}"
           iptables -D FORWARD -d "${Guest_ipaddr}/32" -p tcp -m state --state NEW -m tcp --dport "${Guest_port[$i]}" -j ACCEPT
       done
   fi
   if [ "${2}" = "start" -o "${2}" = "reconnect" ]; then
       for i in $(seq 0 "$length"); do
           # changed: same -d ${Host_ipaddr} restriction when adding the rule
           iptables -t nat -A PREROUTING -d "${Host_ipaddr}" -p tcp --dport "${Host_port[$i]}" -j DNAT --to "${Guest_ipaddr}:${Guest_port[$i]}"
           iptables -I FORWARD 4 -d "${Guest_ipaddr}/32" -p tcp -m state --state NEW -m tcp --dport "${Guest_port[$i]}" -j ACCEPT
       done
   fi
fi


Lastly, I should note that I am using Ubuntu 14.04, both for the host and
guest.

I'm also curious as to why this is considered a hack method. It states in
the wiki that "This method is a hack", but it doesn't express why. Many VM
servers have similar features. I know VirtualBox does, I use the same
feature there. It may not be how I would set up a production server, but
that doesn't make it a hack.

Thanks,
BJ
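The breakage BJ describes (guest loses outbound port 80 once the unrestricted DNAT rule is in place) follows from how the nat PREROUTING chain sees traffic: packets the guest sends out through the libvirt bridge enter the host and traverse PREROUTING just like packets from the internet do. A DNAT rule that matches only on `-p tcp --dport 80`, with no `-d` restriction, therefore also rewrites the guest's own outgoing web requests back to the guest. The following is an added example, not code from the wiki or from BJ's message: a small Python model of PREROUTING DNAT matching that replays both rule variants against an inbound and an outbound packet. The addresses (192.0.2.10 for the host, 192.168.122.10 for the guest on libvirt's default NAT subnet, 203.0.113.80 as a remote web server, 198.51.100.7 as a remote client) are constructed from documentation ranges, and the `Packet`/`DnatRule` classes are this example's own simplification, not an iptables API.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """A TCP packet as seen by the host's nat PREROUTING chain (constructed model)."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class DnatRule:
    """Model of: iptables -t nat -A PREROUTING [-d DST] -p PROTO --dport DPORT -j DNAT --to TO_ADDR:TO_PORT.

    dst=None models the wiki script's original rule, which has no -d and so
    matches packets to *any* destination address ("anywhere").
    """
    dport: int
    to_addr: str
    to_port: int
    dst: Optional[str] = None
    proto: str = "tcp"

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto or pkt.dport != self.dport:
            return False
        return self.dst is None or pkt.dst == self.dst

    def iptables_args(self, op: str = "-A") -> str:
        """Render the rule as the argument list the hook script would pass to iptables."""
        dst = f"-d {self.dst} " if self.dst else ""
        return (f"-t nat {op} PREROUTING {dst}-p {self.proto} --dport {self.dport} "
                f"-j DNAT --to {self.to_addr}:{self.to_port}")


def prerouting(pkt: Packet, rules: List[DnatRule]) -> Packet:
    """Walk the chain; the first matching DNAT rule rewrites the destination, later rules are skipped."""
    for rule in rules:
        if rule.matches(pkt):
            return Packet(pkt.src, rule.to_addr, rule.to_port, pkt.proto)
    return pkt


# Constructed addresses (documentation ranges; 192.168.122.0/24 is libvirt's default NAT network).
HOST_IP = "192.0.2.10"
GUEST_IP = "192.168.122.10"
REMOTE_WEB = "203.0.113.80"
REMOTE_CLIENT = "198.51.100.7"

UNRESTRICTED = DnatRule(dport=80, to_addr=GUEST_IP, to_port=80)            # wiki version, no -d
RESTRICTED = DnatRule(dport=80, to_addr=GUEST_IP, to_port=80, dst=HOST_IP)  # BJ's version

INBOUND = Packet(src=REMOTE_CLIENT, dst=HOST_IP, dport=80)    # internet client -> host:80
OUTBOUND = Packet(src=GUEST_IP, dst=REMOTE_WEB, dport=80)     # guest browsing the web


def compare() -> dict:
    """Return where each packet ends up under each rule variant."""
    return {
        "inbound_unrestricted": prerouting(INBOUND, [UNRESTRICTED]).dst,
        "inbound_restricted": prerouting(INBOUND, [RESTRICTED]).dst,
        "outbound_unrestricted": prerouting(OUTBOUND, [UNRESTRICTED]).dst,
        "outbound_restricted": prerouting(OUTBOUND, [RESTRICTED]).dst,
    }


if __name__ == "__main__":
    for name, dst in compare().items():
        print(f"{name:22s} -> {dst}")
    print(RESTRICTED.iptables_args())
```

Under the unrestricted rule the guest's request to 203.0.113.80:80 leaves PREROUTING re-addressed to 192.168.122.10:80, i.e. to the guest itself, which is exactly the "can't access out on port 80" symptom; with `-d` set to the host address the outbound packet passes untouched while inbound port-forwarding still works. The same reasoning applies to any other forwarded port.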