[libvirt-users] Setting up port forwarding to guests on nat network

Martin Kletzander mkletzan at redhat.com
Thu Aug 30 12:58:14 UTC 2018


On Wed, Aug 29, 2018 at 06:31:41PM -0400, Rhys Ferris wrote:
>Hello all,
>
>I’m currently trying to figure out how to forward ports to guests that are on a NAT Network. I have followed the directions on https://wiki.libvirt.org/page/Networking under the “Forwarding Incoming Connections” Section and get connection refused when attempting to connect.
>
>System: Ubuntu Server 18.04.1
>Virsh / LibVirtd Version: 4.0.0
>
>Here’s the contents of /etc/libvirt/hooks/qemu
> 
>#!/bin/bash
> 
># IMPORTANT: Change the "VM NAME" string to match your actual VM Name.
># In order to create rules to other VMs, just duplicate the below block and configure
># it accordingly.
>if [ "${1}" = "testy" ]; then
> 
>   # Update the following variables to fit your setup
>   GUEST_IP='10.128.10.100'
>   GUEST_PORT='22'
>   HOST_PORT='2588'
> 
>   if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
>        /sbin/iptables -D FORWARD -o virbr0 -d  $GUEST_IP -j ACCEPT
>        /sbin/iptables -t nat -D PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
>   fi
>   if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
>        /sbin/iptables -I FORWARD -o virbr0 -d  $GUEST_IP -j ACCEPT
>        /sbin/iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT

I would do the rules differently, but since it is on the wiki, I'll believe it
works.  You probably checked, but just to make sure, what is the output of
`sysctl net.ipv4.ip_forward`?

>   fi
>fi
>
>
>Here’s my network XML
><network>
>  <name>olympus</name>
>  <uuid>3b0d968c-8166-42f7-8109-e5f0317cab42</uuid>
>  <forward mode='nat'>
>    <nat>
>      <port start='1024' end='65535'/>
>    </nat>
>  </forward>
>  <bridge name='virbr1' stp='on' delay='0'/>
>  <mac address='52:54:00:bb:18:6b'/>
>  <ip address='10.128.10.1' netmask='255.255.255.0'>
>    <dhcp>
>      <range start='10.128.10.2' end='10.128.10.254'/>
>      <host mac='52:54:00:8d:f5:0c' name='testy' ip='10.128.10.100'/>
>    </dhcp>
>  </ip>
></network>
>
>And here’s the results of iptables -L -vt nat:
>BEFORE VM BOOT:
>Chain PREROUTING (policy ACCEPT 46615 packets, 6618K bytes)
> pkts bytes target     prot opt in     out     source               destination
> 
>Chain INPUT (policy ACCEPT 46615 packets, 6618K bytes)
> pkts bytes target     prot opt in     out     source               destination
> 
>Chain OUTPUT (policy ACCEPT 198K packets, 18M bytes)
> pkts bytes target     prot opt in     out     source               destination
> 
>Chain POSTROUTING (policy ACCEPT 198K packets, 18M bytes)
> pkts bytes target     prot opt in     out     source               destination
>   24  1812 RETURN     all  --  any    any     10.128.10.0/24       base-address.mcast.net/24
>    0     0 RETURN     all  --  any    any     10.128.10.0/24       255.255.255.255
>   17  1020 MASQUERADE  tcp  --  any    any     10.128.10.0/24      !10.128.10.0/24       masq ports: 1024-65535
>   15  1700 MASQUERADE  udp  --  any    any     10.128.10.0/24      !10.128.10.0/24       masq ports: 1024-65535
>    0     0 MASQUERADE  all  --  any    any     10.128.10.0/24      !10.128.10.0/24
>   22  1666 RETURN     all  --  any    any     192.168.122.0/24     base-address.mcast.net/24
>    0     0 RETURN     all  --  any    any     192.168.122.0/24     255.255.255.255
>    0     0 MASQUERADE  tcp  --  any    any     192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
>    8  1168 MASQUERADE  udp  --  any    any     192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
>    0     0 MASQUERADE  all  --  any    any     192.168.122.0/24    !192.168.122.0/24
> 
> 
>AFTER VM BOOT
>Chain PREROUTING (policy ACCEPT 2 packets, 120 bytes)
> pkts bytes target     prot opt in     out     source               destination
>    0     0 DNAT       tcp  --  any    any     anywhere             anywhere             tcp dpt:2588 to:10.128.10.100:22
> 

The out:any and

>Chain INPUT (policy ACCEPT 2 packets, 120 bytes)
> pkts bytes target     prot opt in     out     source               destination
> 
>Chain OUTPUT (policy ACCEPT 18 packets, 1263 bytes)
> pkts bytes target     prot opt in     out     source               destination
> 
>Chain POSTROUTING (policy ACCEPT 18 packets, 1263 bytes)
> pkts bytes target     prot opt in     out     source               destination
>   24  1812 RETURN     all  --  any    any     10.128.10.0/24       base-address.mcast.net/24
>    0     0 RETURN     all  --  any    any     10.128.10.0/24       255.255.255.255
>   17  1020 MASQUERADE  tcp  --  any    any     10.128.10.0/24      !10.128.10.0/24       masq ports: 1024-65535
>   15  1700 MASQUERADE  udp  --  any    any     10.128.10.0/24      !10.128.10.0/24       masq ports: 1024-65535
>    0     0 MASQUERADE  all  --  any    any     10.128.10.0/24      !10.128.10.0/24
>   22  1666 RETURN     all  --  any    any     192.168.122.0/24     base-address.mcast.net/24
>    0     0 RETURN     all  --  any    any     192.168.122.0/24     255.255.255.255
>    0     0 MASQUERADE  tcp  --  any    any     192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
>    8  1168 MASQUERADE  udp  --  any    any     192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
>    0     0 MASQUERADE  all  --  any    any     192.168.122.0/24    !192.168.122.0/24
>
>And lastly here's what actually happens on attempt to SSH:
>rhys at odin:~$ ssh rhys at 172.16.99.170 -p 2258
>ssh: connect to host 172.16.99.170 port 2258: Connection refused
>rhys at odin:~$
>
>The connection refused is instant, not a timeout.
>
>I’ve ensured that ufw is disabled.
>
>Any help appreciated. I just can’t figure this out.
>
>Sent from Mail for Windows 10
>

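As an added example (not code from this thread, from the libvirt wiki, or from libvirt itself), here is a hook-script skeleton in the same shape as the one posted above, with the iptables rules built by a function so they can be inspected before they are applied, plus two offline checks for the things worth verifying when a forward fails: the `sysctl net.ipv4.ip_forward` output Martin asks about, and whether `iptables -L -vt nat` actually contains a DNAT rule for the host port a client is connecting to. The VM name, guest address and ports are taken from the posted hook; the bridge name is a parameter (the posted network XML assigns `virbr1` to the `olympus` network). The sample table embedded for the check is constructed from the PREROUTING chain shown above.

```shell
#!/bin/bash
# Added example: libvirt qemu hook skeleton plus offline diagnostics for a
# host-port -> NAT-guest forward. Assumes /sbin/iptables as in the posted hook.

IPTABLES=${IPTABLES:-/sbin/iptables}

# Print the two rules for one forward, one command per line.
# $1 is -I (insert) or -D (delete); the rest are bridge, guest IP, guest port,
# host port. The FORWARD accept is limited to the forwarded TCP port rather
# than all traffic to the guest (narrower than the wiki rule; same effect here).
forward_rules() {
    local action=$1 bridge=$2 guest_ip=$3 guest_port=$4 host_port=$5
    printf '%s\n' \
        "$IPTABLES $action FORWARD -o $bridge -d $guest_ip -p tcp --dport $guest_port -j ACCEPT" \
        "$IPTABLES -t nat $action PREROUTING -p tcp --dport $host_port -j DNAT --to-destination $guest_ip:$guest_port"
}

# Given the text printed by `sysctl net.ipv4.ip_forward`, succeed only if
# forwarding is enabled. Without it the DNAT'd packet is never routed to the guest.
ip_forward_enabled() {
    case "$1" in
        *"= 1"*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Given the output of `iptables -L -vt nat` ($1) and a host port ($2), print
# the guest target of the matching DNAT rule, or fail if there is none.
dnat_target_for_port() {
    local table=$1 port=$2
    printf '%s\n' "$table" | awk -v port="$port" '
        $3 == "DNAT" && $0 ~ ("dpt:" port "( |$)") {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^to:/) { sub(/^to:/, "", $i); print $i; found = 1 }
        }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample, copied from the "AFTER VM BOOT" PREROUTING chain in the post.
SAMPLE_NAT_TABLE='Chain PREROUTING (policy ACCEPT 2 packets, 120 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere             tcp dpt:2588 to:10.128.10.100:22'

# Hook entry point with the libvirt calling convention: $1 = domain name,
# $2 = operation. Values below are the ones from the posted hook and network XML.
hook_main() {
    local domain=$1 op=$2
    [ "$domain" = "testy" ] || return 0      # change to your VM name
    local bridge=virbr1 guest_ip=10.128.10.100 guest_port=22 host_port=2588
    case "$op" in
        stopped|reconnect)
            forward_rules -D "$bridge" "$guest_ip" "$guest_port" "$host_port" |
                while read -r cmd; do $cmd; done ;;
    esac
    case "$op" in
        start|reconnect)
            forward_rules -I "$bridge" "$guest_ip" "$guest_port" "$host_port" |
                while read -r cmd; do $cmd; done ;;
    esac
}

# Only act when invoked by libvirt with arguments; sourcing the file is harmless.
if [ "$#" -gt 0 ]; then
    hook_main "$@"
fi
```

Install it as `/etc/libvirt/hooks/qemu` (executable, owned by root) and libvirt calls it as `qemu <vm> start begin -` and `qemu <vm> stopped end -`. When a client gets an instant "connection refused" rather than a timeout, run `dnat_target_for_port "$(iptables -L -vt nat)" <port>` with the port the client is using: if it prints nothing, no PREROUTING rule claims that port, so the host answers from its own TCP stack (nothing listening, so a reset) and the guest never sees the packet.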
