[libvirt-users] Setting up port forwarding to guests on nat network

Rhys Ferris rhys.j.ferris at gmail.com
Thu Aug 30 22:50:38 UTC 2018


Thanks for the reply!
output:
net.ipv4.ip_forward = 1

What do you mean "The out:any and"

Anywhere else I can look as to why the connection isn't going?
Do I need some kind of listener at that port on the host? I'm not even
seeing the packet count on the prerouting chain increase when the
connection attempts are made.


On Thu, Aug 30, 2018 at 8:58 AM Martin Kletzander <mkletzan at redhat.com>
wrote:

> On Wed, Aug 29, 2018 at 06:31:41PM -0400, Rhys Ferris wrote:
> >Hello all,
> >
> >I’m currently trying to figure out how to forward ports to guests that
> >are on a NAT Network. I have followed the directions on
> >https://wiki.libvirt.org/page/Networking under the “Forwarding Incoming
> >Connections” Section and get connection refused when attempting to connect.
> >
> >System: Ubuntu Server 18.04.1
> >Virsh / LibVirtd Version: 4.0.0
> >
> >Here’s the contents of /etc/libvirt/hooks/qemu
> >
> >#!/bin/bash
> >
> ># IMPORTANT: Change the "VM NAME" string to match your actual VM Name.
> ># In order to create rules to other VMs, just duplicate the below block and configure
> ># it accordingly.
> >if [ "${1}" = "testy" ]; then
> >
> >   # Update the following variables to fit your setup
> >   GUEST_IP='10.128.10.100'
> >   GUEST_PORT='22'
> >   HOST_PORT='2588'
> >
> >   if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
> >        /sbin/iptables -D FORWARD -o virbr0 -d  $GUEST_IP -j ACCEPT
> >        /sbin/iptables -t nat -D PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
> >   fi
> >   if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
> >        /sbin/iptables -I FORWARD -o virbr0 -d  $GUEST_IP -j ACCEPT
> >        /sbin/iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
>
> I would do the rules differently, but since it is on the wiki, I'll
> believe it works.  You probably checked, but just to make sure, what is
> the output of `sysctl net.ipv4.ip_forward` ?
>
> >   fi
> >fi
> >
> >
> >Here’s my network XML
> ><network>
> >  <name>olympus</name>
> >  <uuid>3b0d968c-8166-42f7-8109-e5f0317cab42</uuid>
> >  <forward mode='nat'>
> >    <nat>
> >      <port start='1024' end='65535'/>
> >    </nat>
> >  </forward>
> >  <bridge name='virbr1' stp='on' delay='0'/>
> >  <mac address='52:54:00:bb:18:6b'/>
> >  <ip address='10.128.10.1' netmask='255.255.255.0'>
> >    <dhcp>
> >      <range start='10.128.10.2' end='10.128.10.254'/>
> >      <host mac='52:54:00:8d:f5:0c' name='testy' ip='10.128.10.100'/>
> >    </dhcp>
> >  </ip>
> ></network>
> >
> >And here’s the results of iptables -L -vt nat:
> >BEFORE VM BOOT:
> >Chain PREROUTING (policy ACCEPT 46615 packets, 6618K bytes)
> > pkts bytes target     prot opt in     out     source               destination
> >
> >Chain INPUT (policy ACCEPT 46615 packets, 6618K bytes)
> > pkts bytes target     prot opt in     out     source               destination
> >
> >Chain OUTPUT (policy ACCEPT 198K packets, 18M bytes)
> > pkts bytes target     prot opt in     out     source               destination
> >
> >Chain POSTROUTING (policy ACCEPT 198K packets, 18M bytes)
> > pkts bytes target     prot opt in     out     source               destination
> >   24  1812 RETURN     all  --  any    any     10.128.10.0/24       base-address.mcast.net/24
> >    0     0 RETURN     all  --  any    any     10.128.10.0/24       255.255.255.255
> >   17  1020 MASQUERADE  tcp  --  any    any     10.128.10.0/24      !10.128.10.0/24       masq ports: 1024-65535
> >   15  1700 MASQUERADE  udp  --  any    any     10.128.10.0/24      !10.128.10.0/24       masq ports: 1024-65535
> >    0     0 MASQUERADE  all  --  any    any     10.128.10.0/24      !10.128.10.0/24
> >   22  1666 RETURN     all  --  any    any     192.168.122.0/24     base-address.mcast.net/24
> >    0     0 RETURN     all  --  any    any     192.168.122.0/24     255.255.255.255
> >    0     0 MASQUERADE  tcp  --  any    any     192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
> >    8  1168 MASQUERADE  udp  --  any    any     192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
> >    0     0 MASQUERADE  all  --  any    any     192.168.122.0/24    !192.168.122.0/24
> >
> >
> >AFTER VM BOOT
> >Chain PREROUTING (policy ACCEPT 2 packets, 120 bytes)
> > pkts bytes target     prot opt in     out     source               destination
> >    0     0 DNAT       tcp  --  any    any     anywhere             anywhere             tcp dpt:2588 to:10.128.10.100:22
> >
>
> The out:any and
>
> >Chain INPUT (policy ACCEPT 2 packets, 120 bytes)
> > pkts bytes target     prot opt in     out     source               destination
> >
> >Chain OUTPUT (policy ACCEPT 18 packets, 1263 bytes)
> > pkts bytes target     prot opt in     out     source               destination
> >
> >Chain POSTROUTING (policy ACCEPT 18 packets, 1263 bytes)
> > pkts bytes target     prot opt in     out     source               destination
> >   24  1812 RETURN     all  --  any    any     10.128.10.0/24       base-address.mcast.net/24
> >    0     0 RETURN     all  --  any    any     10.128.10.0/24       255.255.255.255
> >   17  1020 MASQUERADE  tcp  --  any    any     10.128.10.0/24      !10.128.10.0/24       masq ports: 1024-65535
> >   15  1700 MASQUERADE  udp  --  any    any     10.128.10.0/24      !10.128.10.0/24       masq ports: 1024-65535
> >    0     0 MASQUERADE  all  --  any    any     10.128.10.0/24      !10.128.10.0/24
> >   22  1666 RETURN     all  --  any    any     192.168.122.0/24     base-address.mcast.net/24
> >    0     0 RETURN     all  --  any    any     192.168.122.0/24     255.255.255.255
> >    0     0 MASQUERADE  tcp  --  any    any     192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
> >    8  1168 MASQUERADE  udp  --  any    any     192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
> >    0     0 MASQUERADE  all  --  any    any     192.168.122.0/24    !192.168.122.0/24
> >
> >And lastly here's what actually happens on attempt to SSH:
> >rhys@odin:~$ ssh rhys@172.16.99.170 -p 2258
> >ssh: connect to host 172.16.99.170 port 2258: Connection refused
> >rhys@odin:~$
> >
> >The connection refused is instant, not a timeout.
> >
> >I’ve ensured that ufw is disabled.
> >
> >Any help appreciated. I just can’t figure this out.
> >
> >Sent from Mail for Windows 10
> >
>
>
>
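Two things on the page are worth checking before digging deeper into the chains: the hook's FORWARD rule names virbr0 while the network XML defines bridge virbr1, and the ssh command dials port 2258 while the DNAT rule matches dpt:2588, which is consistent with the rule's packet counter staying at 0. The helper below is an added example (not the thread's hook or the libvirt wiki's code): it builds each iptables rule spec once so insert, check and delete always agree, takes the bridge name as a parameter, and reads a PREROUTING listing to say which of those two situations applies. The function names, the `IPT` variable and the sample chain text are assumptions of this example.

```shell
#!/bin/sh
# Added example; not code from the thread or the libvirt wiki.
IPT=${IPT:-/sbin/iptables}

dnat_spec() {  # host_port guest_ip guest_port
    printf '%s' "PREROUTING -p tcp --dport $1 -j DNAT --to-destination $2:$3"
}
forward_spec() {  # guest_ip bridge (must be the bridge named in the network XML)
    printf '%s' "FORWARD -o $2 -d $1 -j ACCEPT"
}

# add: insert only if absent; del: delete only if present. Repeated start or
# reconnect events therefore never stack duplicate copies of a rule.
apply_forward() {  # add|del host_port guest_ip guest_port bridge
    nat=$(dnat_spec "$2" "$3" "$4"); fwd=$(forward_spec "$3" "$5")
    case $1 in
    add) $IPT -t nat -C $nat 2>/dev/null || $IPT -t nat -I $nat
         $IPT -C $fwd 2>/dev/null || $IPT -I $fwd ;;
    del) $IPT -t nat -C $nat 2>/dev/null && $IPT -t nat -D $nat
         $IPT -C $fwd 2>/dev/null && $IPT -D $fwd ;;
    esac
    return 0
}

# Takes `iptables -t nat -L PREROUTING -vn` output and the port the client
# dials. Returns 0 if a DNAT rule for that port has counted packets, 1 if the
# rule exists but counted none, 2 if no rule matches that port at all.
# Counters are matched textually (iptables prints large ones as e.g. 17K).
diagnose_dnat() {  # prerouting_output client_port
    pkts=$(printf '%s\n' "$1" |
        awk -v p="dpt:$2 " '$3 == "DNAT" && index($0, p) { print $1; exit }')
    case $pkts in
    '') echo "no DNAT rule for dpt:$2: hook did not run, or HOST_PORT differs from the port you dial"
        return 2 ;;
    0)  echo "DNAT rule for dpt:$2 exists but matched 0 packets: no new connection to that port has passed nat PREROUTING"
        return 1 ;;
    esac
    echo "DNAT rule for dpt:$2 matched $pkts packets; look at FORWARD and the guest next"
}

# Constructed sample: the thread's "AFTER VM BOOT" PREROUTING chain, in the
# numeric (-n) form the function expects.
SAMPLE='Chain PREROUTING (policy ACCEPT 2 packets, 120 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2588 to:10.128.10.100:22'
# On a live host: diagnose_dnat "$($IPT -t nat -L PREROUTING -vn)" 2258
diagnose_dnat "$SAMPLE" 2258 || true
```

Run the diagnostic on the host right after a failed connection attempt; a return of 2 means the port dialed never had a rule, a return of 1 means the rule exists but the SYN never matched it.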