2012/8/13 Mauricio Tavares <raubvogel@xxxxxxxxx>:
> Easy question here: I have a test network that looks like this
> (apologies for my lack of ascii skills):
>
> [hostc]---------------[Firewall]192.168.42.1 (EXTIF: eth0) /10.0.0.1
>                                                   (INTIF: eth1)
>               192.168.42.10 (wan)                 |(lan)
>                                                   |
>                                                   +-------------[hosta] 10.0.0.10 (port 4242)
>                                                   |
>                                                   +-------------[hostb] 10.0.0.20 (port 2424)
>
> All of those machines are vms I created using virsh/libvirt. In fact,
> the "wan" is a network that exists only inside virsh. "lan" is a vlan
> my desktop also belongs to; I did that so I could always connect even
> when I screwed the firewall up. So, using iptables I created a little
> set of rules to forward port 2424 in 192.168.42.1 to 10.0.0.20:2424 :
>
>
> $IPTABLES -t nat -A PREROUTING --dst 192.168.42.1 -p tcp --dport 2424
> -m comment --comment "test" -j DNAT --to-destination 10.0.0.20:2424
>
> cat >> /etc/sysctl.conf << 'EOF'
> # Custom Settings for Forwarding and OpenSwan
> net.ipv4.ip_forward=1
> net.ipv4.conf.all.accept_redirects = 0
> net.ipv4.conf.default.accept_redirects = 0
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.conf.default.send_redirects = 0
> EOF
> sysctl -p
>
> So, in 10.0.0.20 I do "nc -l 2424". But when I go to hostc and then
> try to do "nc -v 192.168.41.1 2424", connection does not take place.
> Thinking I've done something wrong, I replicated the very same setup
> in virtualbox down to the network layout. It works. So, I went to the
> firewall vm and replaced the network interface from virtio to e1000.
> Still did not work. What am I missing here?
>

You could try this rule below to replace your
"$IPTABLES -A FORWARD -o $INTIF -i $EXTIF -j ACCEPT":

iptables -I FORWARD -i br0 -o virbr0 -p tcp -m state --state NEW -j ACCEPT

NB, I use the "-I" to insert this rule in front of all other rules.

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
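As an added example that is not part of the thread: the failure mode under discussion is that a nat-table DNAT rule rewrites the destination, but the rewritten packet is then dropped by a filter-table FORWARD chain that never accepts it. The checker below, written for this page rather than taken from any poster or from libvirt, parses iptables-save output and pairs every DNAT rule with a FORWARD ACCEPT rule that covers the translated address, protocol and port, reporting the DNATs that would still be dropped. The rule it suggests is scoped to the DNAT target plus a conntrack NEW match, which is tighter than accepting all new TCP between two interfaces. The sample ruleset, the interface names EXT_IF/INT_IF (eth0/eth1 after the diagram above) and the second forward to 10.0.0.10:4242 are constructed assumptions, not output captured from the poster's firewall.

```python
"""Pair nat-table DNAT rules with FORWARD ACCEPT rules in iptables-save output.

Constructed sample modelled on the thread's topology: firewall with eth0
external (192.168.42.1) and eth1 internal (10.0.0.1). Not captured from a
real host.
"""
import ipaddress
import shlex

EXT_IF = "eth0"  # assumed external interface, after the diagram in the thread
INT_IF = "eth1"  # assumed internal interface

SAMPLE_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.42.1/32 -p tcp -m tcp --dport 2424 -m comment --comment "test" -j DNAT --to-destination 10.0.0.20:2424
-A PREROUTING -d 192.168.42.1/32 -p tcp -m tcp --dport 4242 -j DNAT --to-destination 10.0.0.10:4242
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 10.0.0.10/32 -p tcp -m tcp --dport 4242 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""


def parse_rules(save_text):
    """Return one dict per '-A' line: table, chain, raw text and option -> value.

    Options that take no value (e.g. '--syn') are stored as True. Repeated
    '-m' loaders overwrite each other, which is fine because only the match
    options themselves are consulted below. Port ranges (--dport a:b) are
    not expanded; they are compared as literal strings.
    """
    rules, table = [], None
    for line in save_text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
            continue
        if not line.startswith("-A "):
            continue
        tokens = shlex.split(line)
        rule = {"table": table, "chain": tokens[1], "raw": line}
        i = 2
        while i < len(tokens):
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            if has_value:
                rule[tokens[i]] = tokens[i + 1]
                i += 2
            else:
                rule[tokens[i]] = True
                i += 1
        rules.append(rule)
    return rules


def forward_covers(fw_rule, dst_ip, proto, dport):
    """True if this filter rule accepts the first packet of a flow to dst_ip:dport."""
    if fw_rule["chain"] != "FORWARD" or fw_rule.get("-j") != "ACCEPT":
        return False
    # A RELATED,ESTABLISHED-only rule handles replies, not the initial SYN.
    state = fw_rule.get("--ctstate") or fw_rule.get("--state") or ""
    if state and "NEW" not in state.split(","):
        return False
    if "-d" in fw_rule:
        net = ipaddress.ip_network(fw_rule["-d"], strict=False)
        if ipaddress.ip_address(dst_ip) not in net:
            return False
    if "-p" in fw_rule and proto and fw_rule["-p"] != proto:
        return False
    if "--dport" in fw_rule and fw_rule["--dport"] != dport:
        return False
    return True


def find_unforwarded_dnats(save_text):
    """Return DNAT rules no FORWARD ACCEPT covers, each with a narrowly scoped fix."""
    rules = parse_rules(save_text)
    filter_rules = [r for r in rules if r["table"] == "filter"]
    findings = []
    for r in rules:
        if r["table"] != "nat" or r.get("-j") != "DNAT":
            continue
        dst_ip, _, dport = r.get("--to-destination", "").partition(":")
        dport = dport or r.get("--dport", "")  # DNAT without a port keeps the original
        proto = r.get("-p")
        if any(forward_covers(f, dst_ip, proto, dport) for f in filter_rules):
            continue
        suggest = (f"iptables -A FORWARD -i {EXT_IF} -o {INT_IF} -d {dst_ip} "
                   f"-p {proto or 'tcp'} --dport {dport} -m conntrack --ctstate NEW -j ACCEPT")
        findings.append({"dnat": r["raw"], "suggest": suggest})
    return findings


if __name__ == "__main__":
    for f in find_unforwarded_dnats(SAMPLE_SAVE):
        print("DNAT with no matching FORWARD ACCEPT:\n  " + f["dnat"])
        print("  suggested rule: " + f["suggest"])
```

Run against live rules with `iptables-save | python3 checker.py` after changing the script to read stdin; on the sample it flags only the 2424 forward, since the 4242 forward already has a matching FORWARD rule and the RELATED,ESTABLISHED rule alone does not admit a new connection.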