Setting up port forwarding to guests on nat network

[Rhys Ferris <rhys.j.ferris@xxxxxxxxx>]

Hello all,

 

I’m currently trying to figure out how to forward ports to guests that are on a NAT Network. I have followed the directions on https://wiki.libvirt.org/page/Networking under the “Forwarding Incoming Connections” Section and get connection refused when attempting to connect.

 

System: Ubuntu Server 18.04.1

Virsh / LibVirtd Version: 4.0.0

 

Here’s the contents of /etc/libvirt/hooks/qemu

 

#!/bin/bash

 

# IMPORTANT: Change the "VM NAME" string to match your actual VM Name.

# In order to create rules to other VMs, just duplicate the below block and configure

# it accordingly.

if [ "${1}" = "testy" ]; then

 

   # Update the following variables to fit your setup

   GUEST_IP='10.128.10.100'

   GUEST_PORT='22'

   HOST_PORT='2588'

 

   if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then

        /sbin/iptables -D FORWARD -o virbr0 -d  $GUEST_IP -j ACCEPT

        /sbin/iptables -t nat -D PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT

   fi

   if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then

        /sbin/iptables -I FORWARD -o virbr0 -d  $GUEST_IP -j ACCEPT

        /sbin/iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT

   fi

fi

 

 

Here’s my network XML

<network>

  <name>olympus</name>

  <uuid>3b0d968c-8166-42f7-8109-e5f0317cab42</uuid>

  <forward mode='nat'>

    <nat>

      <port start='1024' end='65535'/>

    </nat>

  </forward>

  <bridge name='virbr1' stp='on' delay='0'/>

  <mac address='52:54:00:bb:18:6b'/>

  <ip address='10.128.10.1' netmask='255.255.255.0'>

    <dhcp>

      <range start='10.128.10.2' end='10.128.10.254'/>

      <host mac='52:54:00:8d:f5:0c' name='testy' ip='10.128.10.100'/>

    </dhcp>

  </ip>

</network>

 

And here’s the results of iptables -L -vt nat:

BEFORE VM BOOT:

Chain PREROUTING (policy ACCEPT 46615 packets, 6618K bytes)

 pkts bytes target     prot opt in     out     source               destination

 

Chain INPUT (policy ACCEPT 46615 packets, 6618K bytes)

 pkts bytes target     prot opt in     out     source               destination

 

Chain OUTPUT (policy ACCEPT 198K packets, 18M bytes)

 pkts bytes target     prot opt in     out     source               destination

 

Chain POSTROUTING (policy ACCEPT 198K packets, 18M bytes)

 pkts bytes target     prot opt in     out     source               destination

   24  1812 RETURN     all  --  any    any     10.128.10.0/24       base-address.mcast.net/24

    0     0 RETURN     all  --  any    any     10.128.10.0/24       255.255.255.255

   17  1020 MASQUERADE  tcp  --  any    any     10.128.10.0/24      !10.128.10.0/24       masq ports: 1024-65535

   15  1700 MASQUERADE  udp  --  any    any     10.128.10.0/24      !10.128.10.0/24       masq ports: 1024-65535

    0     0 MASQUERADE  all  --  any    any     10.128.10.0/24      !10.128.10.0/24

   22  1666 RETURN     all  --  any    any     192.168.122.0/24     base-address.mcast.net/24

    0     0 RETURN     all  --  any    any     192.168.122.0/24     255.255.255.255

    0     0 MASQUERADE  tcp  --  any    any     192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535

    8  1168 MASQUERADE  udp  --  any    any     192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535

    0     0 MASQUERADE  all  --  any    any     192.168.122.0/24    !192.168.122.0/24

 

 

AFTER VM BOOT

Chain PREROUTING (policy ACCEPT 2 packets, 120 bytes)

 pkts bytes target     prot opt in     out     source               destination

    0     0 DNAT       tcp  --  any    any     anywhere             anywhere             tcp dpt:2588 to:10.128.10.100:22

 

Chain INPUT (policy ACCEPT 2 packets, 120 bytes)

 pkts bytes target     prot opt in     out     source               destination

 

Chain OUTPUT (policy ACCEPT 18 packets, 1263 bytes)

 pkts bytes target     prot opt in     out     source               destination

 

Chain POSTROUTING (policy ACCEPT 18 packets, 1263 bytes)

 pkts bytes target     prot opt in     out     source               destination

   24  1812 RETURN     all  --  any    any     10.128.10.0/24       base-address.mcast.net/24

    0     0 RETURN     all  --  any    any     10.128.10.0/24       255.255.255.255

   17  1020 MASQUERADE  tcp  --  any    any     10.128.10.0/24      !10.128.10.0/24       masq ports: 1024-65535

   15  1700 MASQUERADE  udp  --  any    any     10.128.10.0/24      !10.128.10.0/24       masq ports: 1024-65535

    0     0 MASQUERADE  all  --  any    any     10.128.10.0/24      !10.128.10.0/24

   22  1666 RETURN     all  --  any    any     192.168.122.0/24     base-address.mcast.net/24

    0     0 RETURN     all  --  any    any     192.168.122.0/24     255.255.255.255

    0     0 MASQUERADE  tcp  --  any    any     192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535

    8  1168 MASQUERADE  udp  --  any    any     192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535

    0     0 MASQUERADE  all  --  any    any     192.168.122.0/24    !192.168.122.0/24

 

And lastly heres what actually happens on attempt to SSH:

rhys@odin:~$ ssh rhys@172.16.99.170 -p 2258

ssh: connect to host 172.16.99.170 port 2258: Connection refused

rhys@odin:~$

 

The connection refused is instant, not a timeout.

 

I’ve ensured that ufw is disabled.

 

Any help appreciated. I just can’t figure this out.

 

Sent from Mail for Windows 10

 

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users