On Tue, Dec 15, 2015 at 11:45 AM, Pascal Hambourg <pascal@xxxxxxxxxxxxxxx> wrote:
> Scott Bronson wrote:
>> iptables -t nat -I POSTROUTING -s 192.168.122.10 -d 192.168.122.10 -p tcp -j MASQUERADE
>
> Why restrict the MASQUERADE to TCP and UDP?

Good question. Editing mistake. I'm actually forwarding different ports to different guests depending on port number:

iptables -t nat -A POSTROUTING -s 192.168.122.10/32 -d 192.168.122.10/32 -p udp --dport 53 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.122.10/32 -d 192.168.122.10/32 -p tcp --dport 53 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.122.12/32 -d 192.168.122.12/32 -p tcp --dport 25 -j MASQUERADE

FWIW, here's the script as it stands today:

https://github.com/bronson/libvirt-hook-qemu/tree/hostfix
https://github.com/bronson/libvirt-hook-qemu/blob/hostfix/qemu

And an example of the rules it inserts:

https://github.com/bronson/libvirt-hook-qemu/blob/hostfix/test_qemu.py#L58-L73

It seems a little overcomplex but it's working great. Huge thanks to everyone.

- Scott