Centos – How to set up port forwarding on a dedicated server running CentOS 5.4 to use Ubuntu 9.0.4


The basic situation that I have is a dedicated server running CentOS 5.4. At the moment I have one VM running Ubuntu 9.0.4. Later on, I will want to add another VM running Windows Server 2003 but at the moment I am focusing on getting Ubuntu up and running.

The Ubuntu installation is working fine but I'm seriously struggling to get port forwarding working so that I can access websites to be hosted on the Ubuntu VM. As a newbie to Linux, I am confused about the relationship between IPTables and VMWare's own port forwarding.

Here's what I've tried so far.

The IP of my server is xxx.xxx.xxx.xxx and the provider support have told me that the subnet mask is, the gateway address is xxx.xxx.xxx.1 and the network address is xxx.xxx.xxx.0. (Those latter two surprise me a bit, I expected private gateway/network address rather than public ones.)

First of all I tried Bridged Networking but had no success at all in communicating with the machine other than through the VMware console. I tried pinging it from the host (using ssh into the host) but no joy; also no Internet access from the VM. I changed the interfaces configuration from DHCP to Static, using a static address of and setting the gateway to xxx.xxx.xxx.1 as advised by the provider. No real difference, still cannot ping the guest from the host or vice versa and no Internet access from the guest.

Then I tried NAT. The host automatically set the IP address to with a gateway of Now the guest has Internet access out and when I do a VNC to the host and open Firefox with I can see the hosted website okay but I still cannot get into it from outside.

I mentioned that I'm a bit confused about IPTables and VMware port forwarding; what I meant is that I'm not sure whether IPTables forwarding should be set to the IP address of the guest interface ( in this case) or the gateway address.

I have a feeling that I'm missing something very simple here, can anybody tell me what it is?

Best Answer

Here is the magic incantation I needed for my CentOS host. In short, new iptables rules must be added to achieve two things. One is to forward port 80, and maybe port 443, from VM to host. Two is to allow hopping between public and private subnets. If VMware handles everything and adds the rules automatically, you should find the rules, or their functional equivalent, already in the rule list obtained by "iptables -nvL". If not, you must add them.


#!/bin/sh
# Placeholder values: substitute your own interfaces and addresses before running.
IF_ETH_0=eth0                  # public-facing host interface
IF_TUN_0=vbr0                  # bridge carrying the VM's traffic
IP_PUBLIC_0=xxx.xxx.xxx.xxx    # the server's public address
IP_PRIVATE_WEB=192.168.x.x     # the Ubuntu guest's private (NAT) address

# In my case,
# the interface for the VM is vnet0. vbr0 bridges eth0 and vnet0.
# Using vnet0, instead of vbr0, for IF_TUN_0 will not work.

# routing between interfaces is off by default; the FORWARD rules below do nothing without it
/sbin/sysctl -w net.ipv4.ip_forward=1

# port forwarding (--flush discards every existing nat rule, including any VMware added)
/sbin/iptables -t nat --flush
/sbin/iptables -t nat -A PREROUTING  -p tcp -i $IF_ETH_0 -j DNAT -d $IP_PUBLIC_0 --dport 80 --to $IP_PRIVATE_WEB:80
/sbin/iptables -t nat -A POSTROUTING -p tcp -o $IF_ETH_0 -j SNAT -s $IP_PRIVATE_WEB --to-source $IP_PUBLIC_0

# the private internal VM address and public-facing host address are on different subnets
# add rules to allow travel between subnets
/sbin/iptables -A FORWARD -i $IF_TUN_0 -o $IF_ETH_0 -j ACCEPT
/sbin/iptables -A FORWARD -i $IF_ETH_0 -o $IF_TUN_0 -j ACCEPT

# open up ports 80 and 443 (the post originally read "40", a typo for the HTTP port)
/sbin/iptables -A INPUT  -j ACCEPT -p tcp --dport 80  -m state --state NEW
/sbin/iptables -A INPUT  -j ACCEPT -p tcp --dport 443 -m state --state NEW
# allow established traffic to pass
/sbin/iptables -A INPUT  -j ACCEPT -m state --state ESTABLISHED,RELATED
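The answer says to check the existing rule list for the rules, or their functional equivalents, before adding them. This added Python example (not from the original answer) audits an iptables-save dump for the three pieces the incantation needs (the DNAT, the SNAT, and FORWARD accepts in both directions); the addresses, interface names and the sample dump are constructed placeholders.

```python
import shlex

REQUIRED = ("dnat", "snat", "fwd_vm_to_eth", "fwd_eth_to_vm")

def _opt(tok, *names):
    """Value after the first option in names ('/32' stripped), else None."""
    for i, t in enumerate(tok[:-1]):
        if t in names:
            return tok[i + 1].split("/")[0]
    return None

def audit(dump, pub_ip, priv_ip, eth_if, vm_if, port=80):
    """Return the set of REQUIRED rules present in an iptables-save dump.
    Only chain, interfaces, addresses and target are compared; match
    extensions such as -m state are ignored, so 'FORWARD -j ACCEPT' counts."""
    found = set()
    for line in dump.splitlines():
        if not line.startswith("-A "):
            continue                     # skip *table, :CHAIN and COMMIT lines
        tok = shlex.split(line)[1:]      # drop the leading -A
        chain, target, i, o = tok[0], _opt(tok, "-j"), _opt(tok, "-i"), _opt(tok, "-o")
        if chain == "PREROUTING" and target == "DNAT":
            to = (_opt(tok, "--to-destination", "--to") or "").split(":")[0]
            if (_opt(tok, "-d") == pub_ip and _opt(tok, "--dport") == str(port)
                    and to == priv_ip and i in (eth_if, None)):
                found.add("dnat")
        elif chain == "POSTROUTING" and target == "SNAT":
            if (_opt(tok, "-s") == priv_ip and o in (eth_if, None)
                    and _opt(tok, "--to-source", "--to") == pub_ip):
                found.add("snat")
        elif chain == "FORWARD" and target == "ACCEPT":
            if i in (vm_if, None) and o in (eth_if, None):
                found.add("fwd_vm_to_eth")
            if i in (eth_if, None) and o in (vm_if, None):
                found.add("fwd_eth_to_vm")
    return found

def missing(dump, **kw):
    """Required rules absent from the dump, in REQUIRED order."""
    return [n for n in REQUIRED if n not in audit(dump, **kw)]

# Constructed dump (placeholder addresses and interfaces): the answer's NAT
# rules plus one FORWARD accept; the eth0 -> vbr0 accept is deliberately missing.
SAMPLE = """\
*nat
-A PREROUTING -d 203.0.113.10/32 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.122.10:80
-A POSTROUTING -s 192.168.122.10/32 -o eth0 -p tcp -j SNAT --to-source 203.0.113.10
COMMIT
*filter
-A FORWARD -i vbr0 -o eth0 -j ACCEPT
COMMIT
"""
ARGS = dict(pub_ip="203.0.113.10", priv_ip="192.168.122.10", eth_if="eth0", vm_if="vbr0")
```

Feed it the output of `iptables-save` from the host; an empty list from `missing()` means the functional equivalents are already there and the flush-and-add script is unnecessary.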