Iptables – KVM – Access from an external computer to the Virtual Machine

iptableskvm-virtualizationlinux-networkingvirshvirtual-machines

I have the following setup:

Notebook (IP: 192.168.1.100)
Host: (IP:192.168.1.129)

Both Notebook and Host are connected to a router (Internet IP:192.168.1.1)¨

The host (Host) has two virtual machine on it (Development, Office). The host since it uses a DHCP server(KVM), assigns the following IP addresses to the VM's

Development: 192.168.122.45
Office: 192.168.122.46

The DHCP server for the host hast the IP address 192.168.122.1

Now I like to access the Development VM from my Notebook (192.168.1.100) on port 5900 to remotely work on this VM.

I used some iptables roules to achieve this on the host, where the VM's are located:

iptables -t nat -I PREROUTING -p tcp -d 192.168.1.129 --dport 5900 -j DNAT --to-destination 192.168.122.45
iptables -I FORWARD -m state -d 192.168.122.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT

Unfortunately I didn't get a connection with Spice to the Development VM.

 spice://192.168.1.129:5900

I edited my VM with

virsh edit VM-Development

and configured like this:

<graphics type='spice' port='5900' autoport='no' listen='127.0.0.1' keymap='de-ch'>
   <listen type='address' address='127.0.0.1'/>

After I made the iptables roules the XML-configuration files contains a new entry:

<video>
    <model type='qxiptables -t nat -I PREROUTING -p tcp -d 192.168.1.129 --dport 5900 -j DNAT --to-destination 192.168.122.45 iptables -I FORWARD -m state -d 192.168.122.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT l' ram='65536' vram='65536' vgamem='16384' heads='1'/>
        <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</video>

What's wrong? I used several hints, but I can't get it work. I also looked that the router has the port 5900 open.

Best Answer

You can use ssh HOST nc as a proxy:

Host *.saturnin.* *.saturnin bb-*
   ProxyCommand ssh -q -A saturnin.lab.eng.brq.redhat.com nc %h %p
   IdentityFile ~/.ssh/bot_rsa
   User root

Drawback: this requires having entries in /etc/hosts on the host.

Alternatively I am using nc with sed to get local name/IP:

Host tbb-*
   ProxyCommand ssh -q -A saturnin.lab.eng.brq.redhat.com sednc 's/^tbb-//' %h %p
   IdentityFile ~/.ssh/bot_rsa
   User root

Host 192.168.*.cimrman.* 192.168.*.cimrman
   ProxyCommand ssh -q -A cimrman.lab.eng.brq.redhat.com sednc 's/\.cimrman.*//' %h %p
   IdentityFile ~/.ssh/bot_rsa
   User root

sednc looks like this:

#!/bin/bash

if [[ $1 == -h || $1 == --help ]]; then
  cat <<END
sednc - nc to a HOST:PORT with HOST modified by an sed command SEDEXP

USAGE: sednc SEDEXP HOST [PORT]

Example:

    sednc 's/^bb-//' bb-rawhide

This is to be used with ssh to connect to a VMs inside a host. Add line like this to your .ssh/config:

    Host bb-*
        ProxyCommand ssh -q -A HOST sednc 's/^bb-//' %h %p

END
  exit 0
fi

HOST="$2"
TRANSLATED="$(sed -e "$1" <<<"$2")"

#echo "$TRANSLATED">&2
nc "$TRANSLATED" "${3:-"22"}"

Related Solutions

Linux – iptables port forward forwarding

You're sending the traffic to 10.52.208.221. Given the config you posted, your problem is the webserver, not the firewall. Your rules look to be correct. FORWARD and INPUT are redirected to RH-Firewall-1-INPUT where your first rule is to allow all traffic. As somebody else pointed out, you could be allowing all traffic on eth1, while the world is actually coming in eth0. Secondary, you have to NAT the traffic as it goes back out to the world

iptables --table nat --append POSTROUTING --proto tcp --dport 80 --jump MASQUERADE -o OUT_INTERFACE

Your traffic originating from the router will never hit the input or forward chains, but instead traverse the output chain on to the webserver. Other systems in that subnet will similarly go directly to the webserver. Systems out on the world at large however will traverse the INPUT / FORWARD chains and need SNAT as well as DNAT so that it appears to the world to be one machine. You still cannot test from within your network. you must test from the opposite interface from the webserver. Get me your IP addresses and I'll point you to the proper configs.

Iptables – RHEL 6 Having issues forwarding port 80 to port 8080

I would say this is wrong approach. In any case, I wouldn't want to have JBoss (nor tomcat) to manage direct connections other then for test purpose. It's not designed to manage directly outside connections.

Option 1 Have apache web server proxy to 127.0.0.1:8080

You need this somewhere in your apache setup

LoadModule proxy_module  {path-to-modules}/mod_proxy.so
AddModule  mod_proxy.c

Or with apache2

$ sudo a2enmod proxy
$ sudo apache2ctl restart

And in virtual hosts you could have several apps

ProxyPass         /myapp  http://localhost:8080/myapp
ProxyPassReverse  /myapp  http://localhost:8080/myapp

or have a unique one

ProxyPass         /  http://localhost:8080/
ProxyPassReverse  /  http://localhost:8080/

after changing virtual hosts setting, no need to restart apache

$ sudo apache2ctl graceful

will update settings without dropping ongoing connections.

Option 2, using mod_ajp

$ sudo a2enmod proxy_ajp
$ sudo apache2ctl restart

adding this to your virtualhost

ProxyPass /app ajp://backend.example.com:8009/app

Assuming tomcat instance is configured to have ajp connector on port 8009. Check tomcat settings.

http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html

Option 3, using mod_jk http://tomcat.apache.org/connectors-doc/

You'll still have the other issue that is to configure JBoss as to create links to :80, that will be a JBoss setting problem... can't remember where it's set, all I can remember is that it took me a while to find out. I've preferred using the ajp connector so far.

Sorry, I don't have have access to a JBoss setup right now, perhaps someone can point us where is that setting.

Best Answer

Related Solutions

Linux – iptables port forward forwarding

Iptables – RHEL 6 Having issues forwarding port 80 to port 8080

Related Topic