I currently have a few KVM guests on a dedicated server with bridged networking (this works) and I can successfully ping the outside IPs I assign via ifconfig (in the guest).
However, because I only have 5 public IPv4 addresses, I would like to port forward services like so:
hostip:port -> kvm_guest:port
UPDATE
I found out KVM comes with a "default" NAT interface, so I added the virtual NIC to the guest's virsh configuration and then configured it in the guest; it has the IP address:
192.168.122.112
I can successfully ping 192.168.122.112 and access all ports on 192.168.122.112 from the KVM host, so I tried to port forward like so:
iptables -t nat -I PREROUTING -p tcp --dport 5222 -j DNAT --to-destination 192.168.122.112:2521
iptables -I FORWARD -m state -d 192.168.122.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT
telnet KVM_HOST_IP 5222
just hangs on "trying"
telnet 192.168.122.112 2521
works
[root@node1 ~]# tcpdump port 5222
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
23:43:47.216181 IP 1.152.245.247.51183 > null.xmpp-client: Flags [S], seq 1183303931, win 65535, options [mss 1400,nop,wscale 3,nop,nop,TS val 445777813 ecr 0,sackOK,eol], length 0
23:43:48.315747 IP 1.152.245.247.51183 > null.xmpp-client: Flags [S], seq 1183303931, win 65535, options [mss 1400,nop,wscale 3,nop,nop,TS val 445778912 ecr 0,sackOK,eol], length 0
23:43:49.415606 IP 1.152.245.247.51183 > null.xmpp-client: Flags [S], seq 1183303931, win 65535, options [mss 1400,nop,wscale 3,nop,nop,TS val 445780010 ecr 0,sackOK,eol], length 0
7 packets received by filter
0 packets dropped by kernel
[root@node1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 state NEW,RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@node1 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 976 packets, 57008 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
11 640 ACCEPT all -- * * 0.0.0.0/0 192.168.122.0/24 state NEW,RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 673 packets, 40901 bytes)
pkts bytes target prot opt in out source destination
[root@node1 ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 549 packets, 34067 bytes)
pkts bytes target prot opt in out source destination
1 64 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5222 to:192.168.122.112:2521
3 192 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5222 to:192.168.122.112:2521
1 64 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5225 to:192.168.122.112:2521
1 64 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5222 to:192.168.122.112:2521
Chain POSTROUTING (policy ACCEPT 45 packets, 3169 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 44 packets, 3105 bytes)
pkts bytes target prot opt in out source destination
All help is appreciated.
Thanks.
Best Answer
If you run kvm in this way:
you will get a new interface (on the root host) named
tapX
(where X is a number). This interface is normally configured by default via a script located somewhere in /etc
(/etc/kvm/kvm-ifup
, /etc/qemu-ifup
or similar); you can change it with: kvm -drive... -net nic -net tap,script=mynatbrigescript
...From there, this interface has to be configured at each end:
and in the client OS:
so if you hit (on the root host), you will see a new local network (assuming your public IP is 1.2.3.4):
From there, you must be able to ping 192.168.124.2 from the root host. You can then
DNAT
your incoming TCP packets with: and
SNAT
the reply packets in the other direction: Now, if this works for the root node:
then from your local domain, this must do the same:
In any case, your root host has to forward IP packets; this can be verified by:
or
This can be set by:
or
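The port-forward setup described in the question (hostip:port -> kvm_guest:port via the libvirt default NAT network) and in the answer (DNAT, SNAT, ip_forward), pulled together as one script. This is an added example, not the question's rules or the answer's code. The interface names (br0 for the public side, since the tcpdump warning in the question suggests the public IP does not sit on eth0 itself, and virbr0 for the libvirt bridge) and the public IP 1.2.3.4 are assumptions and can be overridden from the environment. It prints the rules by default and only applies them with --apply:

```shell
#!/bin/sh
# Added example (not from the question or the answer): build the iptables
# rules for  PUB_IP:HOST_PORT -> GUEST_IP:GUEST_PORT  on a KVM host whose
# guest sits on the libvirt "default" NAT network (192.168.122.0/24).
# Interface names and the public IP are assumptions; override them via the
# environment. Dry run by default; --apply runs the rules (needs root).

PUB_IF="${PUB_IF:-br0}"        # assumed: the public IP lives on a bridge, not eth0
PUB_IP="${PUB_IP:-1.2.3.4}"    # assumed placeholder public address
VIRT_IF="${VIRT_IF:-virbr0}"   # assumed: libvirt's default NAT bridge
GUEST_NET="${GUEST_NET:-192.168.122.0/24}"
GUEST_IP="${GUEST_IP:-192.168.122.112}"
HOST_PORT="${HOST_PORT:-5222}"
GUEST_PORT="${GUEST_PORT:-2521}"

# forward_rules prints one iptables command per line, in application order.
# -I puts each rule at the head of its chain so it runs before the REJECT
# rules libvirt installs for virbr0 in FORWARD.
#
# 1. PREROUTING DNAT: only for packets arriving on the public interface and
#    addressed to the public IP (the question's rule rewrote any destination).
# 2. OUTPUT DNAT: connections started on the host itself never pass through
#    PREROUTING, so a test run from the host would hang without this rule.
# 3. FORWARD NEW: accept just the forwarded port to the one guest, instead of
#    everything destined for 192.168.122.0/24.
# 4. FORWARD ESTABLISHED,RELATED: replies in both directions. conntrack
#    reverses the DNAT on the guest's replies, so the forwarded connection
#    needs no SNAT of its own.
# 5. POSTROUTING SNAT: guest-originated traffic leaves with the public IP.
#    libvirt's default network already adds an equivalent MASQUERADE for
#    192.168.122.0/24; this rule matters when the subnet is not libvirt-managed.
forward_rules() {
  cat <<EOF
iptables -t nat -I PREROUTING -i $PUB_IF -d $PUB_IP -p tcp --dport $HOST_PORT -j DNAT --to-destination $GUEST_IP:$GUEST_PORT
iptables -t nat -I OUTPUT -o lo -d $PUB_IP -p tcp --dport $HOST_PORT -j DNAT --to-destination $GUEST_IP:$GUEST_PORT
iptables -I FORWARD -i $PUB_IF -o $VIRT_IF -d $GUEST_IP -p tcp --dport $GUEST_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -I POSTROUTING -s $GUEST_NET ! -d $GUEST_NET -o $PUB_IF -j SNAT --to-source $PUB_IP
EOF
}

# ip_forward must be 1, otherwise the host drops the DNATed packets after
# PREROUTING and the client sees exactly the "trying..." hang from the question.
check_forwarding() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Apply the rules one by one, stopping at the first failing iptables call.
apply_rules() {
  forward_rules | while IFS= read -r cmd; do
    echo "+ $cmd" >&2
    $cmd || exit 1
  done
}

case "${1:-}" in
  --apply)
    check_forwarding || { echo "net.ipv4.ip_forward is 0; run: sysctl -w net.ipv4.ip_forward=1" >&2; exit 1; }
    apply_rules ;;
  *)
    forward_rules ;;
esac
```

Test the result from a machine outside the host (as the tcpdump in the question does), not from the host's own shell, and watch the counters with iptables -t nat -nvL and iptables -nvL: the DNAT counter rising while the FORWARD ACCEPT counter stays at zero points at ip_forward or a FORWARD rule ahead of yours.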