If the server is behind a NAT firewall/router, you have to do more than open a port in the firewall. You have to forward the port to the server.
So, if your router's external address is 12.34.56.78
and your server's internal address is 192.168.1.2,
then you need to forward port 5900 on your router to 192.168.1.2:5900, which is your server.
You're correct that 12.34.56.78 is not responding to connections. It's filtering all incoming connections.
Use a bridge on your dom0 (e.g. KVM host) WAN interface. This requires installing the bridge-utils package. Since this is a Debian-based distro, you may configure it in /etc/network/interfaces:
iface eth0 inet manual

auto br_wan
iface br_wan inet dhcp
    # Assuming DHCP to get address, otherwise migrate all WAN connection options here
    #address 192.168.122.0
    bridge_ports eth0 tap_guest1
    bridge_stp off
    bridge_maxwait 0
    bridge_fd 0
    pre-up ip tuntap add dev tap_guest1 user guest1 mode tap
    # This command is required if your ISP allocates static IPs depending on MAC address
    # You shouldn't use this but might be handy some time
    #pre-up sysctl -q -w net/ipv4/conf/tap_guest1/proxy_arp=1
    post-down ip tuntap del dev tap_guest1 mode tap
The pre-up command sets up a TAP interface to connect your KVM guest to the bridge. Note that this setup allows running kvm as the non-privileged user guest1. Note that setting net.ipv4.ip_forward = 1 with sysctl might be useful as well.
I have used the ip tuntap command from the iproute2 package. It's not yet documented in the Debian package but soon will be available in upstream's manual page. Since this package is installed on every Debian-based server, you won't need to install the uml-utilities or openvpn package just to create these interfaces.
This approach surely lacks some elegance for managing lots of tap interfaces, because you'll need to create similar pre-up and post-down lines as for the tap_guest1 interface. This can be fixed by writing additional scripts in /etc/network/pre-up.d and /etc/network/post-down.d. It is also a problem if you want to reconfigure the br_wan interface with ifdown/ifup scripts while KVM guests are still running: you'll need either to remove all interfaces except eth0 from the bridge configuration and detach them from the bridge manually (don't forget to attach them back after the bridge reconfiguration), or shut down all KVM instances running on the bridge.
Another way, perhaps cleaner, is to write a custom ifup script for KVM itself and use it in the script option for your NIC. You can get an example in /etc/qemu-ifup. See the kvm manual page for details.
Then you can run your KVM box like this:
kvm -net nic,model=virtio,macaddr=12:34:56:78:9a:bc \
    -net tap,ifname=tap_guest1,script=no,downscript=no \
    -boot c -nographic -display none -daemonize \
    guest1-drive.qcow2
Setting several IP addresses on one interface for your KVM guest can be done manually with the command
ip address add aaa.bbb.ccc.101/24 dev eth0
or permanently in /etc/network/interfaces like this:
auto eth0 eth0:1
iface eth0 inet static
    address aaa.bbb.ccc.100
    network aaa.bbb.ccc.0
    netmask 255.255.255.0
    broadcast aaa.bbb.ccc.255
    gateway aaa.bbb.ccc.1
iface eth0:1 inet static
    address aaa.bbb.ccc.101
    network aaa.bbb.ccc.0
    netmask 255.255.255.0
    broadcast aaa.bbb.ccc.255
    # no gateway here: the default route already exists from eth0, and adding it a second time makes ifup eth0:1 fail
Note that if your datacenter/provider does not expect you to reveal additional boxes on the same net, they might not configure them and they will be unavailable. In this case you might want to create an internal bridge and use iptables to forward packets between your WAN interface and this bridge using DNAT and SNAT. Assuming your local virtual bridge network is 10.0.0.0/8 and your guest1 is 10.0.0.2, you'll need this:
iptables -t nat -A PREROUTING --dst aaa.bbb.ccc.100 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.2
iptables -t nat -A PREROUTING --dst aaa.bbb.ccc.101 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.2
...
# SNAT the guest's own outbound traffic (match the guest as source); matching --dst 10.0.0.2 here would instead rewrite the source of the inbound DNATed connections and hide the clients' addresses from the guest
iptables -t nat -A POSTROUTING -s 10.0.0.2 -j SNAT --to-source aaa.bbb.ccc.100
Note that you'll need as many DNAT commands as external IPs per KVM guest you have, but only one SNAT rule to give access to the internet. Also, you can allow only HTTP/HTTPS/SSH traffic by allowing only the desired ports. If you omit the --dport statement then all ports will be forwarded. Your KVM guest should have static network settings with the KVM host as default gateway unless you're willing to host a DHCP server.
Best Answer
Since you're using libvirt, you can just ask it! (My particular correlation of name to VNC display port is due to the use of Open Nebula.)
EDIT: Nowadays, you can use domdisplay to get the URI of the display whether it's VNC or Spice:
Here's a one-liner to execute this for all running guests at once:
Also made it into a function that sorts output by port number: