
How to port-forward requests coming into a KVM host (say, kvmHost) to one of its guests (say, kvmGuest01) ...

asked 2014-02-13 10:16:48 -0500 by nmvega

updated 2014-02-13 13:28:26 -0500 by mether

Hello:

What is the sequence of firewall-cmd(1) commands (and/or other commands) that I need to run on kvmHost to enable incoming TCP requests to kvmHost:8888 to be forwarded to, say, kvmGuest01:8888 (i.e. to one of its KVM guests)?

Noting that:

  • the active zone is the public zone
  • the host network is 192.168.0.0/24
  • the kvmHost IP address is 192.168.0.15
  • the guest network is 192.168.122.0/24
  • and the kvmGuest01 IP address is 192.168.122.180

I tried the following commands (on kvmHost), which do not work:

root@kvmHost# firewall-cmd --zone=public --add-masquerade
root@kvmHost# firewall-cmd --zone=public --add-forward-port=port=8888:proto=tcp:toaddr=192.168.122.180

Perhaps the above commands are necessary, but apparently they are not sufficient. For example, when I do this:

user@kvmHost$ telnet kvmGuest01 8888
Trying 192.168.122.180...
Connected to kvmGuest01.
Escape character is '^]'.

The above works as expected. But the following does not work, and is what I need to work (i.e. to forward):

user@kvmHost$ telnet kvmHost 8888
Trying 192.168.0.15...
telnet: connect to address 192.168.0.15: Connection refused

Note that the above firewall commands apply to the Fedora kvmHost. Does anything also need to be done at the KVM networking layer (e.g. virsh commands)?

kvmHost to kvmGuest intra-machine communication always seems so unnecessarily tricky.

Anyway, if someone can help fill in the gaps for me, I'd certainly appreciate it. =:)

Thank you in advance!

NMV


Comments

Check out this - looks like your problem https://ask.fedoraproject.org/en/ques... . There is a difference between forwarding local and remote traffic with iptables, and firewall-cmd (apparently still) does not handle the local part.

marcindulak (2014-02-18 05:53:51 -0500)

1 Answer


answered 2016-01-27 14:41:32 -0500

Set up the libvirt virtual network:

Create a new virtual network. Set network mode as "route" (not NAT) on the external network interface of the virtual host.

Example virtual network config in XML (see 'virsh help network' or use the Virtual Machine Manager GUI):

<network connections='1'>
  <name>network1</name>
  <forward dev='enp6s0' mode='route'>
    <interface dev='enp6s0'/>
  </forward>
  <bridge name='virbr1' stp='on' delay='0'/>
  <ip address='192.168.201.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.201.128' end='192.168.201.254'/>
    </dhcp>
  </ip>
</network>

Change your virtual guest's NIC to this new virtual network.

Set up port forwarding

Set up port-forward rules with firewalld on the virtual host, with 'toaddr' set to the virtual guest:

firewall-cmd --add-masquerade
firewall-cmd --add-forward-port=port=8888:proto=tcp:toport=8888:toaddr=192.168.122.180

Results

You should now be able to hit the guest port 8888 from the virtual host at 192.168.0.15.

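A consistency check for the answer above, added here as an example and not part of the original answer: it parses a libvirt network definition and a firewalld forward-port spec and reports whether the forward mode is 'route' and whether 'toaddr' actually lies in that network (and outside its DHCP pool, so the guest keeps the address). Run against the answer's own XML and its forward-port rule, it flags that 192.168.122.180 belongs to the question's original NAT network, not to the new 192.168.201.0/24 network. The sample XML is the answer's, reformatted; the function names are this example's own.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Sample input: the libvirt network definition from the answer above.
NETWORK_XML = """<network connections='1'>
  <name>network1</name>
  <forward dev='enp6s0' mode='route'>
    <interface dev='enp6s0'/>
  </forward>
  <bridge name='virbr1' stp='on' delay='0'/>
  <ip address='192.168.201.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.201.128' end='192.168.201.254'/>
    </dhcp>
  </ip>
</network>"""

# The forward-port spec from the answer's firewall-cmd line.
ANSWER_RULE = "port=8888:proto=tcp:toport=8888:toaddr=192.168.122.180"


def parse_forward_port(rule):
    """Split a firewalld 'port=...:proto=...:toport=...:toaddr=...' spec into a dict."""
    return dict(part.split("=", 1) for part in rule.split(":"))


def check_forward_target(network_xml, rule):
    """Return a list of problems found when applying the forward-port rule
    to the given libvirt network; an empty list means the pair is consistent."""
    problems = []
    root = ET.fromstring(network_xml)
    fwd = root.find("forward")
    mode = fwd.get("mode") if fwd is not None else None
    if mode != "route":
        problems.append("forward mode is %r, the answer expects 'route'" % mode)
    ip = root.find("ip")
    subnet = ipaddress.ip_network(
        "%s/%s" % (ip.get("address"), ip.get("netmask")), strict=False)
    fields = parse_forward_port(rule)
    toaddr = ipaddress.ip_address(fields["toaddr"])
    if toaddr not in subnet:
        problems.append("toaddr %s is not in guest network %s" % (toaddr, subnet))
    else:
        rng = ip.find("dhcp/range")
        if rng is not None:
            lo = ipaddress.ip_address(rng.get("start"))
            hi = ipaddress.ip_address(rng.get("end"))
            if lo <= toaddr <= hi:  # a DHCP lease may move; forward to a static address
                problems.append("toaddr %s lies in DHCP pool %s-%s" % (toaddr, lo, hi))
    return problems
```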

Comments

Any suggestions for NAT networks? I used to use iptables, but the latest CentOS7 update forces firewalld to be running with libvirtd.

morganyang1982 (2016-03-18 17:22:49 -0500)
