Ask Your Question

How to port-forwarding requests coming into a kVM host (say, kvmHost) to one of its guests (say, kvmGuest01) ...

asked 2014-02-13 10:16:48 -0500

nmvega gravatar image

updated 2014-02-13 13:28:26 -0500

mether gravatar image


What is the sequence of firewall-cmd(1) commands (and/or other commands) that I need to run on kvmHost to enable incoming TCP requests to kvmHost:8888 to be forwarded to, say, kvmGuest01:8888? (i.e. to one of it's KVM guests).

Noting that:

  • the active zone is the public zone
  • the host network is
  • the kvmHost IP address is
  • the guest network is
  • and the kvmGuest01 IP address is

I tried the following commands (on kvmHost), which does not work:

root@kvmHost# firewall-cmd --zone=public --add-masquerade
root@kvmHost# firewall-cmd --zone=public --add-forward-port=port=8888:proto=tcp:toaddr=

Perhaps the above commands are necessary, but apparently they are not sufficient. For example, when I do this:

user@kvmHost$ telnet kvmGuest01 8888
Connected to kvmGuest01.
Escape character is '^]'.

The above works as expected. But the following does not work, and is what I need to work (i.e. to forward):

user@kvmHost$ telnet kvmHost 8888
telnet: connect to address Connection refused

Note that the above firewall commands apply to the Fedora kvmHost. Does anything also need to be to done at the KVM networking layer (e.g. virsh commands)?

kvmHost to kvmGuests intra-machine communication always seem so unnecessarily tricky.

Anyway, if someone can help fill in the gaps for me, I'd certainly appreciate it. =:)

Thank you in advance!


edit retag flag offensive close merge delete


Check out this - looks like your problem . There is a difference between forwarding local and remote traffic with iptables, and firewall-cmd (apparently still) does not handle the local part.

marcindulak gravatar imagemarcindulak ( 2014-02-18 05:53:51 -0500 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2016-01-27 14:41:32 -0500

Setup libvirt virtual network:

Create a new virtual network. Set network mode as "route" (not NAT) on the external network interface of the virtual host.

Example virtual network config in xml: (see 'virsh help network' or use the Virtual Machine Manager GUI).

<network connections='1'> <name>network1</name> <forward dev='enp6s0' mode='route'> <interface dev='enp6s0'/> </forward> <bridge name='virbr1' stp='on' delay='0'/> <ip address='' netmask=''> <dhcp> <range start='' end=''/> </dhcp> </ip> </network>

Change your virtual guests NIC to this new virtual network.

Setup Port-forward

Setup port forward rules with firewalld on the Virtual Host with 'toaddr' set to the Virtual Guest

firewall-cmd --add-masquerade
firewall-cmd --add-forward-port=port=8888:proto=tcp:toport=8888:toaddr=


You should now be able to hit the guest port 8888 from the virtual host

edit flag offensive delete link more


Any suggestions for NAT networks? I use to use iptables, but the latest CentOS7 update forces firewalld to be running with libvirtd.

morganyang1982 gravatar imagemorganyang1982 ( 2016-03-18 17:22:49 -0500 )edit

Question Tools



Asked: 2014-02-13 10:16:48 -0500

Seen: 7,525 times

Last updated: Feb 13 '14