On Tue, Dec 04, 2007 at 01:40:51PM +0000, Daniel P. Berrange wrote:
On Tue, Dec 04, 2007 at 12:08:15PM +0000, Richard W.M. Jones wrote:
> What do people think about adding port forwarding to network configurations?
A good idea. Mark had forwarding on his original spec, but it was not
implemented at the time.
> At the moment it's unnecessarily difficult to connect to (eg.) sshd port
> or remote desktop port on a virtual machine running under the virtual
> network configuration. If those ports could be mapped to consecutive
> ports on the public (eth0) interface then connecting would be simply a
> matter of knowing the port number.
>
> AFAICS this could be implemented by adding rules such as these to the
> iptables:
>
> iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 \
> -j DNAT --to-destination 192.168.122.5
> iptables -A FORWARD -i $EXTIF -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -i $INTIF -p tcp -d $EXTIP --dport 80 \
> -j DNAT --to-destination 192.168.122.5
> iptables -A FORWARD -i $INTIF -p tcp -d $EXTIP --dport 80 -j ACCEPT
Oh, the other hard part is figuring out what IP address corresponds to what
virtual domain. We've no easy way to get that info back from dnsmasq at this
time. One option is for libvirt to keep track of IP address <-> VM mappings
and pass this info to dnsmasq via its --dhcp-hostsfile arg. This would also
let us expose ability for user to give fixed mappings in the XML if we wanted.
>
> (rules taken from http://www.ma.utexas.edu/users/stirling/computergeek/server.html)
>
> Rich.
>
> PS. I'm assuming that this is _not_ what the current /network/forward
> XML does? It seems to enable forwarding for a single privileged guest
> as far as I can work out.
Yes, that is correct.
If you have
<forward/>
Then outbound NAT is enabled from the bridge to any physical device.
If you have
<forward dev='eth0'/>
Then outbound NAT is enabled from the bridge, but only allowed to eth0.
If routing rules would send it elsewhere, it's blocked.
If you don't have any, then the network is totally isolated.
In all three of those scenarios inbound port-forwarding is a reasonable
idea.
The hard part is deciding on the inbound physical NIC to use. The 'default'
network has its rules explicitly setup to not care about physical NICs so
that it works even if NetworkManager switches you between eth0 & eth1.
I guess the user will just have to add port forward rules as they need...
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
--
Libvir-list mailing list
Libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
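Added example, not code from the thread or from libvirt: a small POSIX shell script that takes a constructed guest inventory, emits a dnsmasq --dhcp-hostsfile so each guest keeps a fixed address (the IP <-> VM mapping Dan mentions), and generates the DNAT + FORWARD rules from Rich's mail with consecutive public ports. EXTIF, INTIF, EXTIP, BASEPORT and the guest table are assumptions; the rules are printed rather than applied, and the FORWARD ACCEPT lines are narrowed to the post-DNAT guest address and port so they admit only the forwarded traffic.

```shell
#!/bin/sh
# Hypothetical example: generate libvirt-style port forwarding rules
# and a dnsmasq hostsfile from one inventory. Nothing is applied here.

EXTIF=eth0                  # assumed public NIC
INTIF=virbr0                # assumed bridge of the virtual network
EXTIP=203.0.113.10          # constructed public address (RFC 5737 range)
BASEPORT=2200               # first public port handed out

# Constructed inventory: name  MAC  guest-IP  guest-port
GUESTS='web  52:54:00:00:00:01 192.168.122.5  80
ssh1 52:54:00:00:00:02 192.168.122.6  22'

# dnsmasq --dhcp-hostsfile lines: mac,ip,hostname (fixed lease per guest)
dhcp_hostsfile() {
    printf '%s\n' "$GUESTS" | while read -r name mac ip port; do
        [ -n "$name" ] && printf '%s,%s,%s\n' "$mac" "$ip" "$name"
    done
}

# Rules for one guest. FORWARD sees the packet after DNAT, so the ACCEPT
# matches the guest address/port, not the public one. The hairpin pair on
# INTIF additionally needs a MASQUERADE/SNAT rule in real use so replies
# from the guest return via the host rather than directly on the bridge.
forward_rules() {   # $1=public port  $2=guest ip  $3=guest port
    pub=$1 ip=$2 gport=$3
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' "$EXTIF" "$pub" "$ip" "$gport"
    printf 'iptables -A FORWARD -i %s -o %s -p tcp -d %s --dport %s -j ACCEPT\n' "$EXTIF" "$INTIF" "$ip" "$gport"
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' "$INTIF" "$EXTIP" "$pub" "$ip" "$gport"
    printf 'iptables -A FORWARD -i %s -o %s -p tcp -d %s --dport %s -j ACCEPT\n' "$INTIF" "$INTIF" "$ip" "$gport"
}

# Walk the inventory, assigning BASEPORT, BASEPORT+1, ... in order.
all_rules() {
    n=0
    printf '%s\n' "$GUESTS" | while read -r name mac ip port; do
        [ -n "$name" ] || continue
        forward_rules $((BASEPORT + n)) "$ip" "$port"
        n=$((n + 1))
    done
}

[ "${1:-}" = "--run" ] && { dhcp_hostsfile; all_rules; }
```

Run with `--run` to print the hostsfile followed by the rules; pipe the rule lines into a root shell only after reviewing them against the NIC names on the host.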