Hi Libvirt Developers
The link at
http://wiki.libvirt.org/page/Networking under "Forwarding
Incoming Connections" to the advanced version of the script is not
working.
We experienced problems with the script in that there is no interface
specified and although the port forwarding worked, it was too global and
caused a loop when we forwarded port 80 to a guest machine that required
outbound port 80 connectivity.
The advanced script might (and probably does) resolve the problems that
we experienced, but as it is not available, here is our script in the hope
that it may be useful to others.
Start of script:
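#!/bin/bash
# libvirt qemu hook: sets up per-guest port forwarding with iptables.
# derived from script at "http://wiki.libvirt.org/page/Networking"
#
# bash is required: the script uses arrays, `local -a` and ${!name}
# indirection, none of which exist in POSIX sh.

debugfile=/dev/null
# set debugfile to desired path and uncomment to debug
# NOTE: the file is truncated on every run and this hook is executed by
# libvirtd (normally as root), so keep it in a directory that only root can
# write to; a shared location such as /tmp would let another user plant a
# symlink there.
#debugfile=/mydebugpath/libvirt_hooks_qemu.debug

# ${1} AND ${2} ARE PASSED TO THIS SCRIPT BY LIBVIRTD
VIR_DOMAIN=${1}
ACTION=${2}

# printf instead of `echo -e`: the output does not depend on how the shell's
# echo treats -e, and the values are never interpreted as a format string.
printf 'VIR_DOMAIN=%s\nACTION=%s\n\n' "${VIR_DOMAIN}" "${ACTION}" > "${debugfile}"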
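#######################################
# Add or remove the DNAT and FORWARD rules that forward host ports to a guest.
#
# Nothing is changed unless the domain libvirtd reported (VIR_DOMAIN) is the
# guest named in $2. For ACTION "stopped" the rules are deleted, for "start"
# they are added, and for "reconnect" they are deleted and then added again.
#
# Globals:
#   VIR_DOMAIN (read), ACTION (read), debugfile (read, appended to)
# Arguments:
#   $1 - host interface the DNAT rule is limited to (-i)
#   $2 - guest (domain) name these rules belong to
#   $3 - guest IP address
#   $4 - indirect reference to the host port array, e.g. 'Host_port_array[@]'
#   $5 - indirect reference to the guest port array, e.g. 'Guest_port_array[@]'
# Returns:
#   0 always; a failing iptables call is reported by iptables itself and does
#   not stop the remaining rules from being processed.
#######################################
setiptables() {
  local Host_interface=${1}
  local Guest_name=${2}
  local Guest_ipaddr=${3}
  local -a Host_port=("${!4}")
  local -a Guest_port=("${!5}")
  local -a ops=() nat_cmd=() fwd_cmd=()
  local pair_count i op nat_op fwd_op

  printf 'Host_interface=%s\nGuest_name=%s\nGuest_ipaddr=%s\nHost_port=%s\nGuest_port=%s\n\n' \
    "${Host_interface}" "${Guest_name}" "${Guest_ipaddr}" \
    "${Host_port[*]}" "${Guest_port[*]}" >> "${debugfile}"

  # Rules are only touched for the guest this event is about.
  if [[ "${VIR_DOMAIN}" != "${Guest_name}" ]]; then
    return 0
  fi

  # Each host port is paired with the guest port at the same index. An
  # unpaired entry would produce a rule with an empty port, so only the
  # common prefix of the two lists is processed.
  pair_count=${#Host_port[@]}
  if (( ${#Guest_port[@]} != pair_count )); then
    printf 'setiptables: %s: host and guest port lists differ in length; unpaired entries are skipped\n' \
      "${Guest_name}" >&2
    if (( ${#Guest_port[@]} < pair_count )); then
      pair_count=${#Guest_port[@]}
    fi
  fi

  case "${ACTION}" in
    stopped) ops=(remove) ;;
    start) ops=(add) ;;
    # Remove first so that re-adding does not leave duplicate rules behind.
    reconnect) ops=(remove add) ;;
  esac

  for op in "${ops[@]}"; do
    if [[ "${op}" == "remove" ]]; then
      nat_op=-D
      fwd_op=-D
    else
      nat_op=-A
      fwd_op=-I
    fi
    for (( i = 0; i < pair_count; i++ )); do
      # The commands are built as argument arrays and run directly rather
      # than through `sh -c "<string>"`: this hook runs with libvirtd's
      # privileges, and no value is re-parsed by a shell this way.
      nat_cmd=(iptables -t nat "${nat_op}" PREROUTING -p tcp
        --dport "${Host_port[i]}" -j DNAT -i "${Host_interface}"
        --to "${Guest_ipaddr}:${Guest_port[i]}")
      # NOTE(review): the FORWARD rule has no -i match, so it accepts new
      # connections to the guest port arriving on any interface, not only on
      # Host_interface. If that is not intended, add the same -i match to
      # both the insert and the delete so the two keep matching.
      fwd_cmd=(iptables "${fwd_op}" FORWARD -d "${Guest_ipaddr}/32" -p tcp
        -m state --state NEW -m tcp --dport "${Guest_port[i]}" -j ACCEPT)
      "${nat_cmd[@]}"
      "${fwd_cmd[@]}"
      printf '%s\n%s\n\n' "${nat_cmd[*]}" "${fwd_cmd[*]}" >> "${debugfile}"
    done
  done

  printf '\n\n' >> "${debugfile}"
  return 0
}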
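# **********************************
# Guest1                           *
# **********************************
# Guest must be the libvirt domain name; setiptables compares it with the
# domain name libvirtd passes to the hook.
Guest=Guest1
# Placeholder: replace xxx with the guest's real address before installing
# the hook.
Guest_ip=192.168.122.xxx

# Forwarding from ethernet Interface eno1
interface=eno1
# This will route port 80 on ethernet interface eno1 to Guest IP address 192.168.122.xxx port 8080
# This will route port 443 on ethernet interface eno1 to Guest IP address 192.168.122.xxx port 443
# use an equal number of guest and host ports
Host_port_array=( '80' '443' )
Guest_port_array=( '8080' '443' )
# The array references are quoted so the shell passes 'name[@]' literally
# instead of treating [@] as a glob pattern.
setiptables "${interface}" "${Guest}" "${Guest_ip}" 'Host_port_array[@]' 'Guest_port_array[@]'

# Forwarding from vpn interface tun0 (example for openvpn connection)
interface=tun0
# This will route port 3395 on vpn interface tun0 to Guest IP address 192.168.122.xxx port 3395
# use an equal number of guest and host ports
Host_port_array=( '3395' )
Guest_port_array=( '3395' )
setiptables "${interface}" "${Guest}" "${Guest_ip}" 'Host_port_array[@]' 'Guest_port_array[@]'

# Multiple guest machines can be configured in a similar way
# ********* end of script ***********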