Hello all,
I was told on IRC that I should come here to discuss a recommended change
on the networking page in the wiki.
If you take a look at the "Basic Script" shown here:
http://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections
It does two things:
1) Create a DNAT rule in the NAT table of IPTABLES
2) Create a FORWARD rule in the FILTER table of IPTABLES
The FORWARD rule is set up as it ought to be; however, the DNAT rule has
some unintended consequences. I set up a DNAT on port 80, and suddenly I
couldn't access out on port 80 anymore from my guest machine. However, if I
changed the destination address from "anywhere" to the IP of the host
machine, the problem resolved. So I changed the script as follows.
(Changed lines are marked. For some reason the original script didn't work
using /bin/sh, but it did with /bin/bash, so I changed that too).
#!/bin/bash                                   # changed: was #!/bin/sh
# used some from advanced script to have multiple ports: use an equal
# number of guest and host ports
Guest_name=xxxxxxx
Guest_ipaddr=xxx.xxx.xxx.xx
Host_ipaddr=xxx.xxx.xxx.xx                    # changed: added
Host_port=( '80' '443' )
Guest_port=( '80' '443' )
length=$(( ${#Host_port[@]} - 1 ))

# libvirt calls the hook with the guest name as $1 and the operation as $2
if [ "${1}" = "${Guest_name}" ]; then
    if [ "${2}" = "stopped" -o "${2}" = "reconnect" ]; then
        for i in $(seq 0 $length); do
            # changed: DNAT now matches only traffic addressed to the host
            iptables -t nat -D PREROUTING -d ${Host_ipaddr} -p tcp --dport ${Host_port[$i]} -j DNAT --to ${Guest_ipaddr}:${Guest_port[$i]}
            iptables -D FORWARD -d ${Guest_ipaddr}/32 -p tcp -m state --state NEW -m tcp --dport ${Guest_port[$i]} -j ACCEPT
        done
    fi
    if [ "${2}" = "start" -o "${2}" = "reconnect" ]; then
        for i in $(seq 0 $length); do
            # changed: DNAT now matches only traffic addressed to the host
            iptables -t nat -A PREROUTING -d ${Host_ipaddr} -p tcp --dport ${Host_port[$i]} -j DNAT --to ${Guest_ipaddr}:${Guest_port[$i]}
            iptables -I FORWARD 4 -d ${Guest_ipaddr}/32 -p tcp -m state --state NEW -m tcp --dport ${Guest_port[$i]} -j ACCEPT
        done
    fi
fi
Lastly, I should note that I am using Ubuntu 14.04, both for the host and
guest.
I'm also curious as to why this is considered a hack method. It states in
the wiki that "This method is a hack", but it doesn't express why. Many VM
servers have similar features. I know VirtualBox does; I use the same
feature there. It may not be how I would set up a production server, but
that doesn't make it a hack.
Thanks,
BJ
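As an added example (not the original poster's script and not code from the libvirt wiki), here is a POSIX-sh version of the same hook logic with the DNAT scoped to the host address, as the post recommends. It avoids bash arrays, which is why the original failed under Ubuntu's /bin/sh (dash), and it checks for an existing rule before adding one so that a hook firing on "start" and again on "reconnect" does not stack duplicates. The guest name, addresses and port pairs are placeholders, and the IPTABLES variable is an assumption added here so the script can be dry-run with IPTABLES=echo.

```shell
#!/bin/sh
# Added example, not the original poster's script or libvirt's wiki code.
# Assumptions: IPv4, one host address, iptables on PATH. Placeholder values
# below are constructed for illustration; override them via the environment.

IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo to dry-run

# Build the PREROUTING DNAT rule body (chain first, then the match/target).
# "-d $host_ip" is the fix the post describes: PREROUTING is traversed by
# packets arriving from the guest on virbr0 as well as by packets arriving
# from the LAN, so a rule matching any destination also captures the guest's
# own outbound port-80 connections and redirects them back to the guest.
dnat_rule() {
    # $1 host_ip  $2 guest_ip  $3 host_port  $4 guest_port
    printf '%s\n' "PREROUTING -d $1 -p tcp --dport $3 -j DNAT --to-destination $2:$4"
}

# Build the FORWARD rule body that accepts new connections to the guest port.
forward_rule() {
    # $1 guest_ip  $2 guest_port
    printf '%s\n' "FORWARD -d $1/32 -p tcp -m state --state NEW -m tcp --dport $2 -j ACCEPT"
}

# Insert a rule only if it is not already present (-C). -I places it at the
# head of the chain, ahead of libvirt's own FORWARD rules (which end in
# REJECT); the wiki's "-I FORWARD 4" assumes a particular chain layout.
# Word splitting of $2 is intended: its fields contain no whitespace.
ensure_rule() {
    # $1 table  $2 rule body
    "$IPTABLES" -t "$1" -C $2 2>/dev/null || "$IPTABLES" -t "$1" -I $2
}

# Remove a rule; ignore "no such rule" so cleanup is idempotent.
drop_rule() {
    # $1 table  $2 rule body
    "$IPTABLES" -t "$1" -D $2 2>/dev/null || true
}

# Add or remove every forward listed as "hostport:guestport" pairs.
apply_forwards() {
    # $1 add|del  $2 host_ip  $3 guest_ip  $4 port pairs, e.g. "80:80 443:443"
    for pair in $4; do
        hport=${pair%%:*}
        gport=${pair#*:}
        if [ "$1" = add ]; then
            ensure_rule nat "$(dnat_rule "$2" "$3" "$hport" "$gport")"
            ensure_rule filter "$(forward_rule "$3" "$gport")"
        else
            drop_rule nat "$(dnat_rule "$2" "$3" "$hport" "$gport")"
            drop_rule filter "$(forward_rule "$3" "$gport")"
        fi
    done
}

# Hook entry point: /etc/libvirt/hooks/qemu receives the guest name as $1
# and the operation (start, stopped, reconnect, ...) as $2.
GUEST_NAME="${GUEST_NAME:-xxxxxxx}"            # placeholder
GUEST_IP="${GUEST_IP:-192.168.122.10}"         # placeholder (assumed)
HOST_IP="${HOST_IP:-203.0.113.10}"             # placeholder (assumed)
PORT_PAIRS="${PORT_PAIRS:-80:80 443:443}"

if [ "$1" = "$GUEST_NAME" ]; then
    case "$2" in
        stopped|reconnect) apply_forwards del "$HOST_IP" "$GUEST_IP" "$PORT_PAIRS" ;;
    esac
    case "$2" in
        start|reconnect) apply_forwards add "$HOST_IP" "$GUEST_IP" "$PORT_PAIRS" ;;
    esac
fi
```

One caveat when testing the scoped rule: connections the host makes to its own address do not traverse PREROUTING (they go through the nat OUTPUT chain), so a curl from the host against HOST_IP:80 will not reach the guest; test from another machine on the LAN, and confirm the rules with `iptables -t nat -S PREROUTING` and `iptables -S FORWARD`.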