Hello all,

I was told on IRC that I should come here to discuss a recommended change on the networking page in the wiki.

If you take a look at the "Basic Script" shown here: http://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections

It does two things:
1) Create a DNAT rule in the NAT table of IPTABLES
2) Create a FORWARD rule in the FILTER table of IPTABLES

The FORWARD rule is set up as it ought to be; however, the DNAT rule has some unintended consequences. I set up a DNAT on port 80, and suddenly I couldn't access out on port 80 anymore from my guest machine. However, if I changed the destination address from "anywhere" to the IP of the host machine, the problem resolved. So I changed the script as follows. (Changes are highlighted. For some reason the original script didn't work using /bin/sh, but it did with /bin/bash, so I changed that too.)

#!/bin/bash
# libvirt qemu hook (/etc/libvirt/hooks/qemu), invoked as:
#   qemu <guest name> <operation> ...
# Used some from the advanced script to have multiple ports: use an equal
# number of guest and host ports (Host_port[i] is forwarded to Guest_port[i]).

Guest_name=xxxxxxx
Guest_ipaddr=xxx.xxx.xxx.xx
Host_ipaddr=xxx.xxx.xxx.xx
Host_port=( '80' '443' )
Guest_port=( '80' '443' )
length=$(( ${#Host_port[@]} - 1 ))

if [ "${1}" = "${Guest_name}" ]; then
    if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
        for i in $(seq 0 "$length"); do
            # Remove the forwarding rules added on start
            iptables -t nat -D PREROUTING -d "${Host_ipaddr}" -p tcp --dport "${Host_port[$i]}" -j DNAT --to "${Guest_ipaddr}:${Guest_port[$i]}"
            iptables -D FORWARD -d "${Guest_ipaddr}/32" -p tcp -m state --state NEW -m tcp --dport "${Guest_port[$i]}" -j ACCEPT
        done
    fi
    if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
        for i in $(seq 0 "$length"); do
            # Matching only the host's own address (-d) keeps this DNAT from
            # also catching the guest's outbound connections on the same port
            iptables -t nat -A PREROUTING -d "${Host_ipaddr}" -p tcp --dport "${Host_port[$i]}" -j DNAT --to "${Guest_ipaddr}:${Guest_port[$i]}"
            iptables -I FORWARD 4 -d "${Guest_ipaddr}/32" -p tcp -m state --state NEW -m tcp --dport "${Guest_port[$i]}" -j ACCEPT
        done
    fi
fi

Lastly, I should note that I am using Ubuntu 14.04, both for the host and guest.

I'm also curious as to why this is considered a hack method. It states in the wiki that "This method is a hack", but it doesn't express why. Many VM servers have similar features. I know VirtualBox does; I use the same feature there. It may not be how I would set up a production server, but that doesn't make it a hack.

Thanks,
BJ
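A check for the misconfiguration described in this post (a DNAT rule matching any destination, which also catches the guest's own outbound traffic on that port), added here as an example; it is not part of the post or the libvirt wiki. The rules it parses are a constructed sample in `iptables -t nat -S PREROUTING` format; pass `--live` to read the real table instead.

```shell
#!/bin/bash
# Audit nat/PREROUTING for DNAT rules with no -d restriction. Such a rule
# matches "anywhere", so a guest behind the NAT that connects out to the
# forwarded port is redirected back to itself (the symptom in the post).
# Each DNAT should be pinned to the host address with -d.
#
# Input : rules in `iptables -t nat -S PREROUTING` format, one per line.
# Output: the offending rules, one per line; returns 1 if any were found.
find_unrestricted_dnat() {
    local found=0 line
    while IFS= read -r line; do
        case "$line" in
            *" -j DNAT "*) ;;        # only DNAT rules are of interest
            *) continue ;;
        esac
        case "$line" in
            *" -d "*) continue ;;    # destination restricted: fine
        esac
        printf '%s\n' "$line"
        found=1
    done
    return $found
}

# Constructed sample of `iptables -t nat -S PREROUTING` output (not from a
# real host): one rule pinned to the host address, one matching anywhere.
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.122.5:443
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.122.5:80'

# Same check against the sample or the live table (live needs root).
audit_sample() { printf '%s\n' "$SAMPLE_RULES" | find_unrestricted_dnat; }
audit_live()   { iptables -t nat -S PREROUTING | find_unrestricted_dnat; }

if [ "${1:-}" = "--live" ]; then audit_live; else audit_sample; fi
```

The sample run prints only the port 80 rule, since the port 443 rule carries the `-d` restriction the post recommends.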