I have a VM that I manage with libvirt and it has a service running on port 9100. I want to forward the VM's port to the host, so that if I go to localhost:9100, I will be redirected to the VM.

I tried both https://wiki.libvirt.org/page/Networking and the following iptables rules, but neither worked.

iptables -t nat -I PREROUTING -p tcp -d 127.0.0.1 --dport 9100 -j DNAT --to-destination 192.168.122.138:9100
iptables -I FORWARD -m state -d 192.168.122.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT

Here is some more information

$ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 04:d4:c4:55:18:69 brd ff:ff:ff:ff:ff:ff
3: wlo1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DORMANT group default qlen 1000
    link/ether fc:77:74:c8:8e:76 brd ff:ff:ff:ff:ff:ff
4: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:0c:2c:a9 brd ff:ff:ff:ff:ff:ff
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN mode DEFAULT group default qlen 1000
    link/ether 52:54:00:0c:2c:a9 brd ff:ff:ff:ff:ff:ff
6: br-170b28482f3f: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
    link/ether 02:42:22:bc:33:d1 brd ff:ff:ff:ff:ff:ff
7: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:6c:29:bc:7e brd ff:ff:ff:ff:ff:ff
9: veth38ec9fc@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-170b28482f3f state UP mode DEFAULT group default 
    link/ether d2:1b:07:3c:85:5e brd ff:ff:ff:ff:ff:ff link-netnsid 0
11: veth602c005@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-170b28482f3f state UP mode DEFAULT group default 
    link/ether 8a:b0:56:bf:47:db brd ff:ff:ff:ff:ff:ff link-netnsid 1
12: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master virbr0 state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether fe:54:00:c4:ca:05 brd ff:ff:ff:ff:ff:ff
$ virsh net-dumpxml default
<network>
  <name>default</name>
  <uuid>f16acad2-01b5-473b-96ae-0c2c17a9717b</uuid>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:0c:2c:a9'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>
iomartin

1 Answer

Let's suppose, for example, that we need to forward incoming connections to port 9867 on the host machine to port 22 on the guest machine. Below are the rules needed to achieve that:

# connections from outside

# let the DNATed traffic through FORWARD ahead of libvirt's own reject rules
$ iptables -I FORWARD -o virbr1 -d 192.168.111.36 -j ACCEPT
# rewrite host:9867 to guest:22 for packets arriving from other hosts
$ iptables -t nat -I PREROUTING -p tcp --dport 9867 -j DNAT --to 192.168.111.36:22

# Masquerade local subnet
$ iptables -t nat -A POSTROUTING -s 192.168.111.0/24 -j MASQUERADE
$ iptables -A FORWARD -o virbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
$ iptables -A FORWARD -i virbr1 -o eth0 -j ACCEPT
# (forwarded packets never leave via lo, so this rule does not match anything)
$ iptables -A FORWARD -i virbr1 -o lo -j ACCEPT

where virbr1 is the interface in 192.168.111.0/24 subnet and eth0 is interface with a public IP address.

Now that we have set up port forwarding, we can save this to our permanent rule set and load the ruleset:

$ service netfilter-persistent save
$ service netfilter-persistent reload

Now, test that your VM is accessible through your firewall's public IP address:

$ ssh user@PUBLIC_IP -p 9867

Ryan
  • I get a connection refused error when I do `ssh user@localhost -p 9867`. I used `virbr0` and `eno2` (see update in my question). I confirmed I can ssh to guest with `ssh user@guest_ip` – iomartin Feb 26 '20 at 16:07
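Added example, not part of the question or of Ryan's answer. The rules above (and the asker's own attempt) only touch the nat PREROUTING chain, which packets generated on the host itself never traverse: a connection to localhost:9100 goes through the nat OUTPUT chain instead, leaves with 127.0.0.1 as its source address, and the kernel refuses to route loopback addresses over a non-loopback interface unless route_localnet is enabled on that interface. The script below is a libvirt qemu hook (installed as /etc/libvirt/hooks/qemu, the same mechanism the linked wiki page uses) that handles both cases: it DNATs in PREROUTING for remote clients and in OUTPUT for the host itself, masquerades the hairpinned packets as the bridge address, enables route_localnet on virbr0, and, because route_localnet also lets the guest side of the bridge reach the host's 127.0.0.0/8, drops any new connection from the bridge to loopback. The guest name "vm1" is an assumption; the guest address 192.168.122.138, bridge virbr0 and port 9100 are taken from the question. Setting IPT=echo SYSCTL=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original question or answer): a libvirt qemu hook,
# installed as /etc/libvirt/hooks/qemu, that adds the port forward when the guest
# starts and removes it when the guest stops.  libvirtd runs it as
#   qemu <guest name> <operation> <sub-operation> <extra>
# Assumed: guest name "vm1".  Guest IP, bridge and port 9100 come from the question.

GUEST_NAME=${GUEST_NAME:-vm1}
GUEST_IP=${GUEST_IP:-192.168.122.138}
GUEST_PORT=${GUEST_PORT:-9100}
HOST_PORT=${HOST_PORT:-9100}
BRIDGE=${BRIDGE:-virbr0}
IPT=${IPT:-iptables}      # set IPT=echo to print the rules instead of applying them
SYSCTL=${SYSCTL:-sysctl}  # likewise SYSCTL=echo

# Insert ($1 = -I) or delete ($1 = -D) the rule set.  Inserting at the top of each
# chain places the rules ahead of the REJECT rules libvirt itself adds for the bridge.
nat_rules() {
    op=$1
    # Connections arriving from other machines are rewritten in PREROUTING.
    $IPT -t nat "$op" PREROUTING -p tcp --dport "$HOST_PORT" \
        -j DNAT --to-destination "$GUEST_IP:$GUEST_PORT"
    # Connections made on the host itself (curl localhost:9100) never traverse
    # PREROUTING; locally generated packets are NATed in the nat OUTPUT chain.
    $IPT -t nat "$op" OUTPUT -o lo -p tcp --dport "$HOST_PORT" \
        -j DNAT --to-destination "$GUEST_IP:$GUEST_PORT"
    # After that DNAT the packet leaves over the bridge with a loopback source
    # address, which the guest cannot answer; masquerade it as the bridge address.
    $IPT -t nat "$op" POSTROUTING -o "$BRIDGE" -m addrtype --src-type LOCAL \
        -d "$GUEST_IP" -p tcp --dport "$GUEST_PORT" -j MASQUERADE
    # The DNATed flow still has to pass the filter table's FORWARD chain.
    $IPT "$op" FORWARD -o "$BRIDGE" -d "$GUEST_IP" -p tcp --dport "$GUEST_PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    # route_localnet (enabled in hook_main) also makes the host's 127.0.0.0/8
    # reachable from the guest side of the bridge; refuse connections the guest
    # opens to it.  Replies to the hairpinned flow are ESTABLISHED, so they pass.
    $IPT "$op" INPUT -i "$BRIDGE" -d 127.0.0.0/8 -m conntrack --ctstate NEW -j DROP
}

hook_main() {
    guest=$1
    operation=$2
    [ "$guest" = "$GUEST_NAME" ] || return 0
    case $operation in
        start|reconnect)
            # Lets the kernel route packets with a 127.0.0.1 source out over the
            # bridge and accept the replies addressed to 127.0.0.1 that come back
            # in over it; without this both are dropped as martians.
            $SYSCTL -q -w "net.ipv4.conf.$BRIDGE.route_localnet=1"
            nat_rules -I
            ;;
        stopped)
            nat_rules -D
            ;;
    esac
}

# Dispatch on libvirtd's arguments; does nothing when sourced without arguments.
if [ $# -gt 0 ]; then
    hook_main "$@"
fi
```

Make the file executable and restart libvirtd so it picks the hook up, then start the guest and check with `curl -v http://localhost:9100/` from the host and with `iptables -t nat -L OUTPUT -n -v`, whose packet counters on the OUTPUT DNAT rule should increase. Since the guest gets its address from DHCP, pin it with a `<host mac='...' ip='192.168.122.138'/>` entry under `<dhcp>` in the network definition so the rules keep pointing at the right VM.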