
I am currently running a Xen Hypervisor underneath Ubuntu 14.04. On the host machine I am running a guest VM.

From what I understand, in order to be able to receive incoming connections on the virtual machine, I have to first write a hook that edits my iptables when the guest is initiated.

I use Virtual Machine Manager as a GUI to initiate my VMs. The hook I have set up is located at `/etc/libvirt/hooks/qemu`. I am trying to open TCP/UDP port 6969 and UDP port 17 for my VM labeled "Windows":

    #!/bin/bash
    # used some from advanced script to have multiple ports: use an equal number of
    # guest and host ports
    #
    # Update the following variables to fit your setup
    Guest_name=Windows
    Guest_ipaddr=192.168.122.99
    Host_ipaddr=192.168.122.1
    Host_port=(  '6969' '17' )
    Guest_port=( '6969' '17' )

    # libvirt calls this hook as: qemu <guest name> <operation> ...
    # Note: every rule below matches "-p tcp" only; no UDP rules are generated.
    # The two iptables lines in each loop were cut off in the pasted copy and are
    # completed here from the libvirt wiki script linked below.
    length=$(( ${#Host_port[@]} - 1 ))
    if [ "${1}" = "${Guest_name}" ]; then
       if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
           for i in $(seq 0 $length); do
                   iptables -t nat -D PREROUTING -d ${Host_ipaddr} -p tcp --dport ${Host_port[$i]} -j DNAT --to ${Guest_ipaddr}:${Guest_port[$i]}
                   iptables -D FORWARD -d ${Guest_ipaddr}/32 -p tcp -m state --state NEW -m tcp --dport ${Guest_port[$i]} -j ACCEPT
           done
       fi
       if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
           for i in $(seq 0 $length); do
                   iptables -t nat -A PREROUTING -d ${Host_ipaddr} -p tcp --dport ${Host_port[$i]} -j DNAT --to ${Guest_ipaddr}:${Guest_port[$i]}
                   iptables -I FORWARD -d ${Guest_ipaddr}/32 -p tcp -m state --state NEW -m tcp --dport ${Guest_port[$i]} -j ACCEPT
           done
       fi
    fi

`ifconfig` is where I got the info:

    $ ifconfig
    eth0      Link encap:Ethernet  HWaddr d0:50:99:67:4a:b7  
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:17367 errors:0 dropped:6 overruns:0 frame:0
              TX packets:13439 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:3494857 (3.4 MB)  TX bytes:2707716 (2.7 MB)

    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:3774 errors:0 dropped:0 overruns:0 frame:0
              TX packets:3774 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:1303572 (1.3 MB)  TX bytes:1303572 (1.3 MB)

    vif1.0    Link encap:Ethernet  HWaddr fe:ff:ff:ff:ff:ff  
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:32 
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    vif1.0-emu Link encap:Ethernet  HWaddr fe:ff:ff:ff:ff:ff  
              inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1613 errors:0 dropped:0 overruns:0 frame:0
              TX packets:3307 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:500 
              RX bytes:508517 (508.5 KB)  TX bytes:1054123 (1.0 MB)

    xenbr0    Link encap:Ethernet  HWaddr d0:50:99:67:4a:b7  
              inet addr:192.168.2.100 Bcast:192.168.2.255 Mask:255.255.255.0
              inet6 addr: fe80::d250:99ff:fe67:4ab7/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:14808 errors:0 dropped:0 overruns:0 frame:0
              TX packets:11826 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:2478850 (2.4 MB)  TX bytes:2165931 (2.1 MB)

These are the iptables, which seem to go unchanged with the hook:

    $ sudo iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
    ACCEPT     all  --  192.168.122.0/24     anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
    ACCEPT     all  --  anywhere             anywhere             PHYSDEV match --physdev-out vif2.0 --physdev-is-bridged
    ACCEPT     all  --  anywhere             anywhere             PHYSDEV match --physdev-in vif2.0 --physdev-is-bridged
    ACCEPT     all  --  anywhere             192.168.122.0/24     state NEW,RELATED,ESTABLISHED

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

This is where I got the hook: http://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections

Some people are/are going to be curious about network interfaces, so here:

    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet manual

    auto xenbr0
    iface xenbr0 inet static
            bridge_ports eth0
            address 192.168.2.100
            netmask 255.255.255.0
            gateway 192.168.2.1
            dns-nameservers 192.168.2.1

Default Network Configuration:

    <network>
      <name>default</name>
      <bridge name="virbr0"/>
      <forward/>
      <ip address="192.168.122.1" netmask="255.255.255.0">
        <dhcp>
          <range start="192.168.122.2" end="192.168.122.254"/>
        </dhcp>
      </ip>
    </network>

Output of `sudo iptables -t nat -v -x -n -L`:

    Chain PREROUTING (policy ACCEPT 4326 packets, 267215 bytes)
        pkts      bytes target     prot opt in     out     source               destination         
           9      528 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.2.100        tcp dpt:6969 to:192.168.122.99:6969
           0        0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.2.100        tcp dpt:6969 to:192.168.122.0:6969
           0        0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.122.1        tcp dpt:6969 to:192.168.122.0:6969
           0        0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.122.1        tcp dpt:6969 to:192.168.122.99:6969

    Chain INPUT (policy ACCEPT 3457 packets, 177928 bytes)
        pkts      bytes target     prot opt in     out     source               destination         

    Chain OUTPUT (policy ACCEPT 2010 packets, 132685 bytes)
        pkts      bytes target     prot opt in     out     source               destination         

    Chain POSTROUTING (policy ACCEPT 2609 packets, 213516 bytes)
        pkts      bytes target     prot opt in     out     source               destination         
           5      365 RETURN     all  --  *      *       192.168.122.0/24     224.0.0.0/24        
           0        0 RETURN     all  --  *      *       192.168.122.0/24     255.255.255.255     
           0        0 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
           0        0 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
           0        0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24  
musclez
  • You're sure you're using NAT? Looks like you're using bridging instead. – jornane Aug 01 '15 at 13:33
  • I am bridging eth0 as xenbr0 – musclez Aug 01 '15 at 13:34
  • This is where I got the hook: http://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections – musclez Aug 01 '15 at 13:39
  • Then I'm confused on what your question is. Are you asking how to do port forwarding on your router, whether iptables is configured correctly or how you should configure the VM itself? Can you tell us what you want to accomplish and how the current situation doesn't allow that? – jornane Aug 01 '15 at 13:40
  • Your link is about forward mode NAT, yet you're clearly using a bridge. – jornane Aug 01 '15 at 13:41
  • If I mislabeled the post I am sorry. I am trying to forward the port from my guest OS to the host. As stated in the libvirt information, the ports have to be added to the `iptables` in order to have incoming traffic on them. Currently, the only ports open on the guest are the ports that are being opened already on the host. – musclez Aug 01 '15 at 13:46
  • Not enough information. You need to specify how you configured the guest's networking in libvirt. – Michael Hampton Aug 01 '15 at 16:23
  • It's using virbr0 with 192.168.122.1 as the host with range 2-254. If there is more information you would need I would need to know from which file location. – musclez Aug 01 '15 at 16:59
  • That's the default network, but which network is your VM actually using? – Michael Hampton Aug 01 '15 at 17:38
  • I don't know what more information you need. Please specify the command or file I need to access for you. – musclez Aug 01 '15 at 17:42
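An added example, not the poster's hook nor the libvirt wiki script it was copied from: a protocol-aware variant of the `/etc/libvirt/hooks/qemu` hook. The question asks for TCP and UDP 6969 plus UDP 17, but the posted script only ever emits `-p tcp` rules; here each entry carries its own protocol. `Rules`, `IPT`, `apply_rules` and `hook_main` are names invented for this example, and as the answers below note, these DNAT/FORWARD rules only matter when the guest sits on a libvirt NAT network rather than on a bridge shared with eth0.

```shell
#!/bin/sh
# Added example (not the poster's hook, not libvirt's wiki script): a
# protocol-aware /etc/libvirt/hooks/qemu hook. Rules, IPT, apply_rules and
# hook_main are names invented here.

Guest_name=Windows
Guest_ipaddr=192.168.122.99
Host_ipaddr=192.168.122.1
# One entry per forwarded port, as proto:host_port:guest_port (constructed to
# match the ports named in the question).
Rules='tcp:6969:6969 udp:6969:6969 udp:17:17'
# Set IPT=echo to print the iptables commands instead of applying them.
IPT=${IPT:-iptables}

# apply_rules add|delete : one DNAT and one FORWARD rule per entry in Rules.
apply_rules() {
    action=$1
    case $action in
        add)    nat_flag=-A; fwd_flag=-I ;;
        delete) nat_flag=-D; fwd_flag=-D ;;
        *) echo "apply_rules: unknown action '$action'" >&2; return 1 ;;
    esac
    for entry in $Rules; do
        proto=${entry%%:*}; rest=${entry#*:}
        hport=${rest%%:*}; gport=${rest#*:}
        # Rewrite the destination so traffic for the host address reaches the guest...
        "$IPT" -t nat "$nat_flag" PREROUTING -d "$Host_ipaddr" -p "$proto" \
            --dport "$hport" -j DNAT --to "$Guest_ipaddr:$gport"
        # ...and admit only that port's NEW connections through FORWARD; the
        # RELATED,ESTABLISHED return path is already accepted by libvirt's rules.
        "$IPT" "$fwd_flag" FORWARD -d "$Guest_ipaddr/32" -p "$proto" \
            -m state --state NEW -m "$proto" --dport "$gport" -j ACCEPT
    done
}

# hook_main GUEST OPERATION : libvirt invokes the hook as "qemu <guest> <op> ...".
# Only rules matching the current variables are removed; leftovers from earlier
# variable values (like the stale DNAT entries in the question's nat listing)
# still have to be deleted by hand.
hook_main() {
    [ "$1" = "$Guest_name" ] || return 0
    case $2 in
        stopped)   apply_rules delete ;;
        start)     apply_rules add ;;
        reconnect) apply_rules delete; apply_rules add ;;
    esac
    return 0
}

hook_main "$@"
```

Run with `IPT=echo ./qemu Windows start` to review the generated rules before installing the file as the hook.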

2 Answers

EDIT: It turns out that OP uses a bridge with two different subnets. This was not clear from the question before an edit, and this answer was written with the assumption that both ends on the bridge have the same subnet.

You are not using NAT on your Libvirt box. I suspect you're running a home lab, with your ISP's modem doing the NAT'ing for you? Your Libvirt box is configured with bridging.

What this means is that, most likely, you don't have to do anything and the iptables commands in your code are unnecessary. The VMs are already exposed to your local network 192.168.2.0/24, and if you want to make them reachable from the internet, you'll have to do that in the router (not a Libvirt problem, not worth discussing in this thread).

As an exception, the VMs may be blocked from being reached if you are using ebtables or if net.bridge.bridge-nf-call-iptables is enabled. However, I doubt that's the case here.

jornane

After posting your network configuration, I see you are using a different subnet for Libvirt. This is wrong, especially considering that you use 192.168.2.100 on the bridge interface that you use for Libvirt, while the virtual machines (that are on the same bridge) get allocated 192.168.122.0/24.

Anyway, if you insist on doing double NAT, reflect this in your settings. Either set mode to NAT or use the same IP range on both ends of the bridge.

What you are doing now is extremely confusing and will come and bite you at some point in time. Your question has already been answered on Server Fault (although it took some time to find out what your question really was). Here it is: iptables port forwarding on debian.

jornane
  • To my understanding, I just followed the manual for bridging internet connections with Xen. Everything else is default settings. If this confuses you, I'd appreciate if you took a look at https://help.ubuntu.com/community/Xen#Network_Configuration for reference. This is where eth0 and xenbr0 are created. Virbr0 is created with Libvirt, however this is not a selectable setting in any of my guest operating systems. Essentially, the workings of virbr0 seem hidden from the other VMs. – musclez Aug 02 '15 at 03:55
  • The document you refer to mentions `iface xenbr0 inet dhcp` in /etc/interfaces. You are not using DHCP there, you set the IP address manually. That in itself isn't a problem, but you use a different subnet in `interfaces` and Libvirt, while on the same bridge. Using different subnets on the same bridge is what's confusing. Additionally, you are offering DHCP on this bridge, risking that this DHCP server leaks towards eth0. `` will do what you are trying to do in a much cleaner way, you won't need any bridges then. – jornane Aug 03 '15 at 10:53
  • From what you suggested and from further reading on https://libvirt.org/formatnetwork.html, I've added `` to the default network xml file. This did not enable anything. – musclez Aug 03 '15 at 15:42
  • You still need to update your `/etc/interfaces` so that `eth0` is not bridged with `xenbr0`. Then `xenbr0` is a bridge purely for your VMs (with DHCP and the whole lot). `eth0` can be configured to get an IP address from DHCP if you have a DHCP server upstream. The bridge has thus no `bridge_ports` when it starts. Do not use the `/etc/interfaces` from the Ubuntu link you provided, that's only if you don't want to use NAT. If you still have questions, please open a new thread. – jornane Aug 03 '15 at 16:08