I am currently running a Xen Hypervisor underneath Ubuntu 14.04. On the host machine I am running a guest VM.
From what I understand, In order to be able to receive incoming connections on the virtual machine, I have to first write a hook that edits my iptables
when the guest is initiated.
I use Virtual Machine Manager as a GUI to initiate my VMs. the hook i have set up is located /etc/libvirt/hooks/qemu
I am trying to open TCP/UDP port 6969
and UDP port 17
for my VM labeled "Windows
"
#!/bin/bash
# used some from advanced script to have multiple ports: use an equal number of$
# Update the following variables to fit your setup
Guest_name=Windows
Guest_ipaddr=192.168.122.99
Host_ipaddr=192.168.122.1
Host_port=( '6969' '17' )
Guest_port=( '6969' '17' )
length=$(( ${#Host_port[@]} - 1 ))
if [ "${1}" = "${Guest_name}" ]; then
if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
for i in `seq 0 $length`; do
iptables -t nat -D PREROUTING -d ${Host_ipaddr} -p tcp --dport $$
iptables -D FORWARD -d ${Guest_ipaddr}/32 -p tcp -m state --stat$
done
fi
if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
for i in `seq 0 $length`; do
iptables -t nat -A PREROUTING -d ${Host_ipaddr} -p tcp --dport $$
iptables -I FORWARD -d ${Guest_ipaddr}/32 -p tcp -m state --stat$
done
fi
fi
ifconfig is where I got the info
$ ifconfig
eth0 Link encap:Ethernet HWaddr d0:50:99:67:4a:b7
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:17367 errors:0 dropped:6 overruns:0 frame:0
TX packets:13439 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3494857 (3.4 MB) TX bytes:2707716 (2.7 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:3774 errors:0 dropped:0 overruns:0 frame:0
TX packets:3774 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1303572 (1.3 MB) TX bytes:1303572 (1.3 MB)
vif1.0 Link encap:Ethernet HWaddr fe:ff:ff:ff:ff:ff
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
vif1.0-emu Link encap:Ethernet HWaddr fe:ff:ff:ff:ff:ff
inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1613 errors:0 dropped:0 overruns:0 frame:0
TX packets:3307 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:508517 (508.5 KB) TX bytes:1054123 (1.0 MB)
xenbr0 Link encap:Ethernet HWaddr d0:50:99:67:4a:b7
inet addr:192.168.2.100 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::d250:99ff:fe67:4ab7/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14808 errors:0 dropped:0 overruns:0 frame:0
TX packets:11826 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2478850 (2.4 MB) TX bytes:2165931 (2.1 MB)
These are the iptables
, which seem to go uncaged with the hook
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-out vif2.0 --physdev-is-bridged
ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-in vif2.0 --physdev-is-bridged
ACCEPT all -- anywhere 192.168.122.0/24 state NEW,RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
This is where i got the hook: http://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections
Some people are/are going to be curious about network interfaces, so here:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet manual
auto xenbr0
iface xenbr0 inet static
bridge_ports eth0
address 192.168.2.100
netmask 255.255.255.0
gateway 192.168.2.1
dns-nameservers 192.168.2.1
Default Network Configuration:
<network>
<name>default</name>
<bridge name="virbr0"/>
<forward/>
<ip address="192.168.122.1" netmask="255.255.255.0">
<dhcp>
<range start="192.168.122.2" end="192.168.122.254"/>
</dhcp>
</ip>
</network>
Output of sudo iptables -t nat -v -x -n -L
:
Chain PREROUTING (policy ACCEPT 4326 packets, 267215 bytes)
pkts bytes target prot opt in out source destination
9 528 DNAT tcp -- * * 0.0.0.0/0 192.168.2.100 tcp dpt:6969 to:192.168.122.99:6969
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.2.100 tcp dpt:6969 to:192.168.122.0:6969
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.122.1 tcp dpt:6969 to:192.168.122.0:6969
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.122.1 tcp dpt:6969 to:192.168.122.99:6969
Chain INPUT (policy ACCEPT 3457 packets, 177928 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2010 packets, 132685 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 2609 packets, 213516 bytes)
pkts bytes target prot opt in out source destination
5 365 RETURN all -- * * 192.168.122.0/24 224.0.0.0/24
0 0 RETURN all -- * * 192.168.122.0/24 255.255.255.255
0 0 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24