
I'm on a host machine with CentOS 7 and 2 guests on CentOS 6.6. I want one of my guests to have a static external IP, but some of its ports must be routed to another guest.

On host machine I do:

iptables -t nat -I PREROUTING -d <EXTERNAL IP> -i enp2s0 -j DNAT --to-destination 192.168.122.88
iptables -t nat -I POSTROUTING -s 192.168.122.88 -o enp2s0 -j SNAT --to-source <EXTERNAL IP>

iptables -P FORWARD ACCEPT

#####
iptables -t nat -A PREROUTING --dst <EXTERNAL IP> -p tcp --dport 5999 -j DNAT --to-destination 192.168.122.155:5999
iptables -t nat -A PREROUTING --dst <EXTERNAL IP> -p tcp --dport 1540 -j DNAT --to-destination 192.168.122.155:1540
iptables -t nat -A PREROUTING --dst <EXTERNAL IP> -p tcp --dport 1541 -j DNAT --to-destination 192.168.122.155:1541
iptables -t nat -A PREROUTING --dst <EXTERNAL IP> -p tcp --dport 1560 -j DNAT --to-destination 192.168.122.155:1560
iptables -t nat -A PREROUTING --dst <EXTERNAL IP> -p tcp --dport 8187 -j DNAT --to-destination 192.168.122.155:8187
iptables -t nat -A PREROUTING --dst <EXTERNAL IP> -p tcp --dport 3389 -j DNAT --to-destination 192.168.122.155:3389
iptables -t nat -A PREROUTING --dst <EXTERNAL IP> -p tcp --dport 10050 -j DNAT --to-destination 192.168.122.155:3389

This way the guest gets the external IP, but the port rules don't work.

tester3

1 Answer


You are appending the individual port rules after your first DNAT rule, and since all packets match your first DNAT rule, the later rules will never match.

You need to move the individual port rules before your

iptables -t nat -I PREROUTING -d <EXTERNAL IP> -i enp2s0 -j DNAT --to-destination 192.168.122.88

rule in the PREROUTING table.

Tero Kilkanen
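The ordering problem from the answer, as an added example (this script is not from the question or the answer): iptables evaluates a chain top to bottom and stops at the first matching target, so the per-port DNAT rules for the second guest must sit above the catch-all DNAT for the first guest. The script below builds the nat rules in that order using only -A, so the position of each rule is the order in which it is added. Addresses, interface and ports are taken from the question (each port is forwarded to the same port number on 192.168.122.155); EXT_IP is a placeholder to fill in, and IPT defaults to "echo iptables" so that running it as-is only prints the commands instead of changing the firewall.

```shell
#!/bin/sh
# Added example, not code from the question or answer.
# Emits the nat rules with the per-port DNATs first and the catch-all last.
# Defaults to a dry run: set IPT=iptables (as root) to apply for real.

IPT="${IPT:-echo iptables}"
EXT_IP="${EXT_IP:-<EXTERNAL IP>}"        # placeholder, supply the real address
WAN_IF="${WAN_IF:-enp2s0}"
GUEST_MAIN="192.168.122.88"              # guest that owns the external IP
GUEST_ALT="192.168.122.155"              # guest that receives the selected ports
ALT_PORTS="5999 1540 1541 1560 8187 3389 10050"

nat_rules() {
    # Specific rules first: the chain stops at the first match, so these
    # must precede the catch-all DNAT below.
    for p in $ALT_PORTS; do
        $IPT -t nat -A PREROUTING -d "$EXT_IP" -i "$WAN_IF" -p tcp --dport "$p" \
            -j DNAT --to-destination "$GUEST_ALT:$p"
    done
    # Catch-all: everything else addressed to the external IP goes to GUEST_MAIN.
    $IPT -t nat -A PREROUTING -d "$EXT_IP" -i "$WAN_IF" \
        -j DNAT --to-destination "$GUEST_MAIN"
    # Reverse path so GUEST_MAIN's outbound traffic carries the external IP.
    $IPT -t nat -A POSTROUTING -s "$GUEST_MAIN" -o "$WAN_IF" \
        -j SNAT --to-source "$EXT_IP"
}

# Checks the generated order: succeeds (exit 0) only when every --dport
# PREROUTING rule appears before the catch-all PREROUTING rule.
order_ok() {
    nat_rules | awk '
        /PREROUTING/ && /--dport/  { if (seen_catchall) bad = 1 }
        /PREROUTING/ && !/--dport/ { seen_catchall = 1 }
        END { if (bad) exit 1; exit 0 }'
}

nat_rules
```

After applying the rules for real, `iptables -t nat -L PREROUTING -n --line-numbers` shows the resulting order; the catch-all DNAT should carry the highest line number in the chain.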