2

I'm trying to forward traffic from port 22 on a host machine to port 22 on a virtual machine.

My host is running ubuntu.

I have tried to execute this command on my host: iptables -t nat -A PREROUTING -d 192.168.1.161 -p tcp --dport 22 -j DNAT --to 192.168.122.2:22, which had no return. No errors, or other information shown.

When running tcpdump -i eno1 port 22 and try to connect to port 22, i do see packages comming into the host. Running the equivilent on the VM shows no incomming package.s

192.168.1.161 is the local ip of eno1. 192.168.122.2 is the ip of the virtual machine.

I have checked that I can connect from the host to the VM.

cat /proc/sys/net/ipv4/ip_forward returns 1

If i try to ssh into the VM from the host (ssh user@192.168.122.2) it works fine. If i try from my workstation (same network as host) ssh user@192.168.1.161 it times out. As mentioned from tcpdump i can see the packages arriving at the host, but dont seem to be forwarded to the VM. I have the SSH to the host itself running on a non-default port.

The host is running Ubuntu 17.10. The guest is running Debian GNU/Linux 9

The VM is run by KVM and i manage it using virt-manager.

ifconfig of the host:

eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.161  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 2a00:7660:142d:0:8a51:fbff:fe4a:9ed1  prefixlen 64  scopeid 0x0<global>
        inet6 2a00:7660:142d::140  prefixlen 128  scopeid 0x0<global>
        inet6 fe80::8a51:fbff:fe4a:9ed1  prefixlen 64  scopeid 0x20<link>
        ether 88:51:fb:4a:9e:d1  txqueuelen 1000  (Ethernet)
        RX packets 62604  bytes 10855077 (10.8 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 69941  bytes 36442632 (36.4 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xf7f00000-f7f20000

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 10625  bytes 27445185 (27.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10625  bytes 27445185 (27.4 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:04:bb:9b  txqueuelen 1000  (Ethernet)
        RX packets 1155  bytes 142293 (142.2 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1667  bytes 650997 (650.9 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::fc54:ff:fe12:71ae  prefixlen 64  scopeid 0x20<link>
        ether fe:54:00:12:71:ae  txqueuelen 1000  (Ethernet)
        RX packets 1155  bytes 158463 (158.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4349  bytes 794450 (794.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Jonas Laursen
  • 61
  • 1
  • 6
  • "I have tried to execute" did you get an error? What symptoms do you have? What does not work, what tests did you do? – Patrick Mevzek May 22 '18 at 13:06
  • I have added some more information. Not entirely sure what you mean by symtoms? – Jonas Laursen May 22 '18 at 13:15
  • Found a duplicate: https://serverfault.com/questions/770847/iptables-kvm-forward-port I dont have rep to mark my question. It seems the objectives and issues are the same. its stil awaiting solution – Jonas Laursen May 22 '18 at 14:12

3 Answers3

2

I found this to be working: https://ubuntuforums.org/showthread.php?t=2261173&p=13210545#post13210545

TL;DR

iptables -t nat -I PREROUTING -p tcp -d x.x.104.49 --dport 22 -j DNAT --to-destination 192.168.122.20:22
iptables -I FORWARD -m state -d 192.168.122.20/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT
Jonas Laursen
  • 61
  • 1
  • 6
1

I found that these answers worked except that it wouldn't work from the host itself to the vm. So I propose an addition of an OUTPUT rule to the answer to route from the host machine to the vm as well.

iptables -t nat -I OUTPUT -p tcp -d 192.168.1.161 --dport 22 -j DNAT --to-destination 192.168.122.2:22
iptables -t nat -I PREROUTING -i eno1 -p tcp --dport 22 -j DNAT --to 192.168.122.2:22
iptables -I FORWARD -m state -d 192.168.122.2/24 -state NEW,ESTABLISHED,RELATED -j ACCEPT

The key was found here: iptables port redirect not working for localhost indicating that PREROUTING is not used by the loopback interface.

poleguy
  • 191
  • 1
  • 5
0

What is the default policy of your iptables (can be checked with iptables -L) ? If it is set to DROP, you need to enabled the forwarding to the VM too :

iptables -A FORWARD -p tcp -d 192.168.1.161 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Edit : I'm assuming masquerading is enabled, since you're using virt-manager, which uses libvirt, and it is the default behavior with NAT mode. You have to change your iptables rules to :

iptables -t nat -A PREROUTING -i eno1 -p tcp --dport 22 -j DNAT --to 192.168.122.2:22
iptables -A FORWARD -p tcp -i eno1 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

If masquerading is not enabled, your VM must have a route to your home network in order to respond.

CaptAintHere
  • 21
  • 4