KVM port forward to guest (iptables) - only partial internet access? - iptables

I am quite new to KVM and read a lot of threads here, but neither one was helpful in my case.
I am having a guest on a KVM host and want to forward port 80 from the host to port 80 in the guest. I did this with iptables:
Guest_name=theguest
Guest_ipaddr=192.168.122.43
Host_port=( '80' )
Guest_port=( '80' )
length=$(( ${#Host_port[#]} - 1 ))
if [ "${1}" = "${Guest_name}" ]; then
if [ "${2}" = "stopped" -o "${2}" = "reconnect" ]; then
for i in `seq 0 $length`; do
iptables -t nat -D PREROUTING -p tcp --dport ${Host_port[$i]} -j DNAT --to ${Guest_ipaddr}:${Guest_port[$i]}
iptables -D FORWARD -d ${Guest_ipaddr}/32 -p tcp -m state --state NEW -m tcp --dport ${Guest_port[$i]} -j ACCEPT
done
fi
if [ "${2}" = "start" -o "${2}" = "reconnect" ]; then
for i in `seq 0 $length`; do
iptables -t nat -A PREROUTING -p tcp --dport ${Host_port[$i]} -j DNAT --to ${Guest_ipaddr}:${Guest_port[$i]}
iptables -I FORWARD -d ${Guest_ipaddr}/32 -p tcp -m state --state NEW -m tcp --dport ${Guest_port[$i]} -j ACCEPT
done
fi
fi
Overall this works, but not always. http request to the apache are working, so the rules seem to be correct. If I do a wget request to a http address, nothing happens. If I do a wget request to a ftp address (with --user=theusername --password=thepassword), it works.
The biggest problem: apt-get update is not working. All it does is:
0% [Verbindung mit de.archive.ubuntu.com (141.30.13.20)] [Verbindung mit security.ubuntu.com (91.189.91.13)]
Only Ctrl-C helps at this stage.
The network in the KVM xml file is configured like this:
<interface type='network'>
<source network="default"/>
<mac address='themacaddress'/>
<model type='virtio'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
Can anybody help? Thanks a lot in advance!

Related

SSH tunnel <--> iptables NAT port forwarding - HOWTO?

I need to set up access to the HTTP(S) servers on devices like KVMs and PDUs on a private network (192.168.0.0/24). I must get through an isolated network (10.0.0.0/8) limited to ports 22 and 443. I have a dual-NIC Linux server inside the network that serves as a gateway to the private network. See diagram Here:
Network Diagram
I need to use a forward SSH tunnel to get to the Linux gateway, then use iptables NAT to route HTTP(s) traffic to the web frontends on the devices.
I've observed with both tcpdump and iptables trace that the inbound HTTP(s) request through the SSH tunnel shows up on interface lo , not eth1 as one might expect.
This has led me to come up with the following nat and filter rules:
*nat
-A PREROUTING -i lo -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.100:80
-A PREROUTING -i lo -p tcp -m tcp --dport 8081 -j DNAT --to-destination 192.168.0.101:443
-A POSTROUTING -d 10.0.0.0/8 -o lo -j SNAT --to-source <10.gateway_IP>
COMMIT
*filter
:INPUT ACCEPT [37234:5557621]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [26648:27864039]
-A FORWARD -d 192.168.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.0.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
So, when I set up the tunnel with:
ssh -L 8080:<gateway>:8080 <user>:#<gateway>
Then making sure on the gateway:
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
and then execute http://localhost:8080,
The packets make it out of the tunnel onto the gateway, out of interface lo, but iptables doesn't seem to forward it to the destination in the PREROUTING rule. stderr from the tunnel returns "Connection refused."
What am I missing?

Port forwarding on NAT using KVM/QEMU

I'm using NAT mode for guest networking. I need my machines to be accessible from outside the guest. I've set up iptables to port forward a specific port on host to port 22 on guest, but this does not seem to work.
I added this rules:
# Port Forwardings
-A PREROUTING -i eth0 -p tcp --dport 9867 -j DNAT --to-destination 192.168.122.136:22
# Forward traffic through eth0 - Change to match you out-interface
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
When I ssh 192.168.122.136 from host it works perfectly, however when I try ssh 192.168.122.136 -p 9867 it shows ssh: connect to host 192.168.122.1 port 9867: Connection refused
I've enabled port forwarding on /etc/ufw/sysctl.conf
using iptables -t nat -L shows that the rule is set up on iptable
DNAT tcp -- anywhere anywhere tcp dpt:9867 to:192.168.122.136:22
Found my answer here. basicly I changed the above to
# connections from outside
iptables -t nat -A PREROUTING -p tcp --dport 9867 -j DNAT --to 192.168.122.136:22
# for local connection
iptables -t nat -A OUTPUT -p tcp --dport 9867 -j DNAT --to 192.168.122.136:22
# Masquerade local subnet
iptables -t nat -A POSTROUTING -s 192.168.122.0/24 -j MASQUERADE
iptables -A FORWARD -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i virbr0 -o eth0 -j ACCEPT
iptables -A FORWARD -i virbr0 -o lo -j ACCEPT

libvirt iptables rules disrupt port forwarding to my KVM VM's

When I clear IPtables and then add the following rules, incoming connections can connect to my KVM VM on port 1234 without any problems.
-A PREROUTING -i br0 -p tcp -m tcp --dport 1234 -j DNAT --to-destination 192.168.122.194:1234
-A FORWARD -d 192.168.122.194/32 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 1234 -j ACCEPT
-A FORWARD -s 192.168.122.194/32 -p tcp -m tcp --sport 1234 -j ACCEPT
-A FORWARD -d 192.168.122.194/32 -p tcp -m tcp --dport 1234 -j ACCEPT
But I also want NAT to work inside my KVM VM's. By default libvirt sets up some rules that provide my VM's with NAT. However when I try sending SIGHUP to libvirt (that's how you ask it to add it's rules to iptables), it adds the following rules to iptables that breaks my port forwarding that I have specified above.
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
I've tried running these commands manually. I can run all of the FORWARD and OUTPUT commands and they do not break my port forwarding. However I can't run any of the POSTROUTING commands manually. I get an error saying: "No chain/target/match by that name."
*These libvirt iptables rules in the last grey section above were obtained by running iptables-save and confirming port forwarding was working, then sending SIGHUP to libvirt, confirming port forwarding was broken, then running iptables-save again and running a diff on the two outputs to find which new iptables rules were added by libvirt.
I just enabled NAT with my own rules. I didn't bother with any of the default libvirt rules.
Adding NAT is as simple as 3 iptables commands.
(where br0 is your internet facing adapter (it could be ppp0 or whatever))
iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
iptables -A FORWARD -i br0 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i virbr0 -o br0 -j ACCEPT

How to access Seafile server in a virtual machine through IPtables?

I have installed Seafile-server 3.0.4 64bit on a Ubuntu-server 14.04 with default ports settings (i.e. 8000, 8082, 10001, 12001) but fail to access the instance with the client.
Infrastructure
The Ubuntu-server is running as a KVM machine on a Gentoo host.
Iptables rules
After some time I add the following Iptables rules to the host machine (gentoo), that seems to match the Seafile's requirements:
#Iptables-Rules for Seafile
iptables -A INPUT -p tcp -m multiport --dports 8000,8082,10001,12001 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A output -p tcp -m multiport --sports 8000,8082,10001,12001 -m state --state ESTABLISHED -j ACCEPT
However I'm still unable to connect even with telnet to the seafile-server either from Internet or the host machine.
Update: issue might be related to fail2ban
As I'm using NAT to link my virtual machine to my host, I had to edit the rules as follow to get it to work:
#Iptables-Rules for Seafile
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 10001 -j DNAT --to 192.168.8.8:10001
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 12001 -j DNAT --to 192.168.8.8:12001
References
Linux Firewall Tutorial: IPTables Tables, Chains, Rules Fundamentals

Iptables: forward request on different interfaces and port

I have a machine with 2 interfaces:
eth0 inet addr:1.1.1.1
eth1 inet addr:2.2.2.2
eth0 is a server, eth1 is the network on virtual machine.
I have ssh on server, so 1.1.1.1:22 is busy.
I need a rule for redirecting incoming connections on eth0 port 6000 to eth1, ip 2.2.2.100 on port 22 (virtual machine ip).
In this mode if I did, on an external machine,
ssh -p 6000 root#1.1.1.1
I would login on the virtual machine.
I tried this rule but it didn't work:
sudo iptables -P FORWARD ACCEPT
sudo iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 6000 -j DNAT --to 2.2.2.100:22
Well there are like 1 million scripts/tutorials/things for this case, but if someone lands from google to here is something like this:
iptables -I FORWARD -d 2.2.2.2 -m comment --comment "Accept to forward ssh traffic" -m tcp -p tcp --dport 22 -j ACCEPT
iptables -I FORWARD -m comment --comment "Accept to forward ssh return traffic" -s 2.2.2.2 -m tcp -p tcp --sport 22 -j ACCEPT
iptables -t nat -I PREROUTING -m tcp -p tcp --dport 60000 -m comment --comment "redirect pkts to virtual machine" -j DNAT --to-destination 2.2.2.2:22
iptables -t nat -I POSTROUTING -m comment --comment "NAT the src ip" -d 2.2.2.2 -o eth1 -j MASQUERADE