Hello all, I was told on IRC that I should come here to discuss a recommended change on the networking page in the wiki.
If you take a look at the "Basic Script" shown here: http://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections

It does two things:
1) Create a DNAT rule in the NAT table of IPTABLES
2) Create a FORWARD rule in the FILTER table of IPTABLES

The FORWARD rule is set up as it ought to be, however, the DNAT rule has some unintended consequences. I set up a DNAT on port 80, and suddenly, I couldn't access out on port 80 anymore from my guest machine. However, if I changed the destination address from "anywhere" to the IP of the host machine, the problem resolved. So I changed the script as follows. (Changes are marked with comments. For some reason the original script didn't work using /bin/sh, but it did with /bin/bash, so I changed that too.)

    #!/bin/bash
    # changed: bash rather than sh, since the arrays below are a bash feature that /bin/sh lacks
    # used some from advanced script to have multiple ports: use an equal number of guest and host ports
    Guest_name=xxxxxxx
    Guest_ipaddr=xxx.xxx.xxx.xx
    Host_ipaddr=xxx.xxx.xxx.xx   # changed: added, the address the DNAT rule is restricted to
    Host_port=( '80' '443' )
    Guest_port=( '80' '443' )
    length=$(( ${#Host_port[@]} - 1 ))

    # $1 is the guest name and $2 the operation passed by the libvirt hook
    if [ "${1}" = "${Guest_name}" ]; then
      if [ "${2}" = "stopped" -o "${2}" = "reconnect" ]; then
        for i in `seq 0 $length`; do
          # changed: "-d ${Host_ipaddr}" added so only traffic addressed to the host is matched
          iptables -t nat -D PREROUTING -d ${Host_ipaddr} -p tcp --dport ${Host_port[$i]} -j DNAT --to ${Guest_ipaddr}:${Guest_port[$i]}
          iptables -D FORWARD -d ${Guest_ipaddr}/32 -p tcp -m state --state NEW -m tcp --dport ${Guest_port[$i]} -j ACCEPT
        done
      fi
      if [ "${2}" = "start" -o "${2}" = "reconnect" ]; then
        for i in `seq 0 $length`; do
          # changed: "-d ${Host_ipaddr}" added
          iptables -t nat -A PREROUTING -d ${Host_ipaddr} -p tcp --dport ${Host_port[$i]} -j DNAT --to ${Guest_ipaddr}:${Guest_port[$i]}
          iptables -I FORWARD 4 -d ${Guest_ipaddr}/32 -p tcp -m state --state NEW -m tcp --dport ${Guest_port[$i]} -j ACCEPT
        done
      fi
    fi

Lastly, I should note that I am using Ubuntu 14.04, both for the host and guest.

I'm also curious as to why this is considered a hack method. It states in the wiki that "This method is a hack", but it doesn't express why.
Many VM servers have similar features. I know VirtualBox does; I use the same feature there. It may not be how I would set up a production server, but that doesn't make it a hack.

Thanks,
BJ
_______________________________________________
libvirt-users mailing list
libvirt-users@redhat.com
https://www.redhat.com/mailman/listinfo/libvirt-users
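The behaviour BJ describes follows from where the wiki's rule sits: PREROUTING in the nat table also sees packets arriving from the guest's bridge, so a DNAT rule with no destination match rewrites the guest's own outbound port-80 connections back to the guest. The audit below, an added example that is not part of the post or of libvirt, scans `iptables-save` style output (a constructed sample is embedded) for PREROUTING DNAT rules that match on neither a destination address (`-d`) nor an inbound interface (`-i`); the helper and function names are the example's own.

```python
import shlex

# Constructed sample in `iptables-save -t nat` format (not taken from the post).
# Rule 1 is the wiki's unscoped DNAT; rules 2 and 3 are scoped by -d and -i.
SAMPLE_NAT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.122.10:80
-A PREROUTING -d 203.0.113.5/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.122.10:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.122.10:8080
COMMIT
"""


def rule_options(line):
    """Map each flag of an `-A CHAIN ...` line to its argument (True if it has none).
    A negated match such as `! -d 10.0.0.1` is stored under the key '!-d', so it
    does not count as a positive destination match."""
    toks = shlex.split(line)
    opts, i, negate = {}, 0, False
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            negate, i = True, i + 1
            continue
        if tok.startswith("-"):
            key = ("!" if negate else "") + tok
            negate = False
            has_arg = i + 1 < len(toks) and not toks[i + 1].startswith("-") and toks[i + 1] != "!"
            opts[key] = toks[i + 1] if has_arg else True
            i += 2 if has_arg else 1
        else:
            i += 1
    return opts


def unscoped_dnat_rules(save_output):
    """Return PREROUTING DNAT rules that are restricted by neither -d nor -i.
    Such a rule also matches the guest's own outbound traffic on that port and
    redirects it to the guest, which is the symptom described in the post."""
    flagged = []
    for line in save_output.splitlines():
        opts = rule_options(line) if line.startswith("-A ") else {}
        if opts.get("-A") != "PREROUTING" or opts.get("-j") != "DNAT":
            continue
        if "-d" not in opts and "-i" not in opts:
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for rule in unscoped_dnat_rules(SAMPLE_NAT_RULES):
        print("unscoped DNAT:", rule)
```

On a real host, feed it `iptables-save -t nat` output instead of the sample; any rule it prints will redirect guest-originated traffic on that port as well as traffic addressed to the host.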