Port forward Host to Guest VM
From: Unkmar ------------------------------------------------------ Tap, tap, tap. Is this thing on? ELI5 = Explain Like I'm 5 Well, maybe a little older. I want the minimalist version. Last time I tried to do this, I ended up with firewalld installed causing additional headaches. I succeeded, but I am confident that firewalld is an overkill headache producer. I am suspecting something as simple as a handful of IPTABLES commands. But, I don't really know for sure. I figure somebody, probably several somebodies, has done this many times already and consider this hand wave easy. So, I'm asking for the hand waver to toss out the simple solution. Many thanks in advance. -- Lucius L. Hilley III=============================================================== From: Unkmar ------------------------------------------------------ I left out a key pieces of information. The Host can ping and ssh into the Guest VM. I just trying to get the outside world to see it. I have port forward from router to the Host. That works fine. I am wanting to port forward, route, or whatever through the Host to the Guest VM. -- Lucius L. Hilley III
=============================================================== From: Stephen Kraus ------------------------------------------------------ This depends on a couple things: What is your virtualization setup? KVM? QEMU? Does the Virtualization have Networking setup? I.e.: Does the Guest Host have a Private IP or is it getting an IP from the network (I'm assuming the former) Here's a good example with KVM on a Host and IPTables: https://www.cyberciti.biz/faq/kvm-forward-ports-to-guests-vm-with-ufw-on-linux/
=============================================================== From: Unkmar ------------------------------------------------------ Okay, Thank you. With a great deal of headache and trepidation, I managed to reduce it to three commands. 1. A sort of generic command for the Host. iptables -I FORWARD 1 -m conntrack --ctstate DNAT -j ACCEPT 2. A add or setup command, one per port that I desire to forward. $guest = the VM's internal ip address. 192.168.x.x iptables -t nat -I PREROUTING 1 -i eth0 -p tcp --dport $port -j DNAT --to-destination $guest:$port -m comment --comment "VM $port:$guest:$port" My understanding is that this command technically isn't properly restrictive enough. Something about I should use -d and my public_ip which I can't 100% trust to be the same all the time. This isn't a commercial gig going on over here. 3. A delete or tear down command, one per port that was forwarded. I am not entirely certain what the tear down command is. I've read that it should be something like. iptables -t nat -D PREROUTING 1 -i eth0 -p tcp --dport $port -j DNAT --to-destination $guest:$port -m comment --comment "VM $port:$guest:$port" Which is identical to the setup command except the -I option is changed to -D (that is an upper case i, not a lower case L, dang fonts) While I had hoped to do these things via remote. I was too big of a coward and stopped in at the machines physical location. It is only about 5 miles away. So, it isn't a big deal. I got my solution from here. https://unix.stackexchange.com/questions/696034/qemu-kvm-iptables-port-forwarding The stuff from the person asking the question didn't work. Why would it? They were asking. But the person that answers has lots of useful information to parse. Their section starts at, "Multiple different problems" PS: I didn't exactly get my solution from the link you provided me. But you trusted the info, and that gave me a confident start when searching for simpler alternatives. -- Lucius L. Hilley III