[Libvir] Port forwarding

Daniel P. Berrange berrange at redhat.com
Tue Dec 4 13:40:51 UTC 2007


On Tue, Dec 04, 2007 at 12:08:15PM +0000, Richard W.M. Jones wrote:
> What do people think about adding port forwarding to network configurations?

A good idea. Mark had forwarding on his original spec, but it was not 
implemented at the time.

> At the moment it's unnecessarily difficult to connect to (eg.) sshd port 
> or remote desktop port on a virtual machine running under the virtual 
> network configuration.  If those ports could be mapped to consecutive 
> ports on the public (eth0) interface then connecting would be simply a 
> matter of knowing the port number.
> 
> AFAICS this could be implemented by adding rules such as these to the 
> iptables:
> 
> iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 \
>   -j DNAT --to-destination 192.168.122.5
> iptables -A FORWARD -i $EXTIF -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -i $INTIF -p tcp -d $EXTIP --dport 80 \
>   -j DNAT --to-destination 192.168.122.5
> iptables -A FORWARD -i $INTIF -p tcp -d $EXTIP --dport 80 -j ACCEPT
> 
> (rules taken from 
> http://www.ma.utexas.edu/users/stirling/computergeek/server.html)
> 
> Rich.
> 
> PS. I'm assuming that this is _not_ what the current /network/forward 
> XML does?  It seems to enable forwarding for a single privileged guest 
> as far as I can work out.

Yes, that is correct.

If you have

   <forward/>

Then outbound NAT is enabled from the bridge to any physical device.

If you have

   <forward dev='eth0'/>

Then outbound NAT is enabled from the bridge, but only allowed to eth0.
If routing rules would send it elsewhere, it's blocked.

If you don't have any, then the network is totally isolated.

In all three of those scenarios inbound port-forwarding is a reasonable
idea.


The hard part is deciding on the inbound physical NIC to use. The 'default'
network has its rules explicitly set up to not care about physical NICs so
that it works even if NetworkManager switches you between eth0 & eth1.

I guess the user will just have to add port forward rules as they need...

Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 
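The rules Rich quotes, turned into a small generator for the "consecutive ports" mapping he describes. This is an added example, not code from the thread or from libvirt; the interface names, addresses and ports are constructed placeholders, and the two comments on the FORWARD rule note what usually trips people up when applying such rules by hand.

```shell
#!/bin/sh
# Added example, not code from the thread or from libvirt: emits the DNAT and
# FORWARD rules Rich described, mapping guest ports onto consecutive ports of
# the host's public interface. Commands are printed rather than run so the
# set can be reviewed first. Interfaces, addresses and ports are constructed.

# Validate a TCP port number (1-65535); non-zero status on failure.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the two rules for one mapping.
# Usage: forward_rule EXT_IF EXT_IP BRIDGE GUEST_IP HOST_PORT GUEST_PORT
forward_rule() {
    ext_if=$1 ext_ip=$2 bridge=$3 guest_ip=$4 host_port=$5 guest_port=$6
    valid_port "$host_port" && valid_port "$guest_port" || {
        echo "forward_rule: bad port ($host_port -> $guest_port)" >&2; return 1; }
    # Only translate traffic that arrived on the public NIC for the host's own
    # address; matching -i and -d keeps other interfaces' traffic untouched.
    echo "iptables -t nat -A PREROUTING -i $ext_if -d $ext_ip -p tcp" \
         "--dport $host_port -j DNAT --to-destination $guest_ip:$guest_port"
    # FORWARD sees the packet after DNAT, so match the guest address and guest
    # port; -I puts the ACCEPT ahead of any REJECT already guarding the bridge.
    echo "iptables -I FORWARD -i $ext_if -o $bridge -d $guest_ip -p tcp" \
         "--dport $guest_port -j ACCEPT"
}

# Map the same guest port (e.g. sshd on 22) on several guests onto consecutive
# host ports: the N-th guest listed gets host port BASE+N.
# Usage: map_consecutive EXT_IF EXT_IP BRIDGE BASE_PORT GUEST_PORT GUEST_IP...
map_consecutive() {
    ext_if=$1 ext_ip=$2 bridge=$3 base=$4 guest_port=$5
    shift 5
    n=0
    for ip in "$@"; do
        forward_rule "$ext_if" "$ext_ip" "$bridge" "$ip" "$((base + n))" "$guest_port" || return 1
        n=$((n + 1))
    done
}

# sshd on three guests of the 192.168.122.0/24 default network, reachable on
# eth0 as ports 2200-2202 (host address is a constructed documentation value).
map_consecutive eth0 203.0.113.10 virbr0 2200 22 192.168.122.5 192.168.122.6 192.168.122.7
```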