I am on Centos 7, removed the new firewall and installed a classic iptables service. I have a guest machine in it with Debian 8.1 and static external ip.
echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD ACCEPT
iptables -t nat -I PREROUTING -d *external_ip* -i enp2s0 -j DNAT --to-destination 192.168.122.72
iptables -t nat -I POSTROUTING -s 192.168.122.72 -o enp2s0 -j SNAT --to-source *external_ip*
iptables -P FORWARD ACCEPT
And my guest system begins to work and becomes available on the Internet.
Then I do service iptables save, restart the host machine, and my guest machine becomes unavailable on the network. But when I check the iptables rules (iptables -t nat -L --line-numbers) I see that all my rules are there. When I flush all iptables rules and enter them again, it begins to work again until the next reboot.
My friend suggested a solution: write an sh script with these rules and add it to rc.local, but maybe there is a better solution?
If you’re writing your own NAT rules for your virtual machines, rather than allowing libvirt to manage them, then the virtual network to which the VMs are connected should be set up as a routed network, not a NAT network.
You can fix this with virsh net-edit <network> and change:
(And this is perfectly doable with firewalld; I have one such machine in production already.)
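The two halves of this advice, as an added example that is not code from the original question or answer: a libvirt network definition in routed mode (so libvirt stops adding its own NAT rules for the guest) and the 1:1 DNAT/SNAT rules from the question rewritten so they can be re-applied safely from a boot script. It assumes the interface enp2s0 and guest address 192.168.122.72 from the question; the external address 203.0.113.10, the network name "routed" and the bridge name virbr1 are placeholders, and the FORWARD rules accept only the guest's traffic instead of setting the chain policy to ACCEPT.

```shell
#!/bin/sh
# Added example; not part of the original post. Values below are assumptions:
# EXT_IP is a documentation-range placeholder, EXT_IF/GUEST_IP come from the question.
EXT_IF="${EXT_IF:-enp2s0}"
EXT_IP="${EXT_IP:-203.0.113.10}"
GUEST_IP="${GUEST_IP:-192.168.122.72}"
NET_NAME="${NET_NAME:-routed}"
IPT="${IPT:-iptables}"        # set IPT='echo iptables' for a dry run

# Print a libvirt network definition in routed mode. With mode='route'
# libvirt does not install a MASQUERADE rule for the network, so the host's
# own DNAT/SNAT rules are the only NAT applied to the guest.
# Load it with: virsh net-define routed.xml && virsh net-start routed
routed_network_xml() {
    cat <<EOF
<network>
  <name>${NET_NAME}</name>
  <forward mode='route' dev='${EXT_IF}'/>
  <bridge name='virbr1' stp='on' delay='0'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'/>
</network>
EOF
}

# Print the rule specs as "<table> <rule>" lines: 1:1 NAT for the guest plus
# explicit FORWARD accepts for the guest only (no blanket ACCEPT policy).
nat_rule_specs() {
    printf '%s\n' \
      "nat PREROUTING -d ${EXT_IP} -i ${EXT_IF} -j DNAT --to-destination ${GUEST_IP}" \
      "nat POSTROUTING -s ${GUEST_IP} -o ${EXT_IF} -j SNAT --to-source ${EXT_IP}" \
      "filter FORWARD -d ${GUEST_IP} -i ${EXT_IF} -j ACCEPT" \
      "filter FORWARD -s ${GUEST_IP} -o ${EXT_IF} -j ACCEPT"
}

# Insert each rule at the top of its chain unless an identical rule already
# exists (iptables -C), so running this from rc.local or a unit file on every
# boot never duplicates rules.
apply_rules() {
    sysctl -q -w net.ipv4.ip_forward=1 2>/dev/null || true
    nat_rule_specs | while read -r table spec; do
        # $spec is intentionally unquoted: it is a list of arguments.
        $IPT -t "$table" -C $spec 2>/dev/null || $IPT -t "$table" -I $spec
    done
}

case "${1:-}" in
    xml)   routed_network_xml ;;
    apply) apply_rules ;;
esac
```

Run `sh nat-guest.sh xml > routed.xml` to produce the network definition and `sh nat-guest.sh apply` (as root) to install the rules; with `IPT='echo iptables'` the apply step only prints what it would run, which is a useful check before saving the rule set.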
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.