ubuntu iptables libvirt port forwarding

fpena06 asked:

I have been beating my head against the wall for the past few days trying to figure out how to allow incoming connections to a VM on ports 443 and 8443.

Here is some information on the system.

ifconfig before the VM is started

ens3      Link encap:Ethernet  HWaddr fa:16:3e:7a:fd:c3
          inet addr:x.x.x.45  Bcast:x.x.x.45  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1809 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1673 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:145652 (145.6 KB)  TX bytes:130509 (130.5 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:808 errors:0 dropped:0 overruns:0 frame:0
          TX packets:808 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:74740 (74.7 KB)  TX bytes:74740 (74.7 KB)

virbr0    Link encap:Ethernet  HWaddr 52:54:00:c4:48:90
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:53 errors:0 dropped:0 overruns:0 frame:0
          TX packets:40 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4071 (4.0 KB)  TX bytes:6578 (6.5 KB)

virbr1    Link encap:Ethernet  HWaddr 52:54:00:9f:72:7f
          inet addr:192.168.42.1  Bcast:192.168.42.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:1077 errors:0 dropped:0 overruns:0 frame:0
          TX packets:917 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:695843 (695.8 KB)  TX bytes:169696 (169.6 KB)

ifconfig after the VM is started

ens3      Link encap:Ethernet  HWaddr fa:16:3e:7a:fd:c3
          inet addr:x.x.x.45  Bcast:x.x.x.45  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2026 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1902 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:162734 (162.7 KB)  TX bytes:153951 (153.9 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1296 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1296 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:121712 (121.7 KB)  TX bytes:121712 (121.7 KB)

virbr0    Link encap:Ethernet  HWaddr 52:54:00:c4:48:90
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:96 errors:0 dropped:0 overruns:0 frame:0
          TX packets:73 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:7526 (7.5 KB)  TX bytes:12615 (12.6 KB)

virbr1    Link encap:Ethernet  HWaddr 52:54:00:9f:72:7f
          inet addr:192.168.42.1  Bcast:192.168.42.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2118 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1792 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1386531 (1.3 MB)  TX bytes:333696 (333.6 KB)

vnet0     Link encap:Ethernet  HWaddr fe:54:00:ee:5c:d0
          inet6 addr: fe80::fc54:ff:feee:5cd0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:43 errors:0 dropped:0 overruns:0 frame:0
          TX packets:83 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4057 (4.0 KB)  TX bytes:8869 (8.8 KB)

vnet1     Link encap:Ethernet  HWaddr fe:54:00:0b:15:eb
          inet6 addr: fe80::fc54:ff:fe0b:15eb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1041 errors:0 dropped:0 overruns:0 frame:0
          TX packets:936 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:705262 (705.2 KB)  TX bytes:167544 (167.5 KB)

iptables -S

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

VM ifconfig

docker0   Link encap:Ethernet  HWaddr 02:42:0F:C1:9D:47
          inet addr:172.17.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:fff:fec1:9d47/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:230 errors:0 dropped:0 overruns:0 frame:0
          TX packets:216 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:19661 (19.2 KiB)  TX bytes:28440 (27.7 KiB)

eth0      Link encap:Ethernet  HWaddr 52:54:00:EE:5C:D0
          inet addr:192.168.122.135  Bcast:192.168.122.255  Mask:255.255.255.0
          inet6 addr: fe80::5054:ff:feee:5cd0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:63 errors:0 dropped:0 overruns:0 frame:0
          TX packets:73 errors:0 dropped:0 overruns:0 carrier:0
          collisions:312 txqueuelen:1000
          RX bytes:7723 (7.5 KiB)  TX bytes:6469 (6.3 KiB)

eth1      Link encap:Ethernet  HWaddr 52:54:00:0B:15:EB
          inet addr:192.168.42.201  Bcast:192.168.42.255  Mask:255.255.255.0
          inet6 addr: fe80::5054:ff:fe0b:15eb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:914 errors:0 dropped:0 overruns:0 frame:0
          TX packets:759 errors:0 dropped:0 overruns:0 carrier:0
          collisions:3960 txqueuelen:1000
          RX bytes:157257 (153.5 KiB)  TX bytes:690751 (674.5 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:22041 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22041 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:40447910 (38.5 MiB)  TX bytes:40447910 (38.5 MiB)

veth159e182 Link encap:Ethernet  HWaddr 52:8A:03:66:BA:E3
          inet6 addr: fe80::508a:3ff:fe66:bae3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:203 errors:0 dropped:0 overruns:0 frame:0
          TX packets:205 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:20046 (19.5 KiB)  TX bytes:18696 (18.2 KiB)

I have tried the following:

iptables -t nat -I PREROUTING -p tcp --dport 443 -j DNAT --to 192.168.122.135:443
iptables -t nat -I PREROUTING -p tcp --dport 8443 -j DNAT --to 192.168.122.135:8443
iptables -I FORWARD -o virbr0 -d 192.168.122.135 -j ACCEPT

I also tried this:

iptables -t nat -I PREROUTING -p tcp --dport 443 -j DNAT --to 192.168.42.201:443
iptables -t nat -I PREROUTING -p tcp --dport 8443 -j DNAT --to 192.168.42.201:8443
iptables -I FORWARD -o virbr0 -d 192.168.42.201 -j ACCEPT

When I try to connect to the server with Chrome, the IP address gets changed to the local IP address. Please see the images.

[image 1]

[image 2]

Can someone please help me figure out what I’m doing wrong? Your help is greatly appreciated.
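As an added example (not code from the question or the answer), here is a small POSIX shell script that checks an `iptables -S FORWARD` listing for the two things that silently break a libvirt port forward, an ACCEPT placed behind libvirt's catch-all REJECT or attached to the wrong bridge, and prints idempotent DNAT/FORWARD rules limited to the external interface. The interface names and guest addresses are taken from the question above; the sample rule listings are constructed from its `iptables -S` output.

```shell
#!/bin/sh
# Added example; ens3, virbr0/virbr1 and the guest addresses come from the question.

# forward_rule_ok RULES VM_IP BRIDGE
# RULES is "iptables -S FORWARD" output. Succeeds only if an ACCEPT for traffic
# to VM_IP leaving BRIDGE appears before libvirt's "-o BRIDGE -j REJECT";
# an ACCEPT appended behind that REJECT is never reached.
forward_rule_ok() {
    printf '%s\n' "$1" | awk -v vm="$2" -v br="$3" '
        /^-A FORWARD / && $0 ~ ("-o " br " ") {
            if ($0 ~ ("-d " vm "(/32)? ") && /-j ACCEPT/) { found = 1; exit }
            if (/-j REJECT/) exit
        }
        END { exit (found ? 0 : 1) }'
}

# pf_rules EXT_IF BRIDGE VM_IP PORT...
# Prints idempotent commands that forward each TCP port to the guest. The DNAT
# is limited to EXT_IF so traffic between guests on the bridges is never
# rewritten, and "-C ... || -I" avoids duplicate rules when the script is rerun.
pf_rules() {
    ext=$1; br=$2; vm=$3; shift 3
    for port in "$@"; do
        rule="PREROUTING -i $ext -p tcp --dport $port -j DNAT --to-destination $vm:$port"
        echo "iptables -t nat -C $rule 2>/dev/null || iptables -t nat -I $rule"
        rule="FORWARD -i $ext -o $br -d $vm -p tcp --dport $port -j ACCEPT"
        echo "iptables -C $rule 2>/dev/null || iptables -I $rule"
    done
}

# Constructed sample: the FORWARD chain from the question's "iptables -S".
LIBVIRT_RULES='-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable'
# The chain after the asker's first attempt, as iptables -S prints the inserted rule.
WITH_ACCEPT="-A FORWARD -d 192.168.122.135/32 -o virbr0 -j ACCEPT
$LIBVIRT_RULES"
# The asker's second attempt: 192.168.42.201 sits on virbr1, but the rule names virbr0.
WRONG_BRIDGE="-A FORWARD -d 192.168.42.201/32 -o virbr0 -j ACCEPT
$LIBVIRT_RULES"

if forward_rule_ok "$WITH_ACCEPT" 192.168.122.135 virbr0; then
    echo "FORWARD path to the guest is open; rules to (re)apply:"
    pf_rules ens3 virbr0 192.168.122.135 443 8443
fi
```

Connections that originate on the host itself never traverse PREROUTING, so these rules do not forward them. As the answer below points out, a correct forward also does nothing about an application that redirects clients to its internal hostname.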

My answer:

Your web application is doing this, not the firewall.

Because you’re running OpenShift Origin behind NAT, you need to set openshift_master_cluster_public_hostname to the address from which it can be reached on the outside. See the documentation for other variables you may need to set.

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.