[Qemu-discuss] iptables rules for nested guest tunnelling?
From: Jason Vas Dias
Subject: [Qemu-discuss] iptables rules for nested guest tunnelling?
Date: Sat, 20 Oct 2018 16:33:30 +0000
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
Hi -
I am trying to find the best set of rules to use 'tun'
networking with qemu-system-$CPU - i.e. I am using:
$ qemu-system-$CPU ... -net tun -net nic
And I have an /etc/qemu-ifup script installed (attached),
which I found online, of which I modified only the
'# Network Information:' section.
I use the following iptables setup, where $IP_EXT is the EXTERNAL
IP address configured on the 'eth0' interface by HOST
DHCP, and I have configured the GUEST nic IP manually
(statically) to be 192.168.64.2/24:
$ iptables -t nat -A PREROUTING -i eth0 -d $IP_EXT -j DNAT --to-destination 192.168.64.2
$ iptables -t nat -A POSTROUTING -o eth0 -s 192.168.64.2 -j SNAT --to-source $IP_EXT
$ iptables -I FORWARD -m state -d 192.168.64.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT
$ echo 1 > /proc/sys/net/ipv4/ip_forward
My problem here is that I then lose the ability to access ports on the HOST's
$IP_EXT from the external internet (all incoming packets are diverted
to the guest) and I am asking for advice as to precisely why; i.e. I know
what happens, the rules forward incoming SSH requests to the guest,
which might not be listening or running e.g. sshd, but I thought this should
not happen, because I thought:
iptables -I FORWARD -m state -d 192.168.64.0/24 \
--state NEW,RELATED,ESTABLISHED -j ACCEPT
would only make replies to sockets which originate on the guest
be translated into requests to the guest address; but what is
happening is that unsolicited incoming requests which bear no
relation to an existing guest socket get translated into requests
to the guest - this is not what I want - I just want the guest
to be able to make OUTGOING requests to e.g. named (port 63) and
HTTP (port 80), and have INCOMING REPLIES (only) to those requests
translated into guest address packets.
Please can anyone advise how to achieve this?
I'd like to be able to just use the tunnel interface,
which is created OK, and NAT rules like those above,
to transfer packets from the guest to the outside world so that
it gets replies,
but still have all incoming requests that are not responses
to guest packets not be redirected to the guest.
I can run guests on my Cloud hosts which have internet access,
but then I don't want to lose SSH access to them :-)
Any advice gratefully received,
Thanks & Best regards,
Jason Vas Dias
Here is the /etc/qemu-ifup file:
Attachment: qemu-ifup (Description: /etc/qemu-ifup)
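Added example, not from the original post, the attached qemu-ifup script, or the QEMU project: a small sh script that generates (and, as root with --apply, runs) a rule set doing what the post asks for. The guest gets outbound access through the host, only packets conntrack ties to a flow the guest opened are forwarded back in, and nothing in the nat PREROUTING chain touches the host's external address, so the host's own sshd stays reachable. The interface names eth0 and tap0 and the guest network 192.168.64.0/24 are assumptions; tap0 in particular is a guess at the name /etc/qemu-ifup assigns, since the script itself is not on the page.

```shell
#!/bin/sh
# Added example (not from the original post): NAT/forwarding rules that give a
# tap-attached qemu guest outbound access while only *replies* are forwarded
# back to it, so the host's own listening ports (sshd on $IP_EXT) stay reachable.
# Assumed names, not taken from the post: uplink eth0, guest-side interface tap0
# (whatever /etc/qemu-ifup really creates), guest network 192.168.64.0/24.

# guest_nat_rules EXT_IF TAP_IF GUEST_NET
# Prints the rule set to stdout, one iptables command per line.
guest_nat_rules() {
    ext_if=${1:-eth0}
    tap_if=${2:-tap0}
    guest_net=${3:-192.168.64.0/24}
    cat <<EOF
# Outbound only: rewrite the guest's source address to the current address
# of $ext_if. MASQUERADE looks the address up per packet, so a DHCP lease
# change cannot leave a stale --to-source. Deliberately no nat PREROUTING
# DNAT rule: a DNAT on the host's external address is what diverts every
# unsolicited inbound packet (sshd included) to the guest.
iptables -t nat -A POSTROUTING -s $guest_net -o $ext_if -j MASQUERADE
# Guest -> world: the guest may open new connections.
iptables -A FORWARD -i $tap_if -o $ext_if -s $guest_net -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# World -> guest: only packets conntrack ties to a flow the guest opened.
iptables -A FORWARD -i $ext_if -o $tap_if -d $guest_net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anything else trying to reach the guest through the host is dropped,
# whatever the FORWARD chain's default policy happens to be.
iptables -A FORWARD -i $ext_if -o $tap_if -j DROP
sysctl -w net.ipv4.ip_forward=1
EOF
}

# has_rule RULES PATTERN: succeeds if a non-comment line of RULES matches
# PATTERN. Usable on this script's output or on 'iptables-save' output to
# check that no DNAT rule exists and nothing accepts NEW flows into the guest net.
has_rule() {
    printf '%s\n' "$1" | grep -v '^#' | grep -q -- "$2"
}

# Without --apply only print the rules; with --apply (run as root) execute them.
case "${1:-}" in
    --apply) guest_nat_rules "${2:-}" "${3:-}" "${4:-}" | sh -e ;;
    *)       guest_nat_rules "${1:-}" "${2:-}" "${3:-}" ;;
esac
```

Run it with no arguments to review the generated commands, or `sh guest-nat.sh --apply eth0 tap0 192.168.64.0/24` as root to apply them. The INPUT chain is left alone, so whatever already protects the host's own services keeps doing so; the only thing that changes for the host is that packets sourced from the guest network are now forwarded and masqueraded.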