Re: [Qemu-discuss] iptables rules for nested guest tunnelling?
From: Jason Vas Dias
Subject: Re: [Qemu-discuss] iptables rules for nested guest tunnelling?
Date: Sat, 20 Oct 2018 17:06:30 +0000
Aha!
I see now the script is creating the correct rules, and I don't
need to add any extra ones - they were the problem - sorry!
Answer: just use the rules in the script.
Thanks, all the best,
Jason
On 20/10/2018, Jason Vas Dias <address@hidden> wrote:
>
> Hi -
>
> I am trying to find the best set of rules to use 'tun'
> networking with qemu-system-$CPU - ie. I am using :
>
> $ qemu-system-$CPU ... -net tun -net nic
>
> And I have an /etc/qemu-ifup script installed (attached), which I found
> online and of which I modified only the '# Network Information:' section.
>
> I use the iptables set up, where $IP_EXT is the EXTERNAL
> IP address configured on the 'eth0' interface by HOST
> DHCP, and I have configured the GUEST nic IP manually
> (statically) to be 192.168.64.2/24 :
>
> $ iptables -t nat -A PREROUTING -i eth0 -d $IP_EXT -j DNAT \
>     --to-destination 192.168.64.2
> $ iptables -t nat -A POSTROUTING -o eth0 -s 192.168.64.2 -j SNAT \
>     --to-source $IP_EXT
> $ iptables -I FORWARD -m state -d 192.168.64.0/24 \
>     --state NEW,RELATED,ESTABLISHED -j ACCEPT
>
> $ echo 1 > /proc/sys/net/ipv4/ip_forward
>
> My problem here is that I then lose the ability to access ports on the HOST's
> $IP_EXT from the external internet (all incoming packets are diverted to the
> guest), and I am asking for advice as to precisely why; i.e. I know what
> happens: the rules forward incoming SSH requests to the guest, which might not
> be listening or running e.g. sshd, but I thought this should not happen,
> because I thought:
> iptables -I FORWARD -m state -d 192.168.64.0/24 \
> --state NEW,RELATED,ESTABLISHED -j ACCEPT
> would only make replies to sockets which originate on the guest
> be translated into requests to the guest address; but what is
> happening is that unsolicited incoming requests which bear no
> relation to an existing guest socket get translated into requests
> to the guest - this is not what I want - I just want the guest
> to be able to make OUTGOING requests to eg. named (port 63) and
> HTTP (port 80), and have INCOMING REPLIES (only) to those requests
> translated into guest address packets.
>
> Please can anyone advise how to achieve this ?
>
> I'd like to be able to just use the tunnel interface,
> which is created OK, and NAT rules, like those above,
> to transfer packets from guest to outside world so that
> it gets replies,
> but still have all incoming requests that are not responses
> to guest packets not be redirected to guest.
>
> I can run guests on my Cloud hosts which have internet access,
> but then I don't want to lose SSH access to them :-)
>
> Any advice gratefully received,
>
> Thanks & Best regards,
>
> Jason Vas Dias
>
> Here is the /etc/qemu-ifup file:
>
>
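As an added example, not from the thread and not the /etc/qemu-ifup script attached to the original mail (which is not reproduced on this page): the quoted ruleset rewrites every packet arriving for $IP_EXT, not just replies, because a DNAT rule in the nat PREROUTING chain is consulted for every new connection, and the FORWARD rule then accepts the NEW state for the guest subnet as well. Return traffic for guest-originated connections is already un-translated by conntrack on the strength of the POSTROUTING SNAT rule, so an outbound-only guest needs no PREROUTING rule at all. The script below prints that ruleset (or, with --apply, pipes it into sh as root) and goes one step beyond the question by showing how to expose a single guest port without capturing the rest of the host's ports. The interface names eth0/tap0, the guest subnet and the external address 203.0.113.5 (an RFC 5737 documentation address) are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the /etc/qemu-ifup script attached to the original mail.
# Prints the iptables rules for a QEMU tap guest that is allowed OUTBOUND
# connections only; with --apply the rules are piped into sh (run as root).
# Interface names, the guest subnet and the address 203.0.113.5 are assumed
# placeholders (203.0.113.0/24 is an RFC 5737 documentation range).

guest_nat_rules() {
    ext_if="$1"      # host's external interface (the one carrying $IP_EXT)
    tap_if="$2"      # tap device created by /etc/qemu-ifup
    guest_net="$3"   # guest subnet, e.g. 192.168.64.0/24
    ip_ext="$4"      # host's external address, used as the SNAT source
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# Rewrite the source of guest packets leaving via $ext_if.  conntrack records
# the mapping and un-translates the replies, so no PREROUTING rule is needed
# for return traffic and the host's own ports are left untouched.
iptables -t nat -A POSTROUTING -s $guest_net -o $ext_if -j SNAT --to-source $ip_ext
# The guest may open new connections to the outside ...
iptables -A FORWARD -i $tap_if -o $ext_if -s $guest_net -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
# ... but only replies to those connections may be forwarded back to it.
iptables -A FORWARD -i $ext_if -o $tap_if -d $guest_net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Everything else headed for the guest (unsolicited inbound) is dropped.
iptables -A FORWARD -o $tap_if -j DROP
EOF
}

# Generalisation: expose exactly ONE guest service.  Only TCP host_port on
# ip_ext is rewritten, so SSH and every other host port remain reachable.
# -I puts both rules ahead of the catch-all DROP appended above.
guest_port_forward() {
    ext_if="$1"; tap_if="$2"; ip_ext="$3"; guest_ip="$4"
    host_port="$5"; guest_port="$6"
    cat <<EOF
iptables -t nat -I PREROUTING -i $ext_if -d $ip_ext -p tcp --dport $host_port -j DNAT --to-destination $guest_ip:$guest_port
iptables -I FORWARD -i $ext_if -o $tap_if -d $guest_ip -p tcp --dport $guest_port -m conntrack --ctstate NEW -j ACCEPT
EOF
}

EXT_IF="${EXT_IF:-eth0}"
TAP_IF="${TAP_IF:-tap0}"
GUEST_NET="${GUEST_NET:-192.168.64.0/24}"
IP_EXT="${IP_EXT:-203.0.113.5}"   # placeholder; set to the DHCP-assigned address

if [ "$1" = "--apply" ]; then
    guest_nat_rules "$EXT_IF" "$TAP_IF" "$GUEST_NET" "$IP_EXT" | sh -e
else
    guest_nat_rules "$EXT_IF" "$TAP_IF" "$GUEST_NET" "$IP_EXT"
fi
```

After applying, check the result with `iptables -t nat -S` and `iptables -S FORWARD` and confirm from outside that an SSH connection to $IP_EXT is still answered by the host. Because the SNAT source is a fixed address, the rule has to be re-issued when DHCP hands the host a new one; `-j MASQUERADE` on the same POSTROUTING match avoids that at the cost of a per-packet address lookup.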