
[Qemu-discuss] Port-forwarding to a QEMU/KVM VM

From: Jaap Winius
Subject: [Qemu-discuss] Port-forwarding to a QEMU/KVM VM
Date: Fri, 21 Sep 2018 06:06:47 +0000
User-agent: Horde Application Framework 5

Hi folks,

For years I've maintained Debian Linux servers that run QEMU/KVM virtual machines along with ppp, bridge-utils (brctl) and iptables. In these cases it is simple to configure the latter to forward packets from the Internet, arriving on interface ppp0, over to VMs on the internal bridged interface, br0. This interface is configured like:

  auto enp35s0
  iface enp35s0 inet manual

  auto br0
  iface br0 inet static
        bridge_ports enp35s0
        bridge_stp off
        bridge_fd 0
        bridge_ageing 0
        bridge_maxwait 2

The relevant iptables rules I use to forward HTTPS traffic on to the VM look like:

  iptables -t nat -A PREROUTING -i ppp0 \
    -p tcp --dport 443 -j DNAT --to

  iptables -A FORWARD -i ppp0 \
    -p tcp -d --dport 443 --syn -m state --state NEW -j ACCEPT

However, this forwarding configuration stopped working after ppp and iptables were moved to a physically separate gateway machine. Now the packets from outside are still forwarded on to the VM (that uses a virtio network interface), which responds, but the replies never make it out of the bridged network segment. Using tcpdump, the reply packets can be detected on the VM and the host server, but not on the gateway.

How can port-forwarding functionality best be restored in this case?

To be honest, this problem seems more like something to do with brctl than with QEMU/KVM, but as brctl appears to be the bridge of choice in these environments, surely someone here has already encountered this problem and found a fix for it. And as I'm rather stumped on this one, I'd be very grateful if someone were to share their solution here.
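The DNAT rule above is stateful: the gateway records the connection when it rewrites the destination, and it can only restore the public address on the reply if that reply passes back through the same box. The following model is an added example and not code from the post or from QEMU; it uses constructed RFC 5737 / RFC 1918 addresses and a one-flag "does the reply traverse the gateway" switch, and makes no claim about why the bridge is swallowing the replies. It also includes the per-hop tcpdump check from the post as a small function, so the "seen on VM and host, missing on gateway" observation can be expressed mechanically.

```python
"""Model of the DNAT port-forward described in the post.

A stateful NAT gateway rewrites the destination of inbound packets and keeps a
conntrack entry so it can reverse the rewrite on the reply. If the reply does
not come back through the gateway, nothing undoes the DNAT and the client never
sees a packet from the address:port it connected to.

All addresses are constructed placeholders (not taken from the post).
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """Minimal model of `-t nat -A PREROUTING -j DNAT` plus its conntrack entry."""

    def __init__(self, public_ip: str, forward_port: int, target_ip: str) -> None:
        self.public_ip = public_ip        # address on ppp0 (constructed)
        self.forward_port = forward_port  # 443 in the post
        self.target_ip = target_ip        # VM address on br0 (constructed)
        # (client_ip, client_port) -> (original_dst, original_dport)
        self.conntrack: dict[tuple[str, int], tuple[str, int]] = {}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """PREROUTING: DNAT packets for public_ip:forward_port to the VM."""
        if pkt.dst == self.public_ip and pkt.dport == self.forward_port:
            self.conntrack[(pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
            return replace(pkt, dst=self.target_ip)
        return None  # no forwarding rule matched

    def outbound(self, pkt: Packet) -> Packet:
        """Reply path: conntrack reverses the DNAT, restoring the public source."""
        key = (pkt.dst, pkt.dport)
        if pkt.src == self.target_ip and key in self.conntrack:
            orig_dst, orig_port = self.conntrack[key]
            return replace(pkt, src=orig_dst, sport=orig_port)
        return pkt  # untracked flow: forwarded unchanged


def vm_reply(pkt: Packet) -> Packet:
    """The VM answers whatever it received, swapping the address tuples."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)


def client_accepts(sent: Packet, reply: Packet) -> bool:
    """A TCP socket only matches a reply from the exact peer it connected to."""
    return (reply.dst, reply.dport, reply.src, reply.sport) == (
        sent.src, sent.sport, sent.dst, sent.dport
    )


def simulate(return_via_gateway: bool) -> tuple[bool, str]:
    """Run one HTTPS SYN through the forward and return (client_ok, reply_src)."""
    gw = NatGateway(public_ip="203.0.113.1", forward_port=443, target_ip="10.0.0.20")
    sent = Packet("198.51.100.10", 51000, "203.0.113.1", 443)
    to_vm = gw.inbound(sent)
    assert to_vm is not None
    reply = vm_reply(to_vm)
    if return_via_gateway:
        reply = gw.outbound(reply)
    # Without the gateway on the return path the reply still carries the
    # VM's private source address, which the client cannot match.
    return client_accepts(sent, reply), reply.src


def first_missing_hop(seen: dict[str, bool]) -> Optional[str]:
    """Given tcpdump observations per hop (reply seen or not), name the first
    hop on the return path where the reply is absent; None if it reached all."""
    for hop in ("vm", "host", "gateway"):
        if not seen.get(hop, False):
            return hop
    return None


if __name__ == "__main__":
    print("reply via gateway:", simulate(True))
    print("reply bypasses gateway:", simulate(False))
    # Constructed summary of the captures described in the post.
    print("reply lost at:", first_missing_hop({"vm": True, "host": True, "gateway": False}))
```

`simulate(True)` yields a reply sourced from the public address, which the client accepts; `simulate(False)` leaves the VM's private address on the reply, so even if it somehow reached the client it would be discarded. The practical check is the same as in the post: capture the reply on each hop of the return path and find the first one where it is missing, which here is the gateway.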


