From: Jason Vas Dias
Subject: [Qemu-discuss] iptables rules for nested guest tunnelling?
Date: Sat, 20 Oct 2018 16:33:30 +0000
Hi -

 I am trying to find the best set of rules to use 'tun'
 networking with qemu-system-$CPU - ie. I am using :

  $ qemu-system-$CPU ... -net tun -net nic

 And I have an /etc/qemu-ifup script installed (attached),
 which I found online, and modified only the
 '# Network Information:' section of.

 I use the iptables setup, where $IP_EXT is the EXTERNAL
 IP address configured on the 'eth0' interface by HOST
 DHCP, and I have configured the GUEST nic IP manually
 (statically) to be :
 $ iptables -t nat -A PREROUTING  -i eth0 -d $IP_EXT -j DNAT --to-destination
 $ iptables -t nat -A POSTROUTING -o eth0 -s -j SNAT --to-source 
 $ iptables -I FORWARD -m state -d --state 

 $ echo 1 > /proc/sys/net/ipv4/ip_forward

 My problem here is that I then lose the ability to access ports on the HOST's
 $IP_EXT from the external internet (all incoming packets are diverted
 to the guest) and I am asking for advice as to precisely why; i.e. I know
 what happens: the rules forward incoming SSH requests to the guest,
 which might not be listening or running e.g. sshd, but I thought this should
 not happen, because I thought:
   iptables -I FORWARD -m state -d \
 would only make replies to sockets which originate on the guest
 be translated into requests to the guest address; but what is
 happening is that unsolicited incoming requests which bear no
 relation to an existing guest socket get translated into requests
 to the guest - this is not what I want - I just want the guest
 to be able to make OUTGOING requests to e.g. named (port 63) and
 HTTP (port 80), and have INCOMING REPLIES (only) to those requests
 translated into guest address packets.

 Please can anyone advise how to achieve this?

 I'd like to be able to just use the tunnel interface,
 which is created OK, and NAT rules, like those above,
 to transfer packets from guest to outside world so that
 it gets replies,
 but still have all incoming requests that are not responses
 to guest packets not be redirected to guest.

 I can run guests on my Cloud hosts which have internet access,
 but then I don't want to lose SSH access to them :-)

 Any advice gratefully received,
 Thanks & Best regards,

Jason Vas Dias

Here is the /etc/qemu-ifup file:


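The attached qemu-ifup script is not part of the archived message. What follows is an added example, not the poster's script or anything from the qemu project: an outbound-only NAT ruleset for a tun/tap guest that drops the PREROUTING DNAT (the rule that diverted every inbound packet to the guest) and relies on SNAT plus conntrack state for the reply direction. Interface names (eth0, tap0) and the addresses used are assumed/constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original mail: outbound-only NAT for a qemu
# tun/tap guest.  Interface names and addresses are passed in; the values
# used in comments (eth0, tap0, 203.0.113.10, 192.168.100.2) are constructed.
#
# The mail's PREROUTING DNAT rewrites every packet addressed to $IP_EXT to
# the guest before routing, so host daemons such as sshd never see them.
# Leaving that rule out is the fix: unsolicited inbound packets then stay on
# the host (INPUT chain), while the guest's own flows are SNATed on the way
# out and their replies are matched back by conntrack state (UDP replies
# such as DNS answers count as ESTABLISHED too).

# Print the ruleset, one command per line, for review or piping into sh.
# Args: uplink tap ext_ip guest_ip
# If ext_ip comes from DHCP and may change, '-j MASQUERADE' (no --to-source)
# is the usual substitute for the SNAT line.
gen_guest_nat_rules() {
    uplink=$1 tap=$2 ext_ip=$3 guest_ip=$4
    cat <<EOF
iptables -t nat -A POSTROUTING -o $uplink -s $guest_ip -j SNAT --to-source $ext_ip
iptables -A FORWARD -i $tap -o $uplink -s $guest_ip -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $uplink -o $tap -d $guest_ip -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $uplink -o $tap -j DROP
sysctl -w net.ipv4.ip_forward=1
EOF
}

# Succeed if a ruleset text still carries a PREROUTING DNAT, i.e. the rule
# that diverted all inbound traffic in the original setup.
has_inbound_dnat() {
    printf '%s\n' "$1" | grep -q -e '-t nat -A PREROUTING.*-j DNAT'
}

# Stand-alone use: ./guest-nat.sh eth0 tap0 203.0.113.10 192.168.100.2 [apply]
# Without "apply" the rules are only printed; "apply" runs them (needs root).
if [ $# -ge 4 ]; then
    rules=$(gen_guest_nat_rules "$1" "$2" "$3" "$4")
    if has_inbound_dnat "$rules"; then echo "refusing: DNAT present" >&2; exit 1; fi
    if [ "${5:-}" = apply ]; then printf '%s\n' "$rules" | sh; else printf '%s\n' "$rules"; fi
fi
```

Run it once without "apply" and confirm the printed rules contain no PREROUTING entry before applying; after applying, sshd on $IP_EXT stays reachable because nothing rewrites packets destined for the host itself.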