[SOLVED] Forwarding internet traffic (port 22 and port 80) to a KVM guest

Ok, I added /etc/libvirt/hooks/network as shown in your reply. I can see from iptables-save that both the -i and -o REJECT rules were removed, but it didn't make any difference in behavior.

I've now fully re-tested this in three basic combinations, as described below. Except for problems forwarding port 80 and port 22 off the internet to my guest VM, everything seems to be working as expected.

Are there other diagnostics I can provide to help debug this further?

I haven't (yet) figured out how to watch what's happening when traffic hits the internet-facing port 22 or port 80. It seems like that's where something is getting lost...?


The three combinations I re-tested were:

  • Wired network - eth0 on 192.168.1.41, virsh network with <forward mode='route'/>
  • Wired network - eth0 on 192.168.1.41, virsh network with <forward mode="nat" dev="eth0"/>
  • Wireless Network - wlan0 on 192.168.1.41, virsh network with <forward mode='route'/>

Note the change from 192.168.1.40 (as in my original post) and 192.168.1.41 in this setup.

In all cases:

  • Hosts on 192.168.1 have connectivity to hosts on 192.168.1
  • Hosts on 192.168.1 have connectivity to hosts on 192.168.2
  • Hosts on 192.168.1 have internet connectivity
  • Hosts on 192.168.2 have connectivity to hosts on 192.168.1
  • Hosts on 192.168.2 have connectivity to hosts on 192.168.2
  • Hosts on 192.168.2 have internet connectivity
  • Router can successfully ping 192.168.2.2, nc 192.168.2.2 80 and ssh 192.168.2.2 -p 22
  • Router can successfully ping 192.168.1.41, nc 192.168.1.41 8080 and ssh 192.168.1.41 -p 2222
  • Internet traffic is NOT forwarded through regardless of whether I set up port forwards in OpenWrt to 192.168.2.2 or 192.168.1.41

For reference, these are the current libvirt hooks that are in place on the hypervisor:

#!/bin/bash
# /etc/libvirt/hooks/network

if [ "$2" = "started" ]
then
   iptables -D "FORWARD" -i "virbr1" -j "REJECT" --reject-with "icmp-port-unreachable"
   iptables -D "FORWARD" -o "virbr1" -j "REJECT" --reject-with "icmp-port-unreachable"
fi

exit 0

#!/bin/sh
# /etc/libvirt/hooks/qemu

if [ "$1" = "mercury" ]; then

   if [ "$2" = "start" ]; then

      # Forward traffic from sol to mercury, used for a port forward on the router
      iptables -I FORWARD -o virbr1 -d 192.168.2.2 -j ACCEPT
      iptables -t nat -I PREROUTING -p tcp --dport 8080 -j DNAT --to 192.168.2.2:80
      iptables -t nat -A OUTPUT -p tcp --dport 8080 -j DNAT --to 192.168.2.2:80
      iptables -t nat -I PREROUTING -p tcp --dport 2222 -j DNAT --to 192.168.2.2:22
      iptables -t nat -A OUTPUT -p tcp --dport 2222 -j DNAT --to 192.168.2.2:22

   elif [ "$2" = "stopped" ]; then

      # Remove the forwarding rules
      iptables -D FORWARD -o virbr1 -d 192.168.2.2 -j ACCEPT
      iptables -t nat -D PREROUTING -p tcp --dport 8080 -j DNAT --to 192.168.2.2:80
      iptables -t nat -D OUTPUT -p tcp --dport 8080 -j DNAT --to 192.168.2.2:80
      iptables -t nat -D PREROUTING -p tcp --dport 2222 -j DNAT --to 192.168.2.2:22
      iptables -t nat -D OUTPUT -p tcp --dport 2222 -j DNAT --to 192.168.2.2:22

   fi

fi

exit 0

This is the current result from iptables-save on the hypervisor:

# Generated by iptables-save v1.6.0 on Sun Oct 14 16:33:10 2018
*nat
:PREROUTING ACCEPT [169:17138]
:INPUT ACCEPT [12:1586]
:OUTPUT ACCEPT [44:3037]
:POSTROUTING ACCEPT [173:11846]
-A PREROUTING -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.2.2:22
-A PREROUTING -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.2.2:80
-A OUTPUT -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.2.2:80
-A OUTPUT -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.2.2:22
COMMIT
# Completed on Sun Oct 14 16:33:10 2018
# Generated by iptables-save v1.6.0 on Sun Oct 14 16:33:10 2018
*mangle
:PREROUTING ACCEPT [2074:242931]
:INPUT ACCEPT [335:37644]
:FORWARD ACCEPT [1702:198004]
:OUTPUT ACCEPT [287:70349]
:POSTROUTING ACCEPT [1989:268353]
-A POSTROUTING -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sun Oct 14 16:33:10 2018
# Generated by iptables-save v1.6.0 on Sun Oct 14 16:33:10 2018
*filter
:INPUT ACCEPT [336:37684]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [287:71063]
-A INPUT -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.2.2/32 -o virbr1 -j ACCEPT
-A FORWARD -d 192.168.2.0/24 -o virbr1 -j ACCEPT
-A FORWARD -s 192.168.2.0/24 -i virbr1 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A OUTPUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT
COMMIT
# Completed on Sun Oct 14 16:33:10 2018
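Added here as an editor's example, not code from the poster or from libvirt: a small checker that parses an iptables-save dump (an abridged copy of the one above is embedded) and reports, for each nat PREROUTING DNAT rule, the translated target, whether the rule is restricted to an incoming interface, and whether the filter FORWARD chain would accept traffic to that target. It assumes router-forwarded traffic arrives on eth0 and does not model the -o interface, which depends on the host routing table.

```python
import ipaddress
import shlex
# Abridged copy of the iptables-save dump from the post (nat + filter tables only).
DUMP = """\
*nat
-A PREROUTING -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.2.2:22
-A PREROUTING -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.2.2:80
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 192.168.2.2/32 -o virbr1 -j ACCEPT
COMMIT
"""

def parse_tables(dump):
    # {table: {"policy": {chain: policy}, "rules": [argv without "-A", ...]}}
    tables, cur = {n: {"policy": {}, "rules": []} for n in ("nat", "filter")}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":") and cur is not None:
            chain, policy = line[1:].split()[:2]
            cur["policy"][chain] = policy
        elif line.startswith("-A") and cur is not None:
            cur["rules"].append(shlex.split(line)[1:])
    return tables

def _opt(argv, flag):
    return argv[argv.index(flag) + 1] if flag in argv else None

def forward_accepts(filt, ip, in_iface):
    # Does a FORWARD ACCEPT rule (or the chain policy) cover ip arriving on in_iface?
    for argv in filt["rules"]:
        ifc, dst = _opt(argv, "-i"), _opt(argv, "-d")
        if (argv[0] == "FORWARD" and _opt(argv, "-j") == "ACCEPT" and ifc in (None, in_iface)
                and (dst is None or ip in ipaddress.ip_network(dst, strict=False))):
            return True
    return filt["policy"].get("FORWARD") == "ACCEPT"

def check_dnat(dump, in_iface="eth0"):
    # Per PREROUTING DNAT --dport: translated target, -i restriction, FORWARD verdict.
    t, out = parse_tables(dump), {}
    for argv in t["nat"]["rules"]:
        if argv[0] == "PREROUTING" and _opt(argv, "-j") == "DNAT":
            target = _opt(argv, "--to-destination")
            ip = ipaddress.ip_address(target.split(":")[0])
            out[_opt(argv, "--dport")] = {"target": target,
                "in_iface": _opt(argv, "-i"),  # None: DNAT also hits packets from virbr1
                "forward_accept": forward_accepts(t["filter"], ip, in_iface)}
    return out
```

Run it against the live output of `iptables-save` on the hypervisor to confirm the DNAT and FORWARD halves of the forward line up for ports 8080 and 2222.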