From 5d6cd1057242c9022535cfc2074552482bb17001 Mon Sep 17 00:00:00 2001
From: Pierre Hubert
Date: Tue, 12 Dec 2023 00:34:21 +0100
Subject: [PATCH] Investigate port forwarding
---
 README.md | 105 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 105 insertions(+)
diff --git a/README.md b/README.md
index edd344d..b4d0ec1 100644
--- a/README.md
+++ b/README.md
@@ -23,4 +23,109 @@ sudo adduser $USER kvm
 ## Production requirements
+### TODO TODO
+
+### Manual port forwarding without a LibVirt HOOK
+* Allow ip forwarding in the kernel: edit `/etc/sysctl.conf` and uncomment the following line:
+
+```
+net.ipv4.ip_forward=1
+```
+
+* To reload `sysctl` without reboot:
+
+```
+sudo sysctl -p /etc/sysctl.conf
+```
+
+* WIP
+
+
+```
+export UP_DEV=$(ip a | grep "192.168.1." -B 2 | head -n 1 | cut -d ':' -f 2 |
+ tr -d ' ')
+export LOCAL_DEV=$(ip a | grep "192.168.25." -B 2 | head -n 1 | cut -d ':' -f 2 | tr -d ' ')
+echo "$UP_DEV -> $LOCAL_DEV"
+
+GUEST_IP=192.168.25.189
+HOST_PORT=8085
+GUEST_PORT=8085
+
+# connections from outside
+sudo iptables -I FORWARD -o $LOCAL_DEV -d $GUEST_IP -j ACCEPT
+sudo iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
+
+# TODO: try to ignore Masquerade local subnet
+sudo iptables -I FORWARD -o $LOCAL_DEV -d $GUEST_IP -j ACCEPT
+sudo iptables -t nat -A POSTROUTING -s 192.168.25.0/24 -j MASQUERADE
+sudo iptables -A FORWARD -o $LOCAL_DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
+sudo iptables -A FORWARD -i $LOCAL_DEV -o $UP_DEV -j ACCEPT
+sudo iptables -A FORWARD -i $LOCAL_DEV -o lo -j ACCEPT
+
+```
+
+
+
+### Manual port forwarding with a LibVirt HOOK
+* Allow ip forwarding in the kernel: edit `/etc/sysctl.conf` and uncomment the following line:
+
+```
+net.ipv4.ip_forward=1
+```
+
+* To reload `sysctl` without reboot:
+
+```
+sudo sysctl -p /etc/sysctl.conf
+```
+
+* Get the following information, using the web ui or `virsh`:
+ * The name of the target guest
+ * The IP and port of the guest who will receive the connection
+ * The port of the host that will be forwarded to the guest
+
+* Stop the guest if its running, either using `virsh` or from the web ui
+
+* Create or append the following content to the file `/etc/libvirt/hooks/qemu`:
+
+```bash
+#!/bin/bash
+
+# IMPORTANT: Change the "VM NAME" string to match your actual VM Name.
+# In order to create rules to other VMs, just duplicate the below block and configure
+# it accordingly.
+if [ "${1}" = "VM NAME" ]; then
+
+ # Update the following variables to fit your setup
+ GUEST_IP=
+ GUEST_PORT=
+ HOST_PORT=
+
+ if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
+ /sbin/iptables -D FORWARD -o virbr0 -p tcp -d $GUEST_IP --dport $GUEST_PORT -j ACCEPT
+ /sbin/iptables -t nat -D PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
+ fi
+ if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
+ /sbin/iptables -I FORWARD -o virbr0 -p tcp -d $GUEST_IP --dport $GUEST_PORT -j ACCEPT
+ /sbin/iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
+ fi
+fi
+```
+
+* Make the hook executable:
+
+```bash
+sudo chmod +x /etc/libvirt/hooks/qemu
+```
+
+* Restart the `libvirtd` service:
+
+```bash
+sudo systemctl restart libvirtd.service
+```
+
+* Start the guest
+
+
+> Note: this guide is based on https://wiki.libvirt.org/Networking.html
\ No newline at end of file