
Friday, January 7, 2011

Iptables Port Forwarding to KVM Virtual Machines

Port forwarding with iptables to virtual machines running on a virtual NAT network on a KVM host

I was trying to access the remote desktop of a Windows virtual guest running on a RHEL 6 KVM host, on a separate virtual NAT network called windows (192.168.100.0), from my Fedora box, which is on a completely different subnet (10.69.69.0), but I didn't know how to achieve it.

Enter iptables, a very powerful firewall that processes packets through rules organised into its built-in tables and chains. On a Linux box, iptables is implemented inside the kernel as a set of netfilter modules, with the iptables command managing the rules from userspace.

Follow the steps below on your KVM host.

Flush the FORWARD chain (if you depend on existing FORWARD rules, add a rule allowing port 3389 to the virtual machine instead of flushing the chain):

# iptables -F FORWARD

Verify that the FORWARD chain is empty:

# iptables -L -n

Write a NAT rule on the PREROUTING chain to redirect port 3389 traffic arriving at the host's public IP to the virtual machine on the virtual NAT network, 192.168.100.181:

# iptables -t nat -A PREROUTING -p tcp -d 10.69.69.83 --dport 3389 -j DNAT --to-destination 192.168.100.181:3389

where

10.69.69.83 -- KVM host bridge address
192.168.100.181 -- IP of vm1 on the windows network
3389 -- remote desktop (RDP) port

Check the NAT table after adding the rule:

# iptables -L -n -t nat

Save the rules with:

# /etc/init.d/iptables save

Then restart the iptables and libvirtd services:

# service iptables restart

# service libvirtd restart

That's it. You can now reach the Windows virtual machine's remote desktop from any host on the 10.69.69.0 network by pointing an RDP client at 10.69.69.83, port 3389.

If you face any connectivity issue, the following commands help with troubleshooting.

Look at the nf_conntrack proc file during a connection attempt:

# cat /proc/net/nf_conntrack | grep 3389
ipv4     2 tcp      6 118 SYN_SENT src=4.79.142.206 dst=192.168.3.1 sport=43142 dport=3389 packets=6 bytes=264 [UNREPLIED] src=192.168.3.5 dst=4.79.142.206 sport=3389 dport=43142 packets=0 bytes=0 mark=0 secmark=0 zone=0 use=2

An entry stuck in SYN_SENT and marked [UNREPLIED], as above, means the host saw the client's SYN and translated it, but nothing ever came back from the VM side.

or

run a simple tcpdump on the KVM host to watch the traffic flow on port 3389:

# tcpdump port 3389
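The setup steps and the conntrack check above, collected into one script as an added example (not from the original post). It generates the DNAT rule with the post's addresses, inserts an explicit FORWARD accept for only this flow rather than flushing the whole chain, and parses nf_conntrack lines for the forwarded port; HOST_IP, VM_IP, PORT, DRY_RUN and APPLY are this example's own variables, and it assumes the default libvirt NAT network rules, which already accept the VM's reply traffic.

```shell
#!/bin/sh
# Added example, not from the original post: builds the iptables rules for the
# RDP forward above and inspects nf_conntrack entries for the forwarded port.
# HOST_IP, VM_IP and PORT default to the post's values. Assumes the default
# libvirt NAT network rules, which already accept the VM's reply traffic.
HOST_IP="${HOST_IP:-10.69.69.83}"      # KVM host bridge address
VM_IP="${VM_IP:-192.168.100.181}"      # Windows VM on the 'windows' NAT network
PORT="${PORT:-3389}"                   # RDP

# DNAT rule: connections to the host address on PORT are rewritten to the VM.
dnat_rule() {
    echo "iptables -t nat -A PREROUTING -p tcp -d $1 --dport $3 -j DNAT --to-destination $2:$3"
}

# Explicit FORWARD accept for just this flow, inserted at the top of the chain
# so it precedes libvirt's own reject rule. Use this instead of 'iptables -F
# FORWARD', which also throws away libvirt's isolation rules for every network.
forward_rule() {
    echo "iptables -I FORWARD 1 -p tcp -d $2 --dport $3 -j ACCEPT"
}

# Run the rules and persist them; with DRY_RUN=1 only print the commands.
apply_rules() {
    run="${DRY_RUN:+echo}"
    $run $(forward_rule "$HOST_IP" "$VM_IP" "$PORT")
    $run $(dnat_rule "$HOST_IP" "$VM_IP" "$PORT")
    $run /etc/init.d/iptables save
}

# Read /proc/net/nf_conntrack lines on stdin; for each TCP entry on PORT print
# the TCP state and whether the VM answered. SYN_SENT with [UNREPLIED] means the
# DNAT matched but nothing came back: check the FORWARD chain and the guest's
# firewall before blaming the NAT rule.
diagnose_conntrack() {
    awk -v port="$1" '
        $3 == "tcp" && index($0, "dport=" port " ") {
            reply = ($0 ~ /\[UNREPLIED\]/) ? "no-reply-from-vm" : "replied"
            print $6, reply
        }'
}

# Side effects are gated behind APPLY=1 so the functions can be sourced or tested.
if [ -n "${APPLY:-}" ]; then
    apply_rules
    diagnose_conntrack "$PORT" < /proc/net/nf_conntrack
fi
```

Run `APPLY=1 DRY_RUN=1 sh forward_rdp.sh` to preview the commands, and `APPLY=1 sh forward_rdp.sh` as root to apply them and print the conntrack state of any RDP attempts.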

2 comments:

Anonymous said...

I love you for this.

Anonymous said...

I love you too, flushing the FORWARD chain was my missing step....