Friday, January 7, 2011

Iptables Port Forwarding to the kvm Virtual Machines

Port forwarding using iptables to virtual machines running on a virtual NAT network on a KVM host

I was trying to access the remote desktop of a Windows virtual guest running on a RHEL 6 KVM host, using a separate virtual NAT network called windows (192.168.100.0), from my Fedora box, which is on a completely different subnet (10.69.69.0), but I didn't know how to achieve it.

Then iptables struck me: a very powerful firewall that handles packets based on the type of packet activity and enqueues each packet in one of its built-in 'tables'. On a Linux box, iptables is implemented in the Linux kernel as a set of kernel modules.

Follow the steps below on your KVM host.

Flush the FORWARD chain; this deletes every rule in it. (If you have any working FORWARD chain rules, add an appropriate rule to allow 3389.)

#iptables -F FORWARD

Verify that the rules on the FORWARD chain are flushed using

#iptables -L -n

Write a NAT rule on the PREROUTING chain to redirect 3389 traffic arriving on the host's public IP to the virtual machine at 192.168.100.181 on the virtual NAT network

#iptables -t nat -A PREROUTING -p tcp -d 10.69.69.83 --dport 3389 -j DNAT --to-destination  192.168.100.181:3389

where

10.69.69.83 -- KVM host bridge IP
192.168.100.181 -- IP of vm1 on the windows network
3389 -- remote desktop (RDP) port

Check the NAT table once you have added the above rule, using

#iptables -L -n -t nat
 
Save the rule using the command below

/etc/init.d/iptables save

Then restart the iptables and libvirtd services

#service iptables restart

#service libvirtd restart

That's it. Now you can access the remote desktop of the Windows virtual machine from anywhere on your 10.69.69.0 network by pointing to 10.69.69.83 on port 3389.

If you face any connectivity issues, you can use the commands below to troubleshoot.

You can look at the nf_conntrack proc file during a connection attempt:

#cat /proc/net/nf_conntrack | grep 3389
ipv4     2 tcp      6 118 SYN_SENT src=4.79.142.206 dst=192.168.3.1 sport=43142 dport=3389 packets=6 bytes=264 [UNREPLIED] src=192.168.3.5 dst=4.79.142.206 sport=3389 dport=43142 packets=0 bytes=0 mark=0 secmark=0 zone=0 use=2

Or you can run a simple tcpdump on the KVM host to monitor the traffic on port 3389:

# tcpdump port 3389
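
To read conntrack entries like the one above at a glance, here is an added example (not part of the original post) that summarizes the entries for one destination port, showing the original tuple, the address the reply comes from, and whether a reply was seen. The helper name dnat_status is hypothetical; the first sample line is the one from the post and the other two are constructed.

```sh
#!/bin/sh
# Added example: summarize conntrack entries for one destination port.
# dnat_status is a hypothetical helper name, not an existing tool.
# On the KVM host: dnat_status 3389 < /proc/net/nf_conntrack
dnat_status() {
    awk -v port="$1" '
    {
        n = 0; state = "-"; replied = "replied"
        for (i = 1; i <= NF; i++) {
            if ($i == "[UNREPLIED]") {
                replied = "unreplied"          # no packet seen in the reply direction
            } else if ($i ~ /^[A-Z_]+$/) {
                state = $i                     # TCP state, e.g. SYN_SENT
            } else if ($i ~ /^(src|dst|sport|dport)=/) {
                split($i, kv, "=")
                # first four tuple fields: original direction; next four: reply
                dir = (n < 4) ? "orig" : "reply"
                t[dir, kv[1]] = kv[2]
                n++
            }
        }
        if (n < 8 || t["orig", "dport"] != port) next
        # DNAT rewrote the destination if replies come from a different address
        nat = (t["reply", "src"] != t["orig", "dst"]) ? "dnat" : "no-nat"
        printf "%s %s->%s:%s to=%s:%s %s %s\n", nat,
            t["orig", "src"], t["orig", "dst"], t["orig", "dport"],
            t["reply", "src"], t["reply", "sport"], state, replied
    }'
}

# Sample input: line 1 is the entry shown in the post; lines 2-3 are constructed.
SAMPLE='ipv4     2 tcp      6 118 SYN_SENT src=4.79.142.206 dst=192.168.3.1 sport=43142 dport=3389 packets=6 bytes=264 [UNREPLIED] src=192.168.3.5 dst=4.79.142.206 sport=3389 dport=43142 packets=0 bytes=0 mark=0 secmark=0 zone=0 use=2
ipv4     2 tcp      6 431990 ESTABLISHED src=10.69.69.20 dst=10.69.69.83 sport=51514 dport=3389 packets=12 bytes=1480 src=192.168.100.181 dst=10.69.69.20 sport=3389 dport=51514 packets=10 bytes=2211 [ASSURED] mark=0 secmark=0 zone=0 use=2
ipv4     2 tcp      6 299 ESTABLISHED src=10.69.69.20 dst=10.69.69.83 sport=40022 dport=22 src=10.69.69.83 dst=10.69.69.20 sport=22 dport=40022 [ASSURED] mark=0 secmark=0 zone=0 use=2'

printf '%s\n' "$SAMPLE" | dnat_status 3389
```

A `dnat ... unreplied` line means the destination was rewritten to the guest address but no reply packet has been seen yet, while `dnat ... ESTABLISHED replied` is a working forwarded session.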

Friday, December 31, 2010

Setting up Bridge Networking on KVM Host

Guest (VM) networking in kvm

Guest (VM) networking in KVM is the same as in QEMU. The steps below explain how to configure the most frequently needed types of network.

Why Public Bridge on Host?

Use a public bridge if you want a simple way for your virtual machine to access the host, the internet, or resources available on your local network.

On Red Hat based distributions you can use the sysconfig scripts to set up bridge networking.

Note: You need KVM installed and running, because setting up a bridge needs the bridge-utils package, which is installed as a dependency during the KVM installation.

Your host system must be able to access the internet or the local network.

In our example we are creating a bridge interface named kvmlan1 (you can use any name that suits your environment), so go to

#cd /etc/sysconfig/network-scripts/

#vi ifcfg-kvmlan1

DEVICE=kvmlan1
TYPE=Bridge
ONBOOT=yes
IPADDR=x.y.z.1   # replace with the host IP
NETMASK=255.255.255.0
GATEWAY=YOUR_GATEWAY   # replace with your gateway IP
DELAY=0
STP=no

Save it.

Now select the physical interface to tie to the above bridge. In our case we used eth0.

#vi ifcfg-eth0

DEVICE=eth0
ONBOOT=yes
BOOTPROTO=none
HWADDR=00:21:70:EA:E1:CF
BRIDGE=kvmlan1

Save it and restart the network service:

# /etc/init.d/network restart

And verify your bridge is up:

# brctl  show

bridge name     bridge id               STP enabled     interfaces
kvmlan1         8000.002170eae1cf       no              eth0
pan0            8000.000000000000       no

The bridge kvmlan1 should get the static IP address, while the physical eth0 is left without an IP address. Now you can use the bridge kvmlan1 when creating a new virtual machine with virt tools such as virt-manager.