Forward ports to KVM XP Guest

Here is a configuration which should work for you. It does not modify the default configuration - vmbr0 is still bridged to eth0.

Instead we use a second bridge, called 'vmbr1'. It uses a private network '10.0.2.1/24'. All traffic is masqueraded using SNAT.

When you create a new VM simply select 'vmbr1' as bridge. Inside the VM use 10.0.2.1 as gateway.

Code:
auto eth0
iface eth0 inet static
 
auto vmbr0
iface vmbr0 inet static
        address 87.118.126.3
        netmask 255.255.255.0
        gateway 87.118.126.1
        bridge_ports none
        bridge_stp on
        bridge_fd 0
 
auto vmbr1
iface vmbr1 inet static
        address  10.0.2.1
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp on
        bridge_fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '10.0.2.0/24' -j SNAT --to-source 87.118.126.3
        post-down iptables -t nat -D POSTROUTING -s '10.0.2.0/24' -j SNAT --to-source 87.118.126.3
 
PVE does not have a DHCP server by default. So who assigns those addresses inside the XP Guest??

I've no idea.

Here is a configuration which should work for you. It does not modify the default configuration - vmbr0 is still bridged to eth0.

Instead we use a second bridge, called 'vmbr1'. It uses a private network '10.0.2.1/24'. All traffic is masqueraded using SNAT.

When you create a new VM simply select 'vmbr1' as bridge. Inside the VM use 10.0.2.1 as gateway.

Code:
auto eth0
iface eth0 inet static
 
auto vmbr0
iface vmbr0 inet static
        address 87.118.126.3
        netmask 255.255.255.0
        gateway 87.118.126.1
        bridge_ports eth0
        bridge_stp on
        bridge_fd 0
 
auto vmbr1
iface vmbr1 inet static
        address  10.0.2.1
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp on
        bridge_fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '10.0.2.0/24' -j SNAT --to-source 87.118.126.3
        post-down iptables -t nat -D POSTROUTING -s '10.0.2.0/24' -j SNAT --to-source 87.118.126.3

thanks again, will try that this morning.
 
Code:
auto eth0
iface eth0 inet static
 
auto vmbr0
iface vmbr0 inet static
        address 87.118.126.3
        netmask 255.255.255.0
        gateway 87.118.126.1
        bridge_ports none
        bridge_stp on
        bridge_fd 0
 
auto vmbr1
iface vmbr1 inet static
        address  10.0.2.1
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp on
        bridge_fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '10.0.2.0/24' -j SNAT --to-source 87.118.126.3
        post-down iptables -t nat -D POSTROUTING -s '10.0.2.0/24' -j SNAT --to-source 87.118.126.3

This configuration broke networking, I'm afraid. I'll need to log a ticket with my host to revert the interfaces file.

Should all of the bridge_ports parameters be "none"? Can you pls double check what you posted?
 
No, sorry. As described in the text, eth0/vmbr0 is not modified, i.e. vmbr0 uses eth0 - I corrected that in my previous post.

- Dietmar
 
Whoops. Should have trusted my instincts there before making the change!

Oh well, will retry once I get access to the server again...
 
Brilliant, this configuration now works! Thanks a lot for your help.
 
I am not 100% sure about the NAT rules - maybe you should add '-o vmbr0' - only do NAT if packets are really sent out.

Code:
post-up iptables -t nat -A POSTROUTING -s '10.0.2.0/24' -o vmbr0 -j SNAT --to-source 87.118.126.3
post-down iptables -t nat -D POSTROUTING -s '10.0.2.0/24' -o vmbr0 -j SNAT --to-source 87.118.126.3
 
-redir option

When starting qemu guests, it seems like the -redir option would do what's needed. How can I pass that to the guest on startup? Is there somewhere configurable that I could add these options?

I have done some tests with Proxmox VE installing a WinXP KVM VM.
The IP address (10.0.2.15) is automatically assigned to my VM (with bridge NAT in Virtual machine configuration>Hardware>Ethernet devices ).
I guess there is a DHCP server embedded in the QEMU emulator:
http://bellard.org/qemu/qemu-doc.html#SEC30
I too didn't find out how to add a '-redir' option to a KVM VM (to redirect TCP connections from the host) using the web UI.
So I have done something manually adding:
Code:
  redir: tcp:3389:10.0.2.15:3389 (my VM ip and remote desktop port)
to line 10 of /etc/qemu-server/101.conf
Code:
  redir => 'string',
to line 125 of /usr/share/perl5/PVE/QemuServer.pm
Code:
  push @$cmd, '-redir', $conf->{redir} if $conf->{redir};
to line 1274 of /usr/share/perl5/PVE/QemuServer.pm

It's certainly not the best way to do this but it seems to work (at least, for one VM) : I can remote desktop my WinXP VM using the host IP address.
Something delivered as standard (if not already done !) would be nice: the '-redir' option might be useful for doing some tests or checks.

But your configuration, Dietmar, is certainly the best option.
It works great for me too, from the VM to the outside world, and the other way around by adding
Code:
  # 192.168.0.51 is my host IP, 10.0.2.15 is my VM IP
  iptables -t nat -A PREROUTING -p tcp -d 192.168.0.51 --dport 3389 -j DNAT --to-destination 10.0.2.15
 
I knew I wasn't assigning that IP to the guest :)

I've been using these 2 commands for port forwarding, working flawlessly.

Code:
iptables -A PREROUTING -t nat -p tcp --dport 32105 -j DNAT --to-destination 10.0.2.105:32105

iptables -I FORWARD 1 -d 10.0.2.105 -p tcp --dport 32105 -j ACCEPT
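
The rules posted in this thread differ in how tightly they are scoped: the `-o vmbr0` variant of the SNAT rule only rewrites packets leaving through the uplink bridge, and the DNAT rule with `-d 192.168.0.51` only redirects connections addressed to the host, while the other variants match more traffic than intended. The following check is an added example, not part of any post in this thread; the function names `audit_nat_rules` and `sample_rules` are made up for it, and the sample input is constructed from the rules quoted above.

```shell
#!/bin/sh
# Added example: report NAT rules that are not pinned to an interface or address.
# Reads iptables commands or iptables-save lines on stdin, one rule per line
# (on a live host: iptables-save -t nat | audit_nat_rules).
audit_nat_rules() {
    awk '
    # 1 if any of up to three option spellings is a field of the current rule
    function has(a, b, c,    i) {
        for (i = 1; i <= NF; i++)
            if ($i == a || (b != "" && $i == b) || (c != "" && $i == c)) return 1
        return 0
    }
    # the chain name is the field after -A (append) or -I (insert)
    function chain(    i) {
        for (i = 1; i < NF; i++)
            if ($i == "-A" || $i == "-I") return $(i + 1)
        return ""
    }
    {
        ch = chain()
        if (ch == "POSTROUTING" && has("SNAT", "MASQUERADE") &&
            !has("-o", "--out-interface"))
            print NR ": source NAT is not limited to an outgoing interface (-o)"
        if (ch == "PREROUTING" && has("DNAT") &&
            !has("-i", "--in-interface") && !has("-d", "--destination", "--dst"))
            print NR ": DNAT matches every destination address and interface (no -d or -i)"
    }'
}

# Constructed sample input: the rules quoted in this thread, one per line.
sample_rules() {
    cat <<'EOF'
iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -j SNAT --to-source 87.118.126.3
iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -o vmbr0 -j SNAT --to-source 87.118.126.3
iptables -t nat -A PREROUTING -p tcp -d 192.168.0.51 --dport 3389 -j DNAT --to-destination 10.0.2.15
iptables -A PREROUTING -t nat -p tcp --dport 32105 -j DNAT --to-destination 10.0.2.105:32105
iptables -I FORWARD 1 -d 10.0.2.105 -p tcp --dport 32105 -j ACCEPT
EOF
}

sample_rules | audit_nat_rules
```

The numbers in the output are input line numbers, so with the sample above the first SNAT rule and the port 32105 DNAT rule are reported.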
 
This might be an old thread but I have similar problems. I've used the same rules to set up a forwarding to a KVM Win7 VPS, but it refuses to work. I have 2 bridges, one for the public internet (vmbr0) and another to my own LAN (vmbr1). I'm trying to forward public_ip:33894 -> private_ip:3389 - public_ip and private_ip are the HN public IP, private LAN IP, respectively. The Win7 VPS is bridged to vmbr1. Public and LAN networks are separated physically (different switches). Your rules seem logical, and I have IP forwarding enabled in kernel. Connection is fine between the HN and the VPS, and between other LAN boxes and the VPS.

Could you help with what to check?

# pveversion -v
pve-manager: 1.6-2 (pve-manager/1.6/5087)
running kernel: 2.6.32-4-pve
proxmox-ve-2.6.32: 1.6-19
pve-kernel-2.6.32-4-pve: 2.6.32-19
qemu-server: 1.1-18
pve-firmware: 1.0-8
libpve-storage-perl: 1.0-14
vncterm: 0.9-2
vzctl: 3.0.24-1pve4
vzdump: 1.2-7
vzprocps: 2.0.11-1dso2
vzquota: 3.0.11-1
pve-qemu-kvm: 0.12.5-1
ksm-control-daemon: 1.0-4
 
OK, I seem to have solved the problem, at least partially. I changed the virtual adapter type to e1000 and now the port forwarding is working as expected. I want to use the virtio adapter for performance reasons. I'm pretty clueless as to what might go wrong, is it advisable to use an older virtio ethernet driver? Could it help?
 
Anyone can help with using virtio networking in such scenario? I can provide more info if needed.
 