Port Forward with built in NAT and PVE Firewall

Discussion in 'Proxmox VE: Networking and Firewall' started by alatteri, Feb 27, 2015.

  1. alatteri

    Hi

    I have some VMs using the built-in NAT function. I need to open some ports from the host into the VMs. Using built in PVE Firewall I've enabled Datacenter FW with Accept/Accept rules. I have enabled Host firewall, no rules. I've enabled VM firewall and these are the rules.

    [OPTIONS]
    enable: 1
    dhcp: 0
    [RULES]
    IN ACCEPT -p tcp -dport 40100 -sport 40100

    But it is not working.

    Any suggestions? This is the last hurdle to overcome, then I'm all set to replace VirtualBox with Proxmox.

     
    #1 alatteri, Feb 27, 2015
    Last edited: Feb 27, 2015
  2. Nemesiz

    It's not for port forwarding. It's only to accept incoming connections from outside port 40100 to local port 40100.
     
  3. alatteri

    OK, so using built-in NAT and built-in PVE-Firewall, how do I port-forward from host-guest vm?
     
  4. alatteri

    Easiest thing is to use the --redir arg when using built-in NAT. Not firewall, iptables nonsense. Can't believe this isn't documented anywhere.
     
  5. JBB

    Can you elaborate on that? How do you use the --redir arg?
     
  6. alatteri

    args: -redir tcp:HOSTPORT::GUESTPORT


    ‘hostfwd=[tcp|udp]:[hostaddr]:hostport-[guestaddr]:guestport’
    Redirect incoming TCP or UDP connections to the host port hostport to the guest IP address guestaddr on guest port guestport. If guestaddr is not specified, its value is x.x.x.15 (default first address given by the built-in DHCP server). By specifying hostaddr, the rule can be bound to a specific host interface. If no connection type is set, TCP is used. This option can be given multiple times.

    For example, to redirect host X11 connection from screen 1 to guest screen 0, use the following:

    Code:
    # on the host
    qemu -net user,hostfwd=tcp:127.0.0.1:6001-:6000 [...]
    # this host xterm should open in the guest X11 server
    xterm -display :1

    To redirect telnet connections from host port 5555 to telnet port on the guest, use the following:

    Code:
    # on the host
    qemu -net user,hostfwd=tcp::5555-:23 [...]
    telnet localhost 5555

    Then when you use on the host telnet localhost 5555, you connect to the guest telnet server.

    ‘guestfwd=[tcp]:server:port-dev’
    Forward guest TCP connections to the IP address server on port port to the character device dev. This option can be given multiple times.

    Note: Legacy stand-alone options -tftp, -bootp, -smb and -redir are still processed and applied to -net user. Mixing them with the new configuration syntax gives undefined results. Their use for new applications is discouraged as they will be removed from future versions.




    Forwarding ports to KVM clients

    If you create a VM under Ubuntu 11.10 using virt-manager the default is for it to use Usermode Networking. This doesn't require any setup, however the VM gets an IP address on a new subnet (10.0.2.1/24) that isn't available from the outside world - or even from the host!
    You can move to bridged networking but this requires a fair amount of system configuration work. Another, less well documented, way is to use the redirect functionality built into QEMU.
    The QEMU man page specifies -redir as follows:

    -redir [tcp|udp]:host-port:[guest-host]:guest-port
    When using the user mode network stack, redirect incoming TCP or UDP connections to the host port host-port to the guest guest-host on guest port guest-port. If guest-host is not specified, its value is 10.0.2.15 (default address given by the built-in DHCP server).

    For example, to redirect host X11 connection from screen 1 to guest screen 0, use the following:

    Code:
    # on the host
    qemu -redir tcp:6001::6000 [...]
    # this host xterm should open in the guest X11 server
    xterm -display :1

    To redirect telnet connections from host port 5555 to telnet port on the guest, use the following:

    Code:
    # on the host
    qemu -redir tcp:5555::23 [...]
    telnet localhost 5555

    Then when you use on the host telnet localhost 5555, you connect to the guest telnet server.

    To use this with a virt-manager created virtual machine you need to manually edit the VM Config (I'm using QEMU usermode to manage my VMs so I have to specify a special connection string):

    Code:
    virsh --connect qemu:///session edit Windows

    You then have to specify that this domain will use extra commands from a special namespace, so change the top attribute from:

    Code:
    <domain type='kvm'>

    to:

    Code:
    <domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>

    Then add some override parameters to be passed straight through to the QEMU command line. Here I'm forwarding port 1234 on the host to port 3389 on the VM (make this block immediately under the node):

    Code:
    <qemu:commandline>
      <qemu:arg value='-redir'/>
      <qemu:arg value='tcp:1234::3389'/>
    </qemu:commandline>

    Save these changes, exit the editor and then start up the VM. You should be able to connect to localhost:1234 and be plumbed through to port 3389 on the VM.

     
    sdinet likes this.
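
The hostaddr field in the hostfwd syntax quoted above decides which host interfaces a forward listens on, and the legacy -redir form has no such field. As an added example (not from the thread, QEMU or Proxmox), this POSIX shell script lists the bind address of every forward in a VM's args string and rewrites a -redir spec as a loopback-bound hostfwd rule; the function names and the sample args line are constructed for illustration.

```sh
# Added example: inspect QEMU user-mode port forwards in a VM "args" string.
# is_port VALUE: succeeds if VALUE is an integer in 1..65535.
is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# redir_to_hostfwd SPEC [BINDADDR]
# SPEC is the legacy form [tcp|udp]:host-port:[guest-host]:guest-port.
# Prints the hostfwd= equivalent bound to BINDADDR (default 127.0.0.1).
redir_to_hostfwd() {
    spec=$1; bind=${2:-127.0.0.1}
    case $spec in *:*:*:*) ;; *) return 1 ;; esac   # need all four fields
    proto=${spec%%:*}; rest=${spec#*:}
    hport=${rest%%:*}; rest=${rest#*:}
    gaddr=${rest%%:*}; gport=${rest#*:}
    case ${proto:=tcp} in tcp|udp) ;; *) return 1 ;; esac
    is_port "$hport" && is_port "$gport" || return 1
    printf 'hostfwd=%s:%s:%s-%s:%s\n' "$proto" "$bind" "$hport" "$gaddr" "$gport"
}

# list_forwards ARGS: prints one "bindaddr hostport" line per forward.
# -redir has no host-address field, and a hostfwd rule with an empty hostaddr
# behaves the same way: QEMU listens on every host interface (0.0.0.0 here).
list_forwards() {
    prev=; set -f                       # no globbing while splitting ARGS
    for tok in $1; do
        case "$prev" in -redir|--redir)
            rest=${tok#*:}; echo "0.0.0.0 ${rest%%:*}" ;;
        esac
        old_ifs=$IFS; IFS=,
        for part in $tok; do
            case $part in hostfwd=*)
                left=${part#hostfwd=}; left=${left%%-*}   # proto:hostaddr:hostport
                addr=${left#*:}; addr=${addr%:*}
                echo "${addr:-0.0.0.0} ${left##*:}" ;;
            esac
        done
        IFS=$old_ifs; prev=$tok
    done
    set +f
}

# exposed_forwards ARGS: only the forwards not bound to loopback.
exposed_forwards() { list_forwards "$1" | grep -v '^127\.' || true; }

# Constructed sample, not taken from a real VM config.
SAMPLE_ARGS='--redir tcp:2222::22 -netdev user,id=n0,hostfwd=tcp:127.0.0.1:6001-:6000,hostfwd=udp::5353-:53'
exposed_forwards "$SAMPLE_ARGS"
redir_to_hostfwd tcp:2222::22
```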
  7. PMoxSudo

    I'm sorry to resurrect that, but what's the situation with qemu redirect now?

    I've tried qemu -flags -options, but it seems it got replaced with qm (qemu shows no command found on bash as sudo).

    I also can't find a flag or option that goes with qm that would copy what the -redir flag should do.

    https://pve.proxmox.com/wiki/Manual:_qm

    No mentions of ports or directs.

    Also, while I managed to get one port forward done via /etc/network/interfaces post-up iptables rules, that's not really ideal as it seems I only get these new port forwarding rules applied after a reboot. sudo /etc/init.d/networking does nothing to apply the new rules in /etc/network/interfaces for me.

    pve version:4.1.5 installed over deb jessie.
     
  8. Styr

    Actually, I've just tested that and it works fine, even though it's not really well documented, as you said.

    I created my NATed VM previously and needed to access it from the host which seemed far from easy at start but that thread just saved me.

    By using qm set <vmid> -args "--redir tcp:5555::22", I was able to add a port redirection from the host to the guest. Then I was able to connect to my VM from my host using ssh -p 5555 127.0.0.1.

    Hope this helps.

    Best regards
     
  9. Influx

    Having a hard time getting port forwarding for NAT hosts.

    Code:
    root@ns3036558:~# qm set 101 -args "--redir tcp:2222::22"
    update VM 101: -args --redir tcp:2222::22
    
    But end up getting:

    Code:
    root@ns3036558:~# ssh -l root -p 2222 127.0.0.1
    ssh: connect to host 127.0.0.1 port 2222: Connection refused
    
    I have made sure that IPtables/firewall rules are all turned off but still getting connection refused. Any help would be much appreciated.


    __EDIT__

    After rebooting the HOST this worked. Is there a way to make this redirect happen without rebooting the host machine?
     
    #9 Influx, Oct 8, 2016
    Last edited: Oct 8, 2016
  10. mizimao


    Thanks! I want to know "Is there a way to make this redirect happen without rebooting the host machine?" too
     
  11. vmunich

    Posting this as this comes first on Google and it's linked from the Wiki: You don't need to reboot the HOST. Just stop (don't restart) the VM, then start it and the redirection should be applied.
     