Port Forward with built in NAT and PVE Firewall

alatteri

Renowned Member
Hi

I have some VMs using the built-in NAT function. I need to open some ports from the host into the VMs. Using built in PVE Firewall I've enabled Datacenter FW with Accept/Accept rules. I have enabled Host firewall, no rules. I've enabled VM firewall and these are the rules.[OPTIONS]
enable: 1
dhcp: 0
[RULES]
IN ACCEPT -p tcp -dport 40100 -sport 40100

But it is not working.

Any suggestions, this is the last hurdle to overcome then I'm all set to replace VirtualBox with Proxmox.

Screen Shot 2015-02-27 at 3.04.41 AM.pngScreen Shot 2015-02-27 at 3.05.09 AM.pngScreen Shot 2015-02-27 at 3.05.43 AM.png
 
Last edited:
args: -redir tcp:HOSTPORT::GUESTPORT


‘hostfwd=[tcp|udp]:[hostaddr]:hostport-[guestaddr]:guestport’Redirect incoming TCP or UDP connections to the host port hostport to the guest IP address guestaddr on guest port guestport. If guestaddr is not specified, its value is x.x.x.15 (default first address given by the built-in DHCP server). By specifying hostaddr, the rule can be bound to a specific host interface. If no connection type is set, TCP is used. This option can be given multiple times.
For example, to redirect host X11 connection from screen 1 to guest screen 0, use the following:
# on the host
qemu -net user,hostfwd=tcp:127.0.0.1:6001-:6000 [...]
# this host xterm should open in the guest X11 server
xterm -display :1
To redirect telnet connections from host port 5555 to telnet port on the guest, use the following:
# on the host
qemu -net user,hostfwd=tcp:5555::23 [...]
telnet localhost 5555
Then when you use on the host telnet localhost 5555, you connect to the guest telnet server.
‘guestfwd=[tcp]:server:port-dev’Forward guest TCP connections to the IP address server on port port to the character device dev. This option can be given multiple times.
Note: Legacy stand-alone options -tftp, -bootp, -smb and -redir are still processed and applied to -net user. Mixing them with the new configuration syntax gives undefined results. Their use for new applications is discouraged as they will be removed from future versions.




[h=3]Forwarding ports to KVM clients[/h]If you create a VM under Ubuntu 11.10 using virt-manager the default is for it to use Usermode Networking. This doesn't require any setup, however the VM gets an IP address on a new subnet (10.0.2.1/24) that isn't available from the outside world - or even from the host!
You can move to bridged networking but this requires a fair amount of system configuration work. Another, less well documented, way is to use the redirect functionality built into QEMU.
The QEMU man page specifies -redir as follows:
-redir [tcp|udp]:host-port:[guest-host]:guest-port When using the user mode network stack, redirect incoming TCP or UDP connections to the host port host-port to the guest guest-host on guest port guest-port. If guest-host is not specified, its value is 10.0.2.15 (default address given by the built-in DHCP server). For example, to redirect host X11 connection from screen 1 to guest screen 0, use the following: # on the host qemu -redir tcp:6001::6000 [...] # this host xterm should open in the guest X11 server xterm -display :1 To redirect telnet connections from host port 5555 to telnet port on the guest, use the following: # on the host qemu -redir tcp:5555::23 [...] telnet localhost 5555 Then when you use on the host CWtelnet localhost 5555, you connect to the guest telnet server. To use this with a virt-manager created virtual machine you need to manually edit the VM Config (I'm using QEMU usermode to manage my VMs so I have to specify a special connection string):
virsh --connect qemu:///session edit Windows You then have to specify that this domain will use extra commands from a special namespace, so change the top attribute from:
<domain type='kvm'> to:
<domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'> Then add a some override parameters to be passed straight through to the QEMU command line. Here I'm forwarding port 1234 on the host to port 3389 on the VM (make this block immediately under the node):
<qemu:commandline> <qemu:arg value='-redir'/> <qemu:arg value='tcp:1234::3389'/> </qemu:commandline> Save these changes, exit the editor and then start up the VM. You should be able to connect to localhost:1234 and be plumbed through to port 3389 on the VM.

 
  • Like
Reactions: sdinet
I'm sorry to resurrect that, but what's the situation with qemu redirect now?

I've tried qemu -flags -options, but it seems it got replaced with qm(qemu shows no command found on bash as sudo).

I also can't find a flag or option that goes with qm that would copy what the -redir flag should do.

https://pve.proxmox.com/wiki/Manual:_qm

No mentions of ports or directs.

Also, while I managed to get one port forward done via /etc/network/interfaces post-up iptables rules, that's not really ideal as it seems I only get these new port forwarding rules applied after a reboot. sudo /etc/init.d/networking does nothing to apply to new rules in /etc/network/interfaces for me.

pve version:4.1.5 installed over deb jessie.
args: -redir tcp:HOSTPORT::GUESTPORT


‘hostfwd=[tcp|udp]:[hostaddr]:hostport-[guestaddr]:guestport’Redirect incoming TCP or UDP connections to the host port hostport to the guest IP address guestaddr on guest port guestport. If guestaddr is not specified, its value is x.x.x.15 (default first address given by the built-in DHCP server). By specifying hostaddr, the rule can be bound to a specific host interface. If no connection type is set, TCP is used. This option can be given multiple times.
For example, to redirect host X11 connection from screen 1 to guest screen 0, use the following:
# on the host
qemu -net user,hostfwd=tcp:127.0.0.1:6001-:6000 [...]
# this host xterm should open in the guest X11 server
xterm -display :1
To redirect telnet connections from host port 5555 to telnet port on the guest, use the following:
# on the host
qemu -net user,hostfwd=tcp:5555::23 [...]
telnet localhost 5555
Then when you use on the host telnet localhost 5555, you connect to the guest telnet server.
‘guestfwd=[tcp]:server:port-dev’Forward guest TCP connections to the IP address server on port port to the character device dev. This option can be given multiple times.
Note: Legacy stand-alone options -tftp, -bootp, -smb and -redir are still processed and applied to -net user. Mixing them with the new configuration syntax gives undefined results. Their use for new applications is discouraged as they will be removed from future versions.




[h=3]Forwarding ports to KVM clients[/h]If you create a VM under Ubuntu 11.10 using virt-manager the default is for it to use Usermode Networking. This doesn't require any setup, however the VM gets an IP address on a new subnet (10.0.2.1/24) that isn't available from the outside world - or even from the host!
You can move to bridged networking but this requires a fair amount of system configuration work. Another, less well documented, way is to use the redirect functionality built into QEMU.
The QEMU man page specifies -redir as follows:
-redir [tcp|udp]:host-port:[guest-host]:guest-port When using the user mode network stack, redirect incoming TCP or UDP connections to the host port host-port to the guest guest-host on guest port guest-port. If guest-host is not specified, its value is 10.0.2.15 (default address given by the built-in DHCP server). For example, to redirect host X11 connection from screen 1 to guest screen 0, use the following: # on the host qemu -redir tcp:6001::6000 [...] # this host xterm should open in the guest X11 server xterm -display :1 To redirect telnet connections from host port 5555 to telnet port on the guest, use the following: # on the host qemu -redir tcp:5555::23 [...] telnet localhost 5555 Then when you use on the host CWtelnet localhost 5555, you connect to the guest telnet server. To use this with a virt-manager created virtual machine you need to manually edit the VM Config (I'm using QEMU usermode to manage my VMs so I have to specify a special connection string):
virsh --connect qemu:///session edit Windows You then have to specify that this domain will use extra commands from a special namespace, so change the top attribute from:
<domain type='kvm'> to:
<domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'> Then add a some override parameters to be passed straight through to the QEMU command line. Here I'm forwarding port 1234 on the host to port 3389 on the VM (make this block immediately under the node):
<qemu:commandline> <qemu:arg value='-redir'/> <qemu:arg value='tcp:1234::3389'/> </qemu:commandline> Save these changes, exit the editor and then start up the VM. You should be able to connect to localhost:1234 and be plumbed through to port 3389 on the VM.
 
Actually, I've just tested that and it works fine, even though it's not really well documented, as you said.

I created my NATed VM previously and needed to access it from the host which seemed far from easy at start but that thread just saved me.

By using qm set -args <vmid> -args "--redir tcp:5555::22", I was able to add a port redirection from the host to the guest. Then I was able to connect to my VM from my host using ssh -p 5555 127.0.0.1

Hope this helps.

Best regards
 
Having a hard time getting port forwarding for NAT hosts.

Code:
root@ns3036558:~# qm set 101 -args "--redir tcp:2222::22"
update VM 101: -args --redir tcp:2222::22

But end up getting:

Code:
root@ns3036558:~# ssh -l root -p 2222 127.0.0.1
ssh: connect to host 127.0.0.1 port 2222: Connection refused

I have made sure that IPtables/firewall rules are all turned off but still getting connection refused. Any help would be much appreciated.


__EDIT__

after re-booting the HOST this worked. Is there a way to make this redirect happen without rebooting the host machine?
 
Last edited:
Having a hard time getting port forwarding for NAT hosts.

Code:
root@ns3036558:~# qm set 101 -args "--redir tcp:2222::22"
update VM 101: -args --redir tcp:2222::22

But end up getting:

Code:
root@ns3036558:~# ssh -l root -p 2222 127.0.0.1
ssh: connect to host 127.0.0.1 port 2222: Connection refused

I have made sure that IPtables/firewall rules are all turned off but still getting connection refused. Any help would be much appreciated.


__EDIT__

after re-booting the HOST this worked. Is there a way to make this redirect happen without rebooting the host machine?


Thanks! I want to know "Is there a way to make this redirect happen without rebooting the host machine?" too
 
Having a hard time getting port forwarding for NAT hosts.

Code:
root@ns3036558:~# qm set 101 -args "--redir tcp:2222::22"
update VM 101: -args --redir tcp:2222::22

But end up getting:

Code:
root@ns3036558:~# ssh -l root -p 2222 127.0.0.1
ssh: connect to host 127.0.0.1 port 2222: Connection refused

I have made sure that IPtables/firewall rules are all turned off but still getting connection refused. Any help would be much appreciated.


__EDIT__

after re-booting the HOST this worked. Is there a way to make this redirect happen without rebooting the host machine?

Posting this as this comes first on Google and it's linked from the Wiki: You don't need to reboot the HOST. Just stop (don't restart) the VM, then start it and the redirection should be applied.