Discussion:
[Qemu-discuss] iptables rules for nested guest tunnelling?
Jason Vas Dias
2018-10-20 16:33:30 UTC
Permalink
Hi -

I am trying to find the best set of rules to use 'tun'
networking with qemu-system-$CPU - ie. I am using :

$ qemu-system-$CPU ... -net tun -net nic

And I have an /etc/qemu-ifup script installed (attached),
which I found online, and modified only the
'# Network Information:' section of.

I use the iptables set up, where $IP_EXT is the EXTERNAL
IP address configured on the 'eth0' interface by HOST
DHCP, and I have configured the GUEST nic IP manually
(statically) to be 192.168.64.2/24 :

$ iptables -t nat -A PREROUTING -i eth0 -d $IP_EXT -j DNAT --to-destination 192.168.64.2
$ iptables -t nat -A POSTROUTING -o eth0 -s 192.168.64.2 -j SNAT --to-source $IP_EXT
$ iptables -I FORWARD -m state -d 192.168.64.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT

$ echo 1 > /proc/sys/net/ipv4/ip_forward

My problem here is that I then lose the ability to access ports on the HOST's
$IP_EXT from the external internet (all incoming packets are diverted
to the guest) and I am asking for advice as to precisely why ; ie. I know
what happens, the rules forward incoming SSH requests to the guest,
which might not be listening or running eg. sshd, but I thought this should
not happen, because I thought:
iptables -I FORWARD -m state -d 192.168.64.0/24 \
--state NEW,RELATED,ESTABLISHED -j ACCEPT
would only make replies to sockets which originate on the guest
be translated into requests to the guest address; but what is
happening is that unsolicited incoming requests which bear no
relation to an existing guest socket get translated into requests
to the guest - this is not what I want - I just want the guest
to be able to make OUTGOING requests to eg. named (port 63) and
HTTP (port 80), and have INCOMING REPLIES (only) to those requests
translated into guest address packets.

Please can anyone advise how to achieve this ?

I'd like to be able to just use the tunnel interface,
which is created OK, and NAT rules, like those above,
to transfer packets from guest to outside world so that
it gets replies,
but still have all incoming requests that are not responses
to guest packets not be redirected to guest.

I can run guests on my Cloud hosts which have internet access,
but then I don't want to lose SSH access to them :-)

Any advice gratefully received,

Thanks & Best regards,

Jason Vas Dias

Here is the /etc/qemu-ifup file:
Jason Vas Dias
2018-10-20 17:06:30 UTC
Permalink
Aha!
I see now the script is creating the correct rules, and I don't
need to add any extra ones - they were the problem - sorry!
Answer: just use the rules in the script.
Thanks, all the best,
Jason
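The thread closes by pointing at the qemu-ifup script, which is not attached here, rather than spelling out the rules. As an added example (not the script from the thread and not the poster's own rules), the following ruleset does what the first post asks for: the guest can open outbound connections, only the replies to those connections are forwarded back to it, there is no DNAT at all, so the host's own listening ports (sshd and friends) stay reachable from outside. The interface names eth0 and tap0, the guest network 192.168.64.0/24 and the EXT_IF/TAP_IF/GUEST_NET/APPLY variables are assumptions for illustration. MASQUERADE is substituted for the poster's SNAT because $IP_EXT is assigned by DHCP and may change.

```shell
#!/bin/sh
# Added example: outbound-only NAT for a QEMU tap guest.
# Not the qemu-ifup script from the thread. Assumptions: the host's external
# interface is eth0, the guest's tap device is tap0, the guest network is
# 192.168.64.0/24 (host side 192.168.64.1, guest 192.168.64.2).
# By default the rules are printed; APPLY=1 (as root) installs them.

EXT_IF="${EXT_IF:-eth0}"
TAP_IF="${TAP_IF:-tap0}"
GUEST_NET="${GUEST_NET:-192.168.64.0/24}"

# Emit the ruleset, one iptables command per line.
nat_rules() {
    # Source-NAT guest packets leaving eth0 to whatever address eth0 holds.
    # conntrack reverses this for the replies automatically, so no inbound
    # DNAT rule is needed (and none is emitted).
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $GUEST_NET -j MASQUERADE"
    # Guest -> outside: new connections allowed.
    echo "iptables -A FORWARD -i $TAP_IF -o $EXT_IF -s $GUEST_NET -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    # Outside -> guest: only packets belonging to a connection the guest opened.
    echo "iptables -A FORWARD -i $EXT_IF -o $TAP_IF -d $GUEST_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Anything else headed for the guest is dropped. Unsolicited traffic to the
    # host's external address is never rewritten, so it reaches the host's
    # INPUT chain as before.
    echo "iptables -A FORWARD -o $TAP_IF -j DROP"
}

# Install the rules and enable forwarding (requires root and iptables).
apply_rules() {
    nat_rules | while IFS= read -r cmd; do
        $cmd || exit 1
    done || return 1
    sysctl -w net.ipv4.ip_forward=1
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_rules
else
    nat_rules
fi
```

Why the poster's rules diverted everything: the nat PREROUTING chain runs before the filter FORWARD chain, so the DNAT rule had already rewritten every packet addressed to $IP_EXT before the FORWARD rule saw it, and conntrack then classified the rewritten SYN as NEW, which that FORWARD rule accepted. A state match on FORWARD never restricts what DNAT does; the only way to keep unsolicited traffic away from the guest is to have no DNAT rule and to accept only ESTABLISHED,RELATED in the inbound direction, as above. If you do later want one guest service exposed, add a DNAT rule restricted to that port (e.g. `--dport`) rather than a catch-all.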