Answer the question
In order to leave comments, you need to log in
V
V
VA2016-04-05 15:13:30
VA, 2016-04-05 15:13:30
Port range not working, iptables, FORWARD?
Hi all!
I've been struggling with a problem for several days already (maybe not at all, this is not a problem for many)
There is CentOS 6.7 with a dedicated IP, let's say 7.7.7.7 (Prov Hetzner).
This system is running a virtual machine (qemu, libvirt) Windows Server 2012 R2.
интерфейс виртуалки: virbr0
интерфейс внешки: eth0
IP-адрес WS2012R2: 192.168.122.253Problem: I can't forward the range of ports (6601-6615) for tcp and udp to a virtual machine.
These ports are used by a cloud service (webserver, ftp, cms, etc.).
I check through the service, only 6603 works (config below).
Checked with zyxel. ru /openport/
Firewall on Windows is disabled
In general, forwarding of 80, 3389 ports was initially needed, everything is ok with them.
Like this
iptables -t nat -A PREROUTING --dst 7.7.7.7 -p tcp --dport 80 -j DNAT --to-destination 192.168.122.253
iptables -I FORWARD 1 -i eth0 -o virbr0 -d 192.168.122.253 -p tcp -m tcp --dport 80 -j ACCEPTfrom 3389 I did it through a script, put it in the hooks folder
after I did:
chmod +x /etc/libvirt/hooks/qemu
service libvirtd restartThe script itself, the external port for RDP made 8888 and 8889
#!/bin/bash
Guest_name=wsvm
Guest_ipaddr=192.168.122.253
Host_ipaddr=7.7.7.7
Host_port=( '8888' '8889' )
Guest_port=( '3389' '3389' )
length=$(( ${#Host_port[@]} - 1 ))
if [ "${1}" = "${Guest_name}" ]; then
if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
for i in `seq 0 $length`; do
iptables -t nat -D PREROUTING -d ${Host_ipaddr} -p tcp --dport ${Host_port[$i]} -j DNAT --to ${Guest_ipaddr}:${Guest_port[$i]}
iptables -D FORWARD -d ${Guest_ipaddr}/32 -p tcp -m state --state NEW -m tcp --dport ${Guest_port[$i]} -j ACCEPT
done
fi
if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
for i in `seq 0 $length`; do
iptables -t nat -A PREROUTING -d ${Host_ipaddr} -p tcp --dport ${Host_port[$i]} -j DNAT --to ${Guest_ipaddr}:${Guest_port[$i]}
iptables -I FORWARD -d ${Guest_ipaddr}/32 -p tcp -m state --state NEW -m tcp --dport ${Guest_port[$i]} -j ACCEPT
done
fi
fiHere is iptables -nvL
Chain INPUT (policy ACCEPT 687 packets, 85560 bytes)
pkts bytes target prot opt in out source destination
114 7940 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
2 686 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
418 37969 ACCEPT tcp -- eth0 virbr0 0.0.0.0/0 192.168.122.253 tcp dpts:6601:6615
695 215K ACCEPT tcp -- eth0 virbr0 0.0.0.0/0 192.168.122.253 tcp dpt:80
0 0 ACCEPT udp -- eth0 virbr0 0.0.0.0/0 192.168.122.253 udp dpts:6601:6615
2 104 ACCEPT tcp -- * * 0.0.0.0/0 192.168.122.253 state NEW tcp dpt:3389
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.122.253 state NEW tcp dpt:3389
6762 8980K ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 state RELATED,ESTABLISHED
8401 1861K ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
137 7660 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT tcp -- eth0 virbr0 0.0.0.0/0 192.168.122.253 tcp dpt:23
25 8050 ACCEPT tcp -- eth0 virbr0 0.0.0.0/0 192.168.122.253 tcp dpt:80
13 756 ACCEPT tcp -- eth0 virbr0 0.0.0.0/0 192.168.122.253 tcp dpts:6601:6612
0 0 ACCEPT tcp -- eth0 virbr0 0.0.0.0/0 192.168.122.253 tcp dpts:6601:6618
0 0 ACCEPT tcp -- eth0 virbr0 0.0.0.0/0 192.168.122.253 tcp dpt:80Here is iptables -L -t nat --line-numbers
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DNAT tcp -- anywhere CentOS-67-64-minimal tcp dpt:http to:192.168.122.253
2 DNAT udp -- anywhere CentOS-67-64-minimal udp dpts:6601:6615 to:192.168.122.253
3 DNAT tcp -- anywhere CentOS-67-64-minimal tcp dpts:mstmg-sstp:6615 to:192.168.122.253
4 DNAT udp -- anywhere CentOS-67-64-minimal udp dpt:6602 to:192.168.122.253
5 DNAT tcp -- anywhere CentOS-67-64-minimal tcp dpt:6602 to:192.168.122.253
6 DNAT tcp -- anywhere CentOS-67-64-minimal tcp dpt:telnet to:192.168.122.253
7 DNAT tcp -- anywhere CentOS-67-64-minimal tcp dpt:ddi-tcp-1 to:192.168.122.253:3389
8 DNAT tcp -- anywhere CentOS-67-64-minimal tcp dpt:ddi-tcp-2 to:192.168.122.253:3389
9 DNAT tcp -- anywhere CentOS-67-64-minimal tcp dpt:http to:192.168.122.253
10 DNAT udp -- anywhere CentOS-67-64-minimal udp dpts:6601:6615 to:192.168.122.253
11 DNAT tcp -- anywhere CentOS-67-64-minimal tcp dpts:mstmg-sstp:6615 to:192.168.122.253
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
2 MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
3 MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Similar questions
V
Valery Ivanov2014-11-30 16:35:49
Is it possible to implement port forwarding with two servers?
2Reply
A
Anton Piskunov2014-12-05 05:44:27
How to forward traffic to the server in the internal network?
1Reply
U
S
S
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question