Gentoo Forums
Networking & Security
portforwarding to kvm vm
Elleni (Veteran; joined 23 May 2006; 1073 posts)
Posted: Thu Jan 16, 2020 8:12 pm    Post subject: portforwarding to kvm vm

I have found the following hook script that can be used to forward external access to a kvm vm.
Code:
#!/bin/bash

# libvirt qemu hook: libvirt calls it with the guest name as $1 and the
# operation (e.g. start, stopped, reconnect) as $2.
# IMPORTANT: Change the "VM NAME" string to match your actual VM Name.
# In order to create rules to other VMs, just duplicate the below block and configure
# it accordingly.
if [ "${1}" = "vm_name" ]; then

   # Update the following variables to fit your setup
   GUEST_IP=192.168.57.89
   GUEST_PORT=9090
   HOST_PORT=9099

   if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
        /sbin/iptables -D FORWARD -o virbr0 -d  $GUEST_IP -j ACCEPT
        /sbin/iptables -t nat -D PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
   fi
   if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
        /sbin/iptables -I FORWARD -o virbr0 -d  $GUEST_IP -j ACCEPT
        /sbin/iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
   fi
fi

Only certificate-based ssh access to the kvm host is allowed, so I use
ssh user@hostip -L 9090:hostip:9090
to access the host's admin management site via https://localhost:9090.
This works fine:
debug1: Connection to port 9090 forwarding to hostip port 9090 requested.
debug1: channel 2: new [direct-tcpip]

What I'd like to accomplish is to create another tunnel
ssh user@hostip -L 9099:hostip:9099

to be able to reach https://vm_name:9090 by browsing to https://localhost:9099, but I get:
channel 2: open failed: connect failed: Connection refused
Using verbose output when ssh-ing, I see:

debug1: channel 2: free: direct-tcpip: listening port 9099 for hostip port 9099, connect from 127.0.0.1 port 44866 to 127.0.0.1 port 9099, nchannels 3

How can I fix this bold-formatted port above (44866, which changes to 44868, 44870, 44872, ... on every access try), so that I can modify $HOST_PORT in the mentioned hook script, or is there another way to accomplish my task?
Hu (Moderator; joined 06 Mar 2007; 15334 posts)
Posted: Fri Jan 17, 2020 2:15 am    Post subject: Re: portforwarding to kvm vm

Elleni wrote:
Code:
#!/bin/bash
Missing set -e. This may leave the rules in an inconsistent state if you get a failure partway through making a change.
Elleni wrote:
Code:
# IMPORTANT: Change the "VM NAME" string to match your actual VM Name.
# In order to create rules to other VMs, just duplicate the below block and configure
# it accordingly.
That may work, but is bad advice. It would be better to bind all the important logic up into a callable function so that the only parts duplicated are those that need to be different.
Elleni wrote:
What I'd like to accomplish is to create an other tunnel
ssh user@hostip -L 9099:hostip:9099
Why not just set the proper destination on the port forwarding, by using -L 9099:vm_ip:9099?
Elleni wrote:
channel 2: open failed: connect failed: Connection refused
The KVM is not listening on 9099, so you cannot connect to it there. The PREROUTING chain is not checked for locally initiated traffic, which includes an ssh port forward to localhost.
Elleni wrote:
How can I fix this bold formatted port above (which changes to 44868,44870,44872,... on every access try)
Ignore that. The client port is ephemeral, and rightly so. The varying client port has no impact on your problem.
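As an added example (it is not the script from Elleni's post, nor code from Hu), the hook below rewrites the posted script along the lines Hu suggests: set -e so a failing iptables call aborts instead of leaving half the rules in place, one function holding the rule logic so a second guest is a single extra line, and, because the nat PREROUTING chain is only traversed by packets arriving from another machine, a matching DNAT in the nat OUTPUT chain so that a connection the host itself opens to hostip:9099 (which is what sshd does for ssh -L 9099:hostip:9099) is also redirected to the guest. Hu's other suggestion, pointing the forward straight at the guest (-L 9099:vm_ip:port, with the guest port 9090 from the script), needs no nat rules at all. Assumptions: the hook is installed as /etc/libvirt/hooks/qemu and libvirt invokes it as guest-name, operation, sub-operation; the IPTABLES, BRIDGE and DRY_RUN variables are additions for checking the generated rules offline and are not part of the original script.

```shell
#!/bin/bash
# Added example, not the script from the post. libvirt runs this hook as
#   /etc/libvirt/hooks/qemu <guest name> <operation> <sub-operation>
# (assumption: the standard libvirt hook path and calling convention).
# IPTABLES, BRIDGE and DRY_RUN are additions so the rules can be printed
# and checked without touching a live firewall.
set -eu

IPTABLES=${IPTABLES:-/sbin/iptables}
BRIDGE=${BRIDGE:-virbr0}        # libvirt's default NAT bridge, as in the post
DRY_RUN=${DRY_RUN:-0}           # 1: print the rules instead of applying them

# run_ipt ARGS...: apply one iptables rule, or print it when DRY_RUN=1.
run_ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        "$IPTABLES" "$@"
    fi
}

# forward_rules ACTION GUEST_IP GUEST_PORT HOST_PORT
#   ACTION is -I (insert) or -D (delete). Adding and removing share one
#   rule list, so the two can never drift apart; with set -e the first
#   failing iptables call aborts the hook instead of leaving a half-set.
forward_rules() {
    action=$1 guest_ip=$2 guest_port=$3 host_port=$4
    # Allow forwarded traffic to the guest, but only to the service port
    # (the original script accepted every port on the guest).
    run_ipt "$action" FORWARD -o "$BRIDGE" -p tcp -d "$guest_ip" --dport "$guest_port" -j ACCEPT
    # Connections arriving from other machines traverse PREROUTING.
    run_ipt -t nat "$action" PREROUTING -p tcp --dport "$host_port" -j DNAT --to "$guest_ip:$guest_port"
    # Connections the host itself opens (sshd serving an ssh -L forward to
    # hostip:HOST_PORT, a local curl, ...) never see PREROUTING; they are
    # DNATed in the nat OUTPUT chain instead.
    run_ipt -t nat "$action" OUTPUT -p tcp --dport "$host_port" -j DNAT --to "$guest_ip:$guest_port"
}

# vm_hook OPERATION GUEST_IP GUEST_PORT HOST_PORT
#   Map libvirt operations onto add/remove. On "reconnect" (libvirtd
#   restarted under a running guest) stale rules may or may not exist, so
#   the delete is allowed to fail before the rules are re-added.
vm_hook() {
    op=$1 guest_ip=$2 guest_port=$3 host_port=$4
    case "$op" in
        start)     forward_rules -I "$guest_ip" "$guest_port" "$host_port" ;;
        stopped)   forward_rules -D "$guest_ip" "$guest_port" "$host_port" ;;
        reconnect) forward_rules -D "$guest_ip" "$guest_port" "$host_port" || true
                   forward_rules -I "$guest_ip" "$guest_port" "$host_port" ;;
        *)         ;;   # prepare, started, release, ...: nothing to do
    esac
}

# dispatch GUEST_NAME OPERATION
#   The per-VM table: one line per guest is all that needs duplicating
#   (the address and ports are the values from the posted script).
dispatch() {
    case "$1" in
        vm_name) vm_hook "$2" 192.168.57.89 9090 9099 ;;
    esac
}

# libvirt always passes at least two arguments; running the file with none
# (e.g. for tests) only defines the functions.
if [ "$#" -ge 2 ]; then
    dispatch "$1" "$2"
fi
```

Check the live result with `iptables -t nat -S` and `iptables -S FORWARD` after starting the guest. Two caveats: the DNAT rules match on destination port only, so the host port is reachable on every interface, including the guests' own bridge; adding `-i <external interface>` to the PREROUTING rule limits that. And the OUTPUT redirect works for a connection to hostip (as in the posted ssh command), not for one to 127.0.0.1, because a packet addressed to loopback keeps 127.0.0.1 as its source and is not routed out to the bridge.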