I'm trying to set up iptables instead of ufw on Debian 10. I basically need to forward 5 external ports to a kvm/qemu instance (22, 80, 443, 8448, 3478). The host occupies 192.168.1.170 on the local network; the guest connects via the virbr0 (virtio) adapter, and its IP is 192.168.122.182 (with gateway 192.168.122.1).
Here is the default firewall setup for the host:
Code:
*filter
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allows Federation port for Synapse.
-A INPUT -p tcp --dport 8448 -j ACCEPT
# Allows coturn service.
-A INPUT -p tcp --dport 3478 -j ACCEPT
# Allows SSH connections
# The --dport number is the same as in /etc/ssh/sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Now you should read up on iptables rules and consider whether ssh access
# for everyone is really desired. Most likely you will only allow access from certain IPs.
# Allow ping
# note that blocking other types of icmp packets is considered a bad idea by some
# remove -m icmp --icmp-type 8 from this line to allow all kinds of icmp:
# https://security.stackexchange.com/questions/22711
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# enable logging generally
#-A INPUT -j LOG
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
Here is the guide for forwarding just port 22 to a kvm instance using 'hooks' on the host OS: https://wiki.libvirt.org/page/Networkin ... onnections
I've modified it like so; I'm also curious whether this looks alright:
Code:
#!/bin/bash
# Installed as /etc/libvirt/hooks/qemu; libvirt calls it as
# "qemu <vm name> <operation> <sub-operation> -", so $1 is the VM and $2 the operation.
# IMPORTANT: Change the "VM NAME" string to match your actual VM name.
# In order to create rules for other VMs, just duplicate the block below and configure
# it accordingly.
if [ "${1}" = "kvm1-website.org" ]; then
    # Update the following variables to fit your setup
    GUEST_IP=192.168.122.182
    GUEST_PORT1=22
    HOST_PORT1=22
    GUEST_PORT2=80
    HOST_PORT2=80
    GUEST_PORT3=443
    HOST_PORT3=443
    GUEST_PORT4=8448
    HOST_PORT4=8448
    GUEST_PORT5=3478
    HOST_PORT5=3478
    if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
        # Remove exactly the rules added on start, so repeated start/stop cycles
        # do not leave duplicates behind
        /sbin/iptables -D FORWARD -o virbr0 -d "$GUEST_IP" -j ACCEPT
        /sbin/iptables -t nat -D PREROUTING -p tcp --dport "$HOST_PORT1" -j DNAT --to "$GUEST_IP:$GUEST_PORT1"
        /sbin/iptables -t nat -D PREROUTING -p tcp --dport "$HOST_PORT2" -j DNAT --to "$GUEST_IP:$GUEST_PORT2"
        /sbin/iptables -t nat -D PREROUTING -p tcp --dport "$HOST_PORT3" -j DNAT --to "$GUEST_IP:$GUEST_PORT3"
        /sbin/iptables -t nat -D PREROUTING -p tcp --dport "$HOST_PORT4" -j DNAT --to "$GUEST_IP:$GUEST_PORT4"
        /sbin/iptables -t nat -D PREROUTING -p tcp --dport "$HOST_PORT5" -j DNAT --to "$GUEST_IP:$GUEST_PORT5"
    fi
    if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
        # -I puts the ACCEPT ahead of the "-A FORWARD -j REJECT" in the host ruleset.
        # Note that this accepts forwarded traffic to the guest on every port, not only
        # the five that are DNATed below; the guest's return traffic is handled by
        # libvirt's own FORWARD rules for the virbr0 network.
        /sbin/iptables -I FORWARD -o virbr0 -d "$GUEST_IP" -j ACCEPT
        # Rewrite the destination of new inbound connections on each host port to the guest
        /sbin/iptables -t nat -I PREROUTING -p tcp --dport "$HOST_PORT1" -j DNAT --to "$GUEST_IP:$GUEST_PORT1"
        /sbin/iptables -t nat -I PREROUTING -p tcp --dport "$HOST_PORT2" -j DNAT --to "$GUEST_IP:$GUEST_PORT2"
        /sbin/iptables -t nat -I PREROUTING -p tcp --dport "$HOST_PORT3" -j DNAT --to "$GUEST_IP:$GUEST_PORT3"
        /sbin/iptables -t nat -I PREROUTING -p tcp --dport "$HOST_PORT4" -j DNAT --to "$GUEST_IP:$GUEST_PORT4"
        /sbin/iptables -t nat -I PREROUTING -p tcp --dport "$HOST_PORT5" -j DNAT --to "$GUEST_IP:$GUEST_PORT5"
    fi
fi
Edit: macvtap with passthrough > virtio and a VLAN, at least for this humble application (home server)
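An added example, not the post's hook or the libvirt wiki script: the same five forwards built from one port list, with the FORWARD ACCEPT narrowed to the forwarded TCP ports and the DNAT skipped for packets arriving on virbr0 (so the guest talking to the host's own ports is not redirected back to itself). VM name, guest IP, bridge and ports are the ones from the post; the DRY_RUN switch, which prints the commands for review before the script is installed as /etc/libvirt/hooks/qemu, is an assumption of this example.

```shell
#!/bin/sh
# Added example, not the libvirt wiki hook: one port list drives both the
# add and the delete side, so the two cannot drift apart.
# Values below are the ones from the post; adjust for another host.
IPT=/sbin/iptables
VM_NAME="kvm1-website.org"
GUEST_IP=192.168.122.182
BRIDGE=virbr0
PORTS="22 80 443 8448 3478"   # host port and guest port are identical here

# build_rules add|del : print one iptables command per line (-I or -D).
build_rules() {
    case "$1" in
        add) flag=-I ;;
        del) flag=-D ;;
        *) echo "usage: build_rules add|del" >&2; return 1 ;;
    esac
    dports=$(printf '%s' "$PORTS" | tr ' ' ',')
    # FORWARD: accept only the forwarded TCP ports towards the guest, not every port.
    # The guest's return traffic is covered by libvirt's own FORWARD rules for $BRIDGE.
    echo "$IPT $flag FORWARD -o $BRIDGE -d $GUEST_IP -p tcp -m multiport --dports $dports -j ACCEPT"
    for p in $PORTS; do
        # "! -i $BRIDGE": packets the guest sends to the host's own ports are left alone
        echo "$IPT -t nat $flag PREROUTING ! -i $BRIDGE -p tcp --dport $p -j DNAT --to-destination $GUEST_IP:$p"
    done
}

# apply_rules add|del : execute the generated commands (needs root).
apply_rules() {
    build_rules "$1" | while IFS= read -r cmd; do
        $cmd || echo "failed: $cmd" >&2
    done
}

# Hook entry point: libvirt invokes "qemu <vm name> <operation> <sub-operation> -".
# Run with DRY_RUN=1 to print the commands instead of applying them.
if [ "${1}" = "$VM_NAME" ]; then
    case "${2}" in
        stopped)   ops="del" ;;
        start)     ops="add" ;;
        reconnect) ops="del add" ;;
        *)         ops="" ;;
    esac
    for op in $ops; do
        if [ "${DRY_RUN:-0}" = "1" ]; then build_rules "$op"; else apply_rules "$op"; fi
    done
fi
```

`DRY_RUN=1 ./qemu kvm1-website.org start` lists the six commands that would be applied; compare them against `iptables-save` after a real start to confirm the ACCEPT landed ahead of the FORWARD REJECT.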