Estou usando o KVM no Debian wheezy. Eu quero ligar para o convidado usando ssh com o comando ssh 1.2.3.4 -p 10122 . O que eu faço é:
root@host$ iptables -t nat -A PREROUTING -p TCP --dport 10122 -j DNAT --to-destination 192.168.122.208:22
O resultado do iptables-save:
# Generated by iptables-save v1.4.14 on Sat Nov 16 01:03:28 2013
*nat
:PREROUTING ACCEPT [64:9345]
:INPUT ACCEPT [64:9345]
:OUTPUT ACCEPT [112:7287]
:POSTROUTING ACCEPT [112:7287]
-A PREROUTING -p tcp -m tcp --dport 10122 -j DNAT --to-destination 192.168.122.208:22
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Sat Nov 16 01:03:28 2013
# Generated by iptables-save v1.4.14 on Sat Nov 16 01:03:28 2013
*mangle
:PREROUTING ACCEPT [16331:11525510]
:INPUT ACCEPT [16327:11525270]
:FORWARD ACCEPT [4:240]
:OUTPUT ACCEPT [15827:1491721]
:POSTROUTING ACCEPT [15827:1491721]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sat Nov 16 01:03:28 2013
# Generated by iptables-save v1.4.14 on Sat Nov 16 01:03:28 2013
*filter
:INPUT ACCEPT [7865:6008003]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7723:676522]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.122.208/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Sat Nov 16 01:03:28 2013
Mas isso não funciona:
me@dauphine:~ $ ssh [email protected] -v
OpenSSH_6.2p2 Ubuntu-6ubuntu0.1, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /home/me/.ssh/config
debug1: /home/me/.ssh/config line 1: Applying options for *
debug1: /home/me/.ssh/config line 61: Applying options for flora.vm01
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to flora.me.net [1.2.3.4] port 10122.
debug1: connect to address 1.2.3.4 port 10122: Connection refused
ssh: connect to host flora.me.net port 10122: Connection refused
Encontrou a resposta aqui link . Mais uma regra:
iptables -I FORWARD -m state -d 10.0.0.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT
A configuração NAT do KVM padrão fornece uma regra semelhante a essa, mas omite o estado NEW, que é essencial para aceitar conexões de entrada.