port forwarding using iptables on centos7

Issues related to configuring your network
rahalsam
Posts: 1
Joined: 2021/11/06 07:36:33

port forwarding using iptables on centos7

Post by rahalsam » 2021/11/06 07:39:31

Hello
I am using Centos7 on my physical server with a public address, and I have a guest machine running in a KVM environment with the private IP address 192.168.122.2. I need to install httpd in the guest machine and redirect the traffic from the public IP address to the private address 192.168.12.2. I tried:

Code:

# table name is lower-case "nat", the interface option is lower-case -i, and the port option is --dport
iptables -t nat -A PREROUTING -i em1 -p tcp --dport 80 -j DNAT --to-destination 192.168.122.2:80
where em1 is my network interface in the physical machine, but it is not working. Forwarding is activated and the command iptables -nvL returns:

Code:

Chain FORWARD (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
    7   420 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.122.2        tcp dpt:80

Chain OUTPUT (policy ACCEPT 406 packets, 59695 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0

Regards

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: port forwarding using iptables on centos7

Post by jlehtone » 2021/11/06 14:11:03

The default system in EL7 for managing firewall is firewalld.service. When it is in use, all config should go through it. Firewalld does support port forwarding.

The rules you show seem to not be from firewalld. Since you probably use iptables.service, you know what you are doing (tm)?

Red Hat has deprecated the iptables.service / ip6tables.service.

Libvirtd.service does inject some rules into netfilter when it creates virtual networks, like the "default (virbr0)". The integration of libvirtd and firewalld is so and so. (The virbr0 network is routed, with sNAT.)

The current full ruleset can be seen with:

Code:

sudo iptables -S              # filter table (the default)
sudo iptables -t nat -S       # nat table (DNAT/SNAT rules live here)
sudo iptables -t mangle -S    # mangle table
(Plain -L for iptables is not informative. The -S has, IMHO, "natural syntax", and the -vnL gives statistics.)

Note: Red Hat has backported nftables into kernel of RHEL 7.6 and provides nftables.service. Hence CentOS Linux 7 has that as an alternative for firewalld. Alas, libvirtd will use iptables as backend nevertheless. The nftables ruleset can be seen with sudo nft list ruleset.

As said, libvirtd injects rules. It can probably be configured to inject the forwarding rule when it starts the VM (and remove on VM shutdown). That way it will be in correct place relative to the other rules injected by libvirtd. I have never used those, for I bridge all my VMs.
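
One way to do what the post above describes (have the forwarding rules added when libvirt starts the VM and removed when it stops) is a libvirt hook script. This is an added example, not code from the thread or from the libvirt project; it assumes a guest domain named "web", libvirt's documented hook arguments (guest name, then operation), the thread's em1 interface and 192.168.122.2 guest address, and the default virbr0 bridge. Install it as /etc/libvirt/hooks/qemu, executable by root.

```shell
#!/bin/sh
# Hypothetical libvirt qemu hook: libvirt runs /etc/libvirt/hooks/qemu <guest> <operation> ...
# On "started" it inserts a DNAT rule plus a matching FORWARD accept; on "stopped" it
# deletes exactly the same rule specs, so nothing stays behind after the VM is gone.
set -eu

GUEST_NAME="web"            # assumed libvirt domain name (not from the thread)
EXT_IF="em1"                # external interface named in the thread
GUEST_IP="192.168.122.2"    # guest address named in the thread
BRIDGE="virbr0"             # libvirt default network bridge
PORT="80"

# Print the iptables commands, one per line, for the given action (-I insert / -D delete).
# Inserting (rather than appending) puts the FORWARD rule ahead of libvirt's own REJECT
# rules; the same spec string is used for -D so removal is exact.
rule_specs() {
    action="$1"
    # nat/PREROUTING: only packets arriving on the external interface are rewritten
    echo "iptables -t nat $action PREROUTING -i $EXT_IF -p tcp --dport $PORT -j DNAT --to-destination $GUEST_IP:$PORT"
    # filter/FORWARD: accept only this guest, this port, out through the bridge
    echo "iptables $action FORWARD -i $EXT_IF -o $BRIDGE -d $GUEST_IP -p tcp --dport $PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
}

# Decide what to do for a hook call; returns add / remove / ignore so the decision
# can be tested without touching the kernel. Only the "started" and "stopped"
# operations of the configured guest are acted on.
hook_action() {
    guest="$1"
    op="$2"
    if [ "$guest" != "$GUEST_NAME" ]; then
        echo ignore
        return 0
    fi
    case "$op" in
        started) echo add ;;
        stopped) echo remove ;;
        *)       echo ignore ;;
    esac
}

# Run the iptables commands for an action (word-split on purpose: specs contain no quoting).
apply_rules() {
    case "$1" in
        add)    rule_specs -I | while read -r cmd; do $cmd; done ;;
        remove) rule_specs -D | while read -r cmd; do $cmd; done ;;
    esac
}

# Only act when installed under the hook's name, so reviewing/sourcing the file is harmless.
case "$(basename "$0")" in
    qemu) apply_rules "$(hook_action "$1" "$2")" ;;
esac
```

Check the result after a guest start with sudo iptables -S FORWARD and sudo iptables -t nat -S PREROUTING, as suggested above; the inserted rules should appear before the libvirt-generated ones.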

Whoever
Posts: 1361
Joined: 2013/09/06 03:12:10

Re: port forwarding using iptables on centos7

Post by Whoever » 2021/11/06 17:53:38

It would be better to get a unique IP address for the guest and then configure networking using a bridge.
