Hi - I am trying to find the best set of rules to use 'tun' networking with qemu-system-$CPU, i.e. I am using:

    $ qemu-system-$CPU ... -net tun -net nic

and I have an /etc/qemu-ifup script installed (attached), which I found online and modified only the '# Network Information:' section of. I use the following iptables set-up, where $IP_EXT is the EXTERNAL IP address configured on the 'eth0' interface by HOST DHCP, and I have configured the GUEST nic IP manually (statically) to be 192.168.64.2/24:

    $ iptables -t nat -A PREROUTING -i eth0 -d $IP_EXT -j DNAT --to-destination 192.168.64.2
    $ iptables -t nat -A POSTROUTING -o eth0 -s 192.168.64.2 -j SNAT --to-source $IP_EXT
    $ iptables -I FORWARD -m state -d 192.168.64.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT
    $ echo 1 > /proc/sys/net/ipv4/ip_forward

My problem here is that I then lose the ability to access ports on the HOST's $IP_EXT from the external internet (all incoming packets are diverted to the guest), and I am asking for advice as to precisely why; i.e. I know what happens - the rules forward incoming SSH requests to the guest, which might not be listening or running e.g. sshd - but I thought this should not happen, because I thought:

    iptables -I FORWARD -m state -d 192.168.64.0/24 \
        --state NEW,RELATED,ESTABLISHED -j ACCEPT

would only make replies to sockets which originate on the guest be translated into requests to the guest address; but what is happening is that unsolicited incoming requests which bear no relation to an existing guest socket get translated into requests to the guest. This is not what I want - I just want the guest to be able to make OUTGOING requests to e.g. named (port 63) and HTTP (port 80), and have INCOMING REPLIES (only) to those requests translated into guest address packets.

Please can anyone advise how to achieve this? I'd like to be able to just use the tunnel interface, which is created OK, and NAT rules like those above to transfer packets from guest to the outside world so that it gets replies, but still have all incoming requests that are not responses to guest packets not be redirected to the guest.

I can run guests on my Cloud hosts which have internet access, but then I don't want to lose SSH access to them :-)

Any advice gratefully received,
Thanks & Best regards,
Jason Vas Dias

Here is the /etc/qemu-ifup file:
qemu-ifup
Description: /etc/qemu-ifup