Ubuntu上的KVM：将端口转发给访客虚拟机

Question

我安装了kvm并使用vmbuilder在服务器上设置了多个guest虚拟机。这里是以下配置：

server host1 (xxx.xxx.xxx.xxx) -> guest vm1 (192.168.122.203) 
           -> guest vm2 (192.168.122.204) 

其中xxx.xxx.xxx.xxx为主机1的固定IP地址。

我想连接使用下列命令VM1：

ssh username@host1 -p 2222 

我试图通过添加iptables中的以下规则来做到这一点：

sudo iptables --table nat --append PREROUTING --protocol tcp --destination xxx.xxx.xxx.xxx --destination-port 2222 --jump DNAT --to-destination 192.168.122.203:22 

但是，当我我得到了超时“M运行：

ssh username@host1 -p 2222 

这里是我的iptables规则：

sudo iptables -nL -v --line-numbers -t nat 
Chain PREROUTING (policy ACCEPT 32446 packets, 3695K bytes) 
num pkts bytes target  prot opt in  out  source    destination   
1  7 420 DNAT  tcp -- *  *  0.0.0.0/0   xxx.xxx.xxx.xxx  tcp dpt:2222 to:192.168.122.203:22 

Chain INPUT (policy ACCEPT 8961 packets, 968K bytes) 
num pkts bytes target  prot opt in  out  source    destination   

Chain OUTPUT (policy ACCEPT 350 packets, 23485 bytes) 
num pkts bytes target  prot opt in  out  source    destination   

Chain POSTROUTING (policy ACCEPT 357 packets, 23905 bytes) 
num pkts bytes target  prot opt in  out  source    destination   
1  151 9060 MASQUERADE tcp -- *  *  192.168.122.0/24 !192.168.122.0/24  masq ports: 1024-65535 
2  99 7524 MASQUERADE udp -- *  *  192.168.122.0/24 !192.168.122.0/24  masq ports: 1024-65535 
3  3 252 MASQUERADE all -- *  *  192.168.122.0/24 !192.168.122.0/24 



sudo iptables -nL -v --line-numbers 
Chain INPUT (policy ACCEPT 14 packets, 1147 bytes) 
num pkts bytes target  prot opt in  out  source    destination   
1  454 30229 ACCEPT  udp -- virbr0 *  0.0.0.0/0   0.0.0.0/0   udp dpt:53 
2  0  0 ACCEPT  tcp -- virbr0 *  0.0.0.0/0   0.0.0.0/0   tcp dpt:53 
3  0  0 ACCEPT  udp -- virbr0 *  0.0.0.0/0   0.0.0.0/0   udp dpt:67 
4  0  0 ACCEPT  tcp -- virbr0 *  0.0.0.0/0   0.0.0.0/0   tcp dpt:67 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) 
num pkts bytes target  prot opt in  out  source    destination   
1  589K 2304M ACCEPT  all -- *  virbr0 0.0.0.0/0   192.168.122.0/24  state RELATED,ESTABLISHED 
2  403K 24M ACCEPT  all -- virbr0 *  192.168.122.0/24  0.0.0.0/0   
3  0  0 ACCEPT  all -- virbr0 virbr0 0.0.0.0/0   0.0.0.0/0   
4  1 60 REJECT  all -- *  virbr0 0.0.0.0/0   0.0.0.0/0   reject-with icmp-port-unreachable 
5  0  0 REJECT  all -- virbr0 *  0.0.0.0/0   0.0.0.0/0   reject-with icmp-port-unreachable 

Chain OUTPUT (policy ACCEPT 4 packets, 480 bytes) 
num pkts bytes target  prot opt in  out  source    destination 

任何建议将不胜感激。

Answer 1

行，我发现了答案：

我加入那些2个规则到NAT表：

$sudo iptables -t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to-destination 192.168.122.203:22 
$sudo iptables -t nat -A POSTROUTING -p tcp --dport 22 -d 192.168.122.203 -j SNAT --to 192.168.122.1 

然后我删除的链FORWARD的规则4等5表滤波器的

$sudo iptables -nL -v --line-numbers -t filter 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) 
(...)   
4  7 420 REJECT  all -- *  virbr0 0.0.0.0/0   0.0.0.0/0   reject-with icmp-port-unreachable 
5  0  0 REJECT  all -- virbr0 *  0.0.0.0/0   0.0.0.0/0   reject-with icmp-port-unreachable 

$sudo iptables -D FORWARD 5 -t filter 
$sudo iptables -D FORWARD 4 -t filter 

现在我连接到VM1做：

$ssh user1@host -p 2222 
user1@vm1:~$