Here’s an outline of the goal of my setup:
Guest VM 0(in NAT): 192.168.101.100:80 --> Host: 192.168.86.73:8080
Guest VM 1(in NAT): 192.168.101.85:8096 --> Host: 192.168.86.73:8081
Guest 1&0: 192.168.101.100:22 --> Host: 192.168.86.73:2222
I want to forward jellyfin from a vm to a host. Unfortunately, jellyfin doesn’t let me do that. Everything is alma linux.
When going to 192.168.86.73:808(0,1) in a browser, I receive unable to connect, and when I wget it, I get Connecting to 192.168.86.73:8080... failed: No route to host.
However, I can ssh into the vms from ports 2222 and 2223. This is different from my last issue where I couldn’t access any ports at all, ssh or web.
I set up a hook in /etc/libvirt/hooks/qemu according to this guide, which works for ssh but doesn’t work for Jellyfin. I know jellyfin is working, because from my host machine I can run wget 192.168.101.100 and it returns the jellyfin home. I also know nginx isn’t the issue for the same reason.
Here is my specific hook file:
#!/bin/bash
if [ "${1}" = "Jellyfin" ]; then
# Update the following variables to fit your setup
# Remember to change virbr0 to virbr1 if needed.
GUEST_IP=192.168.101.100
GUEST_PORT=22
HOST_PORT=2222
GUEST_PORT2=8096
HOST_PORT2=8081
if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
/sbin/iptables -D FORWARD -o virbr1 -p tcp -d $GUEST_IP --dport $GUEST_PORT -j ACCEPT
/sbin/iptables -t nat -D PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
/sbin/iptables -D FORWARD -o virbr1 -p tcp -d $GUEST_IP --dport $GUEST_PORT2 -j ACCEPT
/sbin/iptables -t nat -D PREROUTING -p tcp --dport $HOST_PORT2 -j DNAT --to $GUEST_IP:$GUEST_PORT2
fi
if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
/sbin/iptables -I FORWARD -o virbr1 -p tcp -d $GUEST_IP --dport $GUEST_PORT -j ACCEPT
/sbin/iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
/sbin/iptables -I FORWARD -o virbr1 -p tcp -d $GUEST_IP --dport $GUEST_PORT2 -j ACCEPT
/sbin/iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT2 -j DNAT --to $GUEST_IP:$GUEST_PORT2
fi
elif [ "${1}" = "Nginx" ]; then
# Update the following variables to fit your setup
# Remember to change virbr0 to virbr1 if needed.
GUEST_IP=192.168.101.85
GUEST_PORT=22
HOST_PORT=2223
GUEST_PORT2=80
HOST_PORT2=8081
if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
/sbin/iptables -D FORWARD -o virbr1 -p tcp -d $GUEST_IP --dport $GUEST_PORT -j ACCEPT
/sbin/iptables -t nat -D PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
/sbin/iptables -D FORWARD -o virbr1 -p tcp -d $GUEST_IP --dport $GUEST_PORT2 -j ACCEPT
/sbin/iptables -t nat -D PREROUTING -p tcp --dport $HOST_PORT2 -j DNAT --to $GUEST_IP:$GUEST_PORT2
fi
if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
/sbin/iptables -I FORWARD -o virbr1 -p tcp -d $GUEST_IP --dport $GUEST_PORT -j ACCEPT
/sbin/iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
/sbin/iptables -I FORWARD -o virbr1 -p tcp -d $GUEST_IP --dport $GUEST_PORT2 -j ACCEPT
/sbin/iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT2 -j DNAT --to $GUEST_IP:$GUEST_PORT2
fi
fi
Here is the result of iptables -nvL:
Chain INPUT (policy ACCEPT 82683 packets, 6162K bytes)
pkts bytes target prot opt in out source destination
82710 6165K LIBVIRT_INP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
16 960 ACCEPT tcp -- * virbr1 0.0.0.0/0 192.168.101.100 tcp dpt:8096
153 13152 ACCEPT tcp -- * virbr1 0.0.0.0/0 192.168.101.100 tcp dpt:22
569 219K DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
569 219K DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
44 32161 ACCEPT all -- * br-8ac694360d19 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * br-8ac694360d19 0.0.0.0/0 0.0.0.0/0
45 4419 ACCEPT all -- br-8ac694360d19 !br-8ac694360d19 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-8ac694360d19 br-8ac694360d19 0.0.0.0/0 0.0.0.0/0
480 183K LIBVIRT_FWX all -- * * 0.0.0.0/0 0.0.0.0/0
480 183K LIBVIRT_FWI all -- * * 0.0.0.0/0 0.0.0.0/0
301 28065 LIBVIRT_FWO all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 100K packets, 12M bytes)
pkts bytes target prot opt in out source destination
100K 12M LIBVIRT_OUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !br-8ac694360d19 br-8ac694360d19 0.0.0.0/0 172.18.0.5 tcp dpt:2283
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
45 4419 DOCKER-ISOLATION-STAGE-2 all -- br-8ac694360d19 !br-8ac694360d19 0.0.0.0/0 0.0.0.0/0
569 219K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-8ac694360d19 0.0.0.0/0 0.0.0.0/0
45 4419 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
569 219K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LIBVIRT_FWI (1 references)
pkts bytes target prot opt in out source destination
179 154K ACCEPT all -- * virbr1 0.0.0.0/0 192.168.101.0/24 ctstate RELATED,ESTABLISHED
0 0 REJECT all -- * virbr1 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain LIBVIRT_FWO (1 references)
pkts bytes target prot opt in out source destination
301 28065 ACCEPT all -- virbr1 * 192.168.101.0/24 0.0.0.0/0
0 0 REJECT all -- virbr1 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain LIBVIRT_FWX (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- virbr1 virbr1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
Chain LIBVIRT_INP (1 references)
pkts bytes target prot opt in out source destination
24 2082 ACCEPT udp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
3 966 ACCEPT udp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
Chain LIBVIRT_OUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * virbr1 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * virbr1 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
3 987 ACCEPT udp -- * virbr1 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ACCEPT tcp -- * virbr1 0.0.0.0/0 0.0.0.0/0 tcp dpt:68
0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * virbr0 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ACCEPT tcp -- * virbr0 0.0.0.0/0 0.0.0.0/0 tcp dpt:68
and iptables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-N LIBVIRT_FWI
-N LIBVIRT_FWO
-N LIBVIRT_FWX
-N LIBVIRT_INP
-N LIBVIRT_OUT
-A INPUT -j LIBVIRT_INP
-A FORWARD -d 192.168.101.100/32 -o virbr1 -p tcp -m tcp --dport 8096 -j ACCEPT
-A FORWARD -d 192.168.101.100/32 -o virbr1 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-8ac694360d19 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-8ac694360d19 -j DOCKER
-A FORWARD -i br-8ac694360d19 ! -o br-8ac694360d19 -j ACCEPT
-A FORWARD -i br-8ac694360d19 -o br-8ac694360d19 -j ACCEPT
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A DOCKER -d 172.18.0.5/32 ! -i br-8ac694360d19 -o br-8ac694360d19 -p tcp -m tcp --dport 2283 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-8ac694360d19 ! -o br-8ac694360d19 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-8ac694360d19 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A LIBVIRT_FWI -d 192.168.101.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.101.0/24 -i virbr1 -j ACCEPT
-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
Keep in mind I have docker running so some rules may not be relevant.
sysctl net.ipv4.ip_forward returns net.ipv4.ip_forward = 1
I’ve set the firewall backend of libvirt to iptables in /etc/libvirt/network.conf:
firewall_backend = "iptables"
Trying to solve this issue originally, I switched from Rocky to Fedora, but on my rocky and alma install this worked fine both times.
Thank you so much for the continued support with my issues!
This is nearly impossible to decipher, but your problem is in the networking. You have two VMs with the same IPs, so fix that. You say “NAT”, but I assume you’re meaning a bridged network maybe? If you actually mean a NAT’d network, you’re going above and beyond to really make this more difficult. I’d switch to something a bit more accessible.
Sorry! The ip was wrong, the nginx vm is 192.168.101.85. edited
Well then your forwarding hook is broken and won’t work for the second VM.
Just switch the networking type and make it easier on yourself. It seems you’re following a guide or tutorial, and you’re not familiar with what it’s asking you to do.
Why are you even running these as VMs to begin with? I don’t see that mentioned.
Well then your forwarding hook is broken and won’t work for the second VM.
Because of the lack of clarity, I assume you meant something was wrong with the elif statement, so I ditched that.
/sbin/iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT2 -j DNAT --to $GUEST_IP:$GUEST_PORT2 fi fi if [ "${1}" = "Nginx" ]; thenMy goal is to isolate Jellyfin and nginx from my seeing network. I’m not following any guide that wasn’t linked in the post.
I want the VM so my system is more modular and secure.
Have you considered macvtap? if you can work around the limitation of not accessing the guest directly from the host it will likely be an easier choice for setting up access to your jellyfinserver.
You did explain what they are trying to do but didn’t explain why, which could help with suggestions on how to achieve what you are looking for in your setup.
macvtap
This looks like some type of bridge mode, which I don’t want. I want the vm to be isolated except for the jellyfin ports that are forwarded. I think nat mode and forwarding is the best if not only way to achieve this.