روش اول با استفاده از hooks
nano /etc/libvirt/hooks/qemu
کد زیر را اضافه می کنیم:
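#!/bin/bash
# libvirt qemu hook (saved as /etc/libvirt/hooks/qemu): inserts or deletes
# iptables port-forwarding rules for a single guest.
#   $1 - guest name; nothing is done unless it equals Guest_name
#   $2 - operation: "start" inserts the rules, "stopped" deletes them,
#        "reconnect" deletes and then re-inserts them
#
# The listing this is based on echoed a placeholder message on every call;
# it is dropped so the hook writes nothing to stdout.
# NOTE(review): libvirt is understood to consume hook stdout for some
# operations (e.g. migrate) - confirm against the libvirt hooks documentation.

Guest_name="debian_server"
Host_port=80
Guest_ipaddr=192.168.122.3

# Guest ports to forward to. Bash array elements are separated by
# whitespace only: with commas each element would carry the comma ("80,")
# and iptables would reject the --dport value. Shell comments start with
# '#', not '//'.
Guest_ports=(80 110 25 587 995 993)

# Optional host address the forward applies to. When empty, the PREROUTING
# rule has no -d match and rewrites every TCP packet to Host_port that
# crosses this host, including guests' own outbound connections to that
# port. Setting it to the host's public address limits the rule to traffic
# addressed to the host.
Host_ipaddr=""

# NOTE(review): every DNAT rule below matches the same Host_port, so only
# the first matching rule in the chain can take effect; the remaining guest
# ports are unreachable through it. Forwarding several ports one-to-one
# needs one host port per guest port (parallel host/guest port lists).

#######################################
# Runs the three iptables commands for every entry of Guest_ports.
# Globals:   Host_port, Host_ipaddr, Guest_ipaddr, Guest_ports (read)
# Arguments: $1 - iptables action flag: -I to insert, -D to delete
#######################################
apply_forward_rules() {
  local action=$1
  local guest_port
  local -a dest_match=()

  if [[ -n "$Host_ipaddr" ]]; then
    dest_match=(-d "$Host_ipaddr")
  fi

  for guest_port in "${Guest_ports[@]}"; do
    # Rewrite the destination of connections arriving on Host_port.
    iptables -t nat "$action" PREROUTING "${dest_match[@]}" -p tcp --dport "$Host_port" \
      -j DNAT --to-destination "$Guest_ipaddr:$guest_port"
    # Let the rewritten connections through the FORWARD chain. This accepts
    # the guest port from any source address and interface.
    iptables "$action" FORWARD -d "$Guest_ipaddr/32" -p tcp \
      -m state --state NEW,RELATED,ESTABLISHED \
      -m tcp --dport "$guest_port" -j ACCEPT
    # Same DNAT for locally generated connections leaving through lo.
    iptables -t nat "$action" OUTPUT -p tcp -o lo --dport "$Host_port" \
      -j DNAT --to-destination "$Guest_ipaddr:$guest_port"
  done
}

# "${1:-}" keeps the comparison well-formed when the hook is called
# without arguments.
if [[ "${1:-}" == "$Guest_name" ]]; then
  case "${2:-}" in
    stopped)
      apply_forward_rules -D
      ;;
    start)
      apply_forward_rules -I
      ;;
    reconnect)
      # Delete first so a reconnect does not stack duplicate rules.
      apply_forward_rules -D
      apply_forward_rules -I
      ;;
  esac
fi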
روش دوم
با استفاده از iptables
#guest ip : 192.168.122.3
#host_ip : 1.2.3.4
# Rules in iptables-save format: a nat table holding one DNAT rule and a
# filter table for the host (INPUT) and for routed traffic (FORWARD).
# Generated by iptables-save v1.4.7 on Mon Nov 5 03:31:27 2007
*nat
:PREROUTING ACCEPT [4:474]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# TCP connections addressed to the host (1.2.3.4) on port 80 are rewritten
# to the guest at 192.168.122.3:80. The -d match keeps the rule from
# touching port-80 traffic addressed elsewhere.
-A PREROUTING -d 1.2.3.4/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.122.3:80
COMMIT
# Completed on Mon Nov 5 03:31:27 2007
# Generated by iptables-save v1.4.7 on Mon Nov 5 03:31:27 2007
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5:916]
# INPUT (traffic to the host itself): packets of established/related
# connections, ICMP, loopback and new SSH connections (tcp/22) are accepted;
# the final rule rejects everything else, so the ACCEPT policy is never reached.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# FORWARD (routed traffic): accepts new and established traffic to any
# address in 192.168.122.0/24 on any protocol and port. That is wider than
# the single tcp/80 forward in the nat table above.
# NOTE(review): consider narrowing this rule to the forwarded service,
# e.g. -d 192.168.122.3/32 -p tcp -m tcp --dport 80.
# NOTE(review): no rule in this file matches packets coming from
# 192.168.122.0/24, so guest replies would reach the REJECT below unless
# other rules accept them - presumably the FORWARD rules libvirt adds for
# its own network; confirm on the target host.
-A FORWARD -d 192.168.122.0/24 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Nov 5 03:31:27 2007
روش سوم
استفاده از تنظیمات خود libvirt
نمونه کد اول:
After reading a dozen or so of articles explaining how to configure iptables for allowing external access through SSH to a KVM guest, it turns out that you can enable such redirection by editing the domain XML[1]: virsh edit my-domain-name
Modify the first line to use the XML namespace for the QEMU command line elements: <domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
Then add the port redirection:<qemu:commandline>
<qemu:arg value="-redir"/>
<qemu:arg value="tcp:2222::22"/>
</qemu:commandline>
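Finally, restart the domain. It worked like a charm. Note that -redir applies only to QEMU user-mode networking and has been removed from newer QEMU releases, where the hostfwd option of -netdev user replaces it; the redirected port (2222 here) is opened on the host, so it should be covered by the host's firewall policy.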
نمونه کد دوم :
به جای مقادیر
guest_name=نام vm
guest_ipaddr= آی پی vm
host_port= پورت ها که می خواهید فوروارد شوند به ترتیب
guest_port = پورت هایی که می خواهند فوروارد شوند به ترتیب در مقابل لیست بالا
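#!/bin/bash
# libvirt qemu hook forwarding several host ports to one guest, one host
# port per guest port. The shebang is bash rather than sh because arrays
# are a bash feature; a POSIX /bin/sh such as dash cannot parse them.
#   $1 - guest name; nothing is done unless it equals Guest_name
#   $2 - operation: "start" adds the rules, "stopped" deletes them,
#        "reconnect" deletes and then re-adds them
#
# GNAME, IP, HP1/HP2 and GP1/GP2 are placeholders to replace. Host_port[i]
# is forwarded to Guest_port[i], so both lists need the same length.
Guest_name=GNAME
Guest_ipaddr=IP
Host_port=( 'HP1' 'HP2' )
Guest_port=( 'GP1' 'GP2' )

#######################################
# Runs the DNAT and FORWARD iptables commands for every host/guest port pair.
# Globals:   Host_port, Guest_port, Guest_ipaddr (read)
# Arguments: $1 - action flag for the nat PREROUTING rule (-A or -D)
#            $2 - action flag for the filter FORWARD rule (-I or -D)
#######################################
forward_rules() {
  local nat_action=$1
  local filter_action=$2
  local i

  for i in "${!Host_port[@]}"; do
    # The PREROUTING rule has no -d match, so it rewrites every TCP packet
    # to this port that crosses the host, not only packets addressed to it.
    iptables -t nat "$nat_action" PREROUTING -p tcp --dport "${Host_port[$i]}" \
      -j DNAT --to-destination "${Guest_ipaddr}:${Guest_port[$i]}"
    # Only NEW connections are accepted here; later packets of a connection
    # have to be accepted by rules outside this script.
    iptables "$filter_action" FORWARD -d "${Guest_ipaddr}/32" -p tcp -m state --state NEW \
      -m tcp --dport "${Guest_port[$i]}" -j ACCEPT
  done
}

if [[ "${1:-}" == "$Guest_name" ]]; then
  # A shorter Guest_port list would produce rules with an empty target port.
  if (( ${#Host_port[@]} != ${#Guest_port[@]} )); then
    printf '%s: Host_port and Guest_port must have the same number of entries\n' \
      "${0##*/}" >&2
    exit 1
  fi

  case "${2:-}" in
    stopped)
      forward_rules -D -D
      ;;
    start)
      forward_rules -A -I
      ;;
    reconnect)
      # Delete first so a reconnect does not stack duplicate rules.
      forward_rules -D -D
      forward_rules -A -I
      ;;
  esac
fi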