Access VM from LAN

Question

On a Linux laptop, I want to give access to locally hosted VM (kvm) from LAN.

I'd like to do DNAT to VM.

Network

client  <-- LAN 192.168.3.0/24 --> host <-- bridge 192.168.113.0/24 --> guest

Host

wlp3s0: 192.168.3.221/24
br0: 192.168.113.1/24
net.ipv4.ip_forward = 1
Bridge:

# bridge -d link
16: vnet5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 100 
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on bcast_flood on mcast_router 1 mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off locked off

Routing:

default via 192.168.3.1 dev wlp3s0 proto dhcp src 192.168.3.221 metric 600 
192.168.3.0/24 dev wlp3s0 proto kernel scope link src 192.168.3.221 metric 600 
192.168.113.0/24 dev br0

Netfilter rule extract:

table inet filter {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related counter accept
    ct state invalid counter drop
    tcp dport 8080 counter log prefix "forward: " accept
  }
}

table ip nat {
  chain prerouting {
    type nat hook prerouting priority dstnat
    tcp dport 8080 counter log prefix "dnat: " dnat to 193.168.113.201:8080
  }
  chain postrouting {
    type nat hook postrouting priority srcnat
    iifname br0 oifname wlp3s0 counter masquerade
  }
}

Guest

enp1s0: 192.168.113.201/24
Routes:

default via 192.168.113.1 dev enp1s0 proto dhcp src 192.168.113.201 metric 100 
192.168.113.0/24 dev enp1s0 proto kernel scope link src 192.168.113.201 metric 100

No firewall
Service listening on 0.0.0.0:8080

Client

address: 192.168.3.2

Tests OK

Ping from host to guest (ping -c 1 192.168.113.201)
Curl from host to guest service (curl -q http://192.168.113.201:8080)
Access to internet from guest (curl -q https://serverfault.com)

Issue

Calling service from another client on LAN (curl -q http://192.168.3.221:8080) does not reach the guest.

Tcpdump on wlp3s0 interface of the host:

11:10:54.063354 IP 192.168.3.2.43278 > 192.168.3.221.8080: Flags [S], seq 2985774913, win 64240, options [mss 1460,sackOK,TS val 525180874 ecr 0,nop,wscale 7], length 0
11:10:54.063388 IP 192.168.3.2.43278 > 193.168.113.201.8080: Flags [S], seq 2985774913, win 64240, options [mss 1460,sackOK,TS val 525180874 ecr 0,nop,wscale 7], length 0

(I see "forward" and "dnat" lines in syslog when forwarding and filtering are triggered.)

I see no packet on br0 interface of the host.

Please note the second line of tcpdump. Destination is rewritten, but on the wlp3s0 interface!

I also tested with wired Ethernet instead of Wifi: exactly same behavior.

Why the packet is not routed to bridge through br0?

Any hint appreciated!

I am not familiar with 'netfilter' , I guest in the rule 'tcp dport 8080 xxx dnat yyy' we may limit the 1st '8080' on 'enp1s0 or 192.168.3.221' ? And we also have some alternatives like 'nohup socat TCP-LISTEN:8080,bind=192.168.3.221,reuseaddr,fork tcp:192.168.113.201:8080 &' :) — grizzlybears, Mar 20 '23 at 02:11
socat would be hard to maintain and scale, but I will try. It may help to troubleshoot! I don't understand the limit you suggest. — Benoit, Mar 20 '23 at 08:19
I did not test socat but `ssh -L :8080:192.168.113.201:8080 [email protected]`, which is functional workaround. — Benoit, Mar 20 '23 at 18:12
If you want to access the VM from the LAN is there any reason why you don't simply bridge it? No routing required. No firewall masquerade/DNAT/SNAT required. It just works — roaima, Mar 20 '23 at 20:09
You cannot simply bridge a wireless interface. See [here](https://unix.stackexchange.com/questions/444960/why-cant-we-easily-bridge-over-a-wireless-nic) or [here](https://unix.stackexchange.com/questions/448548/transparent-bridge-from-existing-wifi-to-ethernet). It's possible if client and AP enables "4-address" mode (not tested). Another option is to translate layer-2 addresses (ebtables or nft bridge table). I found it simpler to configure layer-3 NAT. — Benoit, Mar 20 '23 at 20:32
Is this wireless? Even re-reading the question this isn't particularly obvious — roaima, Mar 20 '23 at 22:41
wlp3s0 is a wireless NIC. en = ethernet, wl = wlan. https://cgit.freedesktop.org/systemd/systemd/tree/src/udev/udev-builtin-net_id.c — Benoit, Mar 21 '23 at 11:02

score 0 · Accepted Answer · answered Mar 20 '23 at 18:09

0

There is a typo in the prerouting rule. dnat to 193.168.113.201:8080 instead of dnat to 192.168.113.201:8080.

answered Mar 20 '23 at 18:09

Benoit

51
3