Port Forwarding firewalld + libvirt

Hi all, I have the following setup:

  • Leap 15.6 host with public IP
  • Libvirt / KVM subnet - 10.1.1.0/24 installed on that host, on virbr0
  • Access to upstream router (via hosting provider)
  • ip forwarding is on.

We can:

  • ssh to the host.
  • ssh to the VM from the host
  • access the internet from both the host and VM

However we are banging our heads on port forwarding from say 0.0.0.0:32122 (host) → 22 (VM)
This is in advance of forwarding various ports to different VMs.
What are we doing wrong?
(Will provide configs on request)
TIA - Patrick

It is impossible to answer without knowing what you are doing in the first place.

Do you want to forward connection to host from the Internet to the VM?

Yes. That is a test port, but we’d be using VMs to host web (80 & 443) and email as soon as we can work out what is going on. I haven't posted the configs only because I don't want to upload pages of irrelevant stuff.

Let me know what you need and I’ll provide. For example:

firewall-cmd --zone=public --list-forward-ports
port=32122:proto=tcp:toport=22:toaddr=10.1.1.41

My network guy says he has been through everything and says it should work, but we are both new to firewalld - he is a Juniper guy, and we are migrating some customers off our Juniper-based VLAN-enabled cloud to something more manageable for them.

TIA - Patrick

Please use preformatted text when posting computer output (and input).

This rule should be enough as long as forwarding is enabled (cat /proc/sys/net/ipv4/ip_forward). libvirt installs its own rules which may additionally block traffic. Upload the full output of the following commands to the https://paste.opensuse.org/

nft list ruleset
iptables -L -n -v
iptables -L -n -v -t nat

Thanks.
Yes, forwarding is enabled.

Output is here: openSUSE Paste
The last command generated the error that read, in part:
iptables v1.8.7 (legacy): can't initialize iptables table '-nat': Table does not exist (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded.
Have the latest kernel for 15.6.

Chain LIBVIRT_FWI (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  283 25323 ACCEPT     all  --  *      virbr0  0.0.0.0/0            10.1.1.0/24          ctstate RELATED,ESTABLISHED
   19  1100 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

This rejects any connection forwarded from the Internet to the VM network.

I am not familiar with libvirt, hopefully someone could suggest how it can be configured to open selected ports (or allow forwarding any packet).

And you also need firewalld policy that allows forwarding from public zone to libvirt zone. Currently it is prohibited by both libvirt and firewalld.

Yes we were looking into that. Our current policy list is:

allow-host-ipv6 (active)
  priority: -15000
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: HOST
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv6" icmp-type name="neighbour-advertisement" accept
	rule family="ipv6" icmp-type name="neighbour-solicitation" accept
	rule family="ipv6" icmp-type name="router-advertisement" accept
	rule family="ipv6" icmp-type name="redirect" accept

libvirt-routed-in
  priority: -1
  target: ACCEPT
  ingress-zones: ANY
  egress-zones: libvirt-routed
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

libvirt-routed-out
  priority: -1
  target: ACCEPT
  ingress-zones: libvirt-routed
  egress-zones: ANY
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

libvirt-to-host
  priority: -1
  target: REJECT
  ingress-zones: libvirt-routed
  egress-zones: HOST
  services: dhcp dhcpv6 dns ssh tftp
  ports: 
  protocols: icmp ipv6-icmp
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

As for your previous message - are you sure? it seems to me that the top rule would allow?

It allows packets belonging to established connections, not new connections.

Hmm. Well I’ve reverted everything to defaults - any advice to achieve the desired results welcome…

Going back to basics worked, as did a bit of essential info from serverfault.com.
The libvirt network type on the host needs to be route rather than nat (defined in the XML of the bridge), then the firewall entry is a one-liner:

firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 masquerade' 

Obviously repeat per port/service. And don’t forget:

firewall-cmd --permanent --zone=public --add-masquerade

… to allow for outbound.
(More at the link above.)
/p
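An added example, not the poster's own commands: the route-mode switch and the two firewalld entries from the post above, as a POSIX shell script. It assumes the network is libvirt's "default" on virbr0, the 32122 → 10.1.1.41:22 mapping from earlier in the thread, and root on the host; with DRY_RUN=1 (the default here) it prints the commands instead of running them. The libvirt network XML inside it is constructed. Besides changing the mode, the rewrite drops the `<nat>` element, since libvirt only accepts that element under mode='nat'.

```shell
#!/bin/sh
# Added example, not from the thread. Switch a libvirt NAT network to routed
# forwarding and add the firewalld entries from the final post.
# DRY_RUN=1 prints each privileged command instead of executing it.

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Rewrite a libvirt network definition from NAT to routed (stdin -> stdout).
# Returns 1 without changing anything if there is no <forward mode='nat'>.
nat_to_route() {
    xml=$(cat)
    printf '%s\n' "$xml" | grep -q "<forward mode='nat'" || return 1
    printf '%s\n' "$xml" | sed -e "s/<forward mode='nat'/<forward mode='route'/" \
                               -e '/<nat>/,/<\/nat>/d'   # <nat> is only valid in mode='nat'
}

# Redefine network $1 as routed and restart it (virsh is assumed on PATH).
switch_network_to_route() {
    tmp=$(mktemp) || return 1
    virsh net-dumpxml "$1" | nat_to_route > "$tmp" || { rm -f "$tmp"; return 1; }
    run virsh net-destroy "$1"
    run virsh net-define "$tmp"
    run virsh net-start "$1"
    rm -f "$tmp"
}

# Forward host port $1/tcp to VM $2 port $3 via the public zone; call once per
# port/service, as the post says.
add_forward() {
    run firewall-cmd --permanent --zone=public \
        --add-forward-port="port=$1:proto=tcp:toport=$3:toaddr=$2"
}

# Masquerade on the public zone so the VMs' outbound traffic still works.
enable_masquerade() { run firewall-cmd --permanent --zone=public --add-masquerade; }

apply_firewall() { run firewall-cmd --reload; }

# Constructed sample of a NAT network definition, as virsh net-dumpxml prints it.
SAMPLE_NET_XML="<network>
  <name>default</name>
  <bridge name='virbr0' stp='on' delay='0'/>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <ip address='10.1.1.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='10.1.1.2' end='10.1.1.254'/>
    </dhcp>
  </ip>
</network>"

# Demonstration on the constructed XML and in dry-run mode. On the real host:
#   DRY_RUN=0; switch_network_to_route default; add_forward 32122 10.1.1.41 22
#   enable_masquerade; apply_firewall
DRY_RUN=${DRY_RUN:-1}
printf '%s\n' "$SAMPLE_NET_XML" | nat_to_route
add_forward 32122 10.1.1.41 22
enable_masquerade
apply_firewall
```

The XML rewrite is deliberately conservative: it refuses to touch a definition that is not in NAT mode rather than guessing, and the rest of the definition (bridge, address, DHCP range) passes through unchanged.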
