I'm setting up a new home server with borderline-paranoid security as the goal.

As such, everything with open ports that can go in a VM, gets its own VM. I'm using Ubuntu Server as the host, because I like the free reboot-less kernel-patching.

I've set up four Debian VMs, connected to the default virtual bridge interface. I'm now at the point where I can see and access the ports that should be open from the host, but when I try to access them from my network, I fail. When looking at them with nmap, they show up as "filtered".

How do I make these ports accessible from the wider network? Can I forward the ports from my physical interface to the subnetwork on the bridge, or is it better to somehow make the guests use my actual router as their gateway, instead of the one built into KVM?

hellomatey27
  • Have you ever been able to resolve this? user1686's answer does not work and it is incomplete. – Madeo Jul 17 '21 at 10:53

1 Answer

or is it better to somehow make the guests use my actual router as their gateway, instead of the one built into KVM?

There is no gateway built into KVM (nor a "default bridge" either). Your VM host itself is the gateway – if you're using libvirt, then it just activates the Linux kernel's regular IP forwarding functionality (and creates a virbr0 for you).

This also means that your VM guests cannot access your actual LAN router directly – they're not on the same Ethernet. That would be possible, but you would need to put the physical Ethernet interface (eth0) in the same bridge as your VMs.

It's up to you which method to use:

  • You can let the host be a straightforward router, by configuring your LAN to recognize the VM subnet (i.e. adding static routes with the VM host specified as gateway). Other devices will be able to connect to VMs' addresses.

  • You can let the host be a router with port-forwarding, by adding DNAT rules to iptables or nftables.

  • You can let the host be a bridge, by placing its eth0 interface in the VM bridge (ip link set eth0 master virbr0) – this will directly place all VMs in your main LAN subnet.

(But on principle I would avoid NAT/port-forwarding in the middle of a network unless absolutely necessary, e.g. if the main LAN uses a “router” that doesn't support adding static routes, or some other unusual reason.)

u1686_grawity
  • I can ping my router though, doesn't that mean that my physical interface is already on the same bridge? – hellomatey27 Sep 03 '19 at 09:29
  • No, it just means the packets are forwarded by the VM host _somehow_. (ICMP "Ping" packets run over IP so they are not limited to a single broadcast domain.) After all, you can ping websites on the other side of the world, too – and your computer certainly isn't directly bridged to e.g. Google servers. – u1686_grawity Sep 03 '19 at 09:31
  • The real test would be to see if you can resolve the router's IP address _to a MAC address_ using ARP (arping) or IPv6 NDP (ndisc6) – that's only possible within the same bridge, and it's the main thing that "using it as a gateway" performs. – u1686_grawity Sep 03 '19 at 09:33
  • Ok. So your recommendation would be to run "ip link set eth0 master virbr0", and simply let my router manage the VMs. It does seem like the simplest solution. – hellomatey27 Sep 03 '19 at 09:33
  • It's slightly more complex; the command will work but you should figure out how to automate it via libvirt or Netplan. Additionally, your current eth0 IP address will need to be moved to virbr0 as well (so don't forget to adjust that in Netplan or NetworkManager or whatever) – u1686_grawity Sep 03 '19 at 09:35
  • Ah, that would have to be in netplan. I guess that's a new question. – hellomatey27 Sep 03 '19 at 09:37
  • @user1686 this command: `ip link set eth0 master virbr0` does not work, could you post a complete solution? – Madeo Jul 17 '21 at 10:57
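As an added example (not part of the answer or comments above), here are the two pieces of persistent configuration that the bare `ip link set eth0 master virbr0` command leaves out on an Ubuntu/Netplan host, following the answer's bridging option: a Netplan bridge that takes over the host's IP address, and a libvirt network that attaches guests to that bridge instead of the NAT'd virbr0. The bridge name br0, the interface eth0, the addresses and the network name lanbridge are assumed values.

```shell
#!/bin/sh
# Added example, not from the original answer. Renders (does not apply)
# the Netplan and libvirt configuration for bridging the host's NIC.
# eth0, br0, the addresses and "lanbridge" are assumptions for this host.
set -eu

# render_netplan IFACE BRIDGE CIDR GATEWAY
# Moves the host's address from IFACE to BRIDGE so the host keeps its own
# LAN connectivity once IFACE is enslaved to the bridge.
render_netplan() {
    iface=$1; bridge=$2; cidr=$3; gw=$4
    cat <<EOF
network:
  version: 2
  renderer: networkd
  ethernets:
    $iface:
      dhcp4: false          # the address now lives on the bridge, not here
  bridges:
    $bridge:
      interfaces: [$iface]
      addresses: [$cidr]
      gateway4: $gw         # newer Netplan prefers routes: [{to: default, via: ...}]
      parameters:
        stp: false
        forward-delay: 0
EOF
}

# render_libvirt_net NAME BRIDGE
# A libvirt network in forward mode "bridge": each guest gets a tap on
# BRIDGE and so sits directly on the LAN, with no NAT and no host-side
# port forwarding, which is what makes the ports reachable from other hosts.
render_libvirt_net() {
    cat <<EOF
<network>
  <name>$1</name>
  <forward mode="bridge"/>
  <bridge name="$2"/>
</network>
EOF
}
```

Write the first output to a file under /etc/netplan/ and run netplan apply, then define the second with virsh net-define and point each guest's <interface type='network'> at it; from then on the guests take their addresses from the real router, so the host-side DNAT rules are not needed.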