2

Adding port forwarding rule between host and VMs

asked 2013-05-29 01:51:57 -0600

sph

updated 2013-05-29 17:46:57 -0600

smaffulli

Hi everyone,

I have an OpenStack setup and a RHEL VM running on it. The docs were really useful in guiding me through the setup. I want to run a service on port 8000 of the VM and want that port to be forwarded from the host to the guest. For example, if a request comes in on, say, port 8111 on the host, then forward it to port 80 of VM1. If a request comes in on port 8112 on the host, then forward it to port 8080 of VM2, and so on.

Normally, I'd add a PREROUTING rule in the nat table to accomplish this. But I saw that iptables already has some OpenStack-specific rules and chains.

I wanted to know, for port forwarding, which is the right way to add an iptables rule: does it have to be done via some command line util, or should I use an existing API to add a rule?


2 answers

0

answered 2013-06-03 05:07:14 -0600

sph

updated 2013-06-03 05:32:00 -0600

I am still searching for a way to do this. A quick hack for doing this manually and not losing your configuration on nova-network restart can be achieved by the following. I wouldn't recommend doing this in production environments though:

Infra: openstack folsom host - host1 + 1 vm running (instance - vm_inst1) for the image - linux_1

Requirement: For any traffic coming on port 1234 of host1 forward it to port 8000 of vm_inst1

Steps:

  1. Create a security rule which opens up port 8000 for vm_inst1

    nova secgroup-create secgroup1 'test security group'
    nova secgroup-add-rule secgroup1 tcp 8000 8000 0.0.0.0/0
    nova boot --flavor 1 --image linux_1 --security_groups secgroup1 vm_inst1

  2. Once the VM gets the IP - flush out its internal iptables rules to remove any confusion. Hence, inside vm_inst1:

    iptables -F

    python -m SimpleHTTPServer

  3. In nova.network.linux_net.py locate the function - metadata_forward

  4. Add the following snippet to it:

    # DNAT host port 1234 to port 8000 on vm_inst1
    # (replace <vm_inst1_ip> with the VM's IP address)
    iptables_manager.ipv4['nat'].add_rule('PREROUTING',
                                          '-s 0.0.0.0/0 -d %s/32 '
                                          '-p tcp -m tcp --dport %s -j DNAT '
                                          '--to-destination %s:%s' %
                                          (FLAGS.metadata_host,
                                           '1234',
                                           '<vm_inst1_ip>',
                                           '8000'))

  5. Restart nova-network

  6. This adds a nova-network-PREROUTING rule which does the requisite forwarding.

  7. Test it by going to a different host other than host1 and doing:

    telnet host1_ip 1234
    this

  8. You should see "this" appearing on the python session in the VM.

But I am looking for a cleaner way to do this. Is there a plugin based approach for this - or is there a way to execute arbitrary hook programs upon events like VM startup, shutdown?

I did find references to https://wiki.openstack.org/wiki/Novaplugin - just want to know that - is that the right way to go for it? If any of the stackers have used it - is there any reference code that can be looked at. There is a filesystem code available on the novaplugin page - but I am looking for a simpler example.

Hope this insight helps anyone else looking to do port forwarding.

UPDATE: From what I read on https://www.redhat.com/archives/rhos-list/2012-November/msg00022.html - there isn't a way to hook in your code but you can subscribe for notifications upon VM events.
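Added example, not part of the original answer or of nova: the DNAT rule in step 4 matches `-s 0.0.0.0/0`, so any client that can reach host1 can reach the VM port. This Python sketch lists such unrestricted forwards from `iptables-save -t nat` output; the sample dump, its addresses and the function names are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample of `iptables-save -t nat` output on a nova-network host
# (documentation addresses, not captured from a real system).
SAMPLE_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:nova-network-PREROUTING - [0:0]
-A PREROUTING -j nova-network-PREROUTING
-A nova-network-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.10:8775
-A nova-network-PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 1234 -j DNAT --to-destination 10.0.0.2:8000
-A nova-network-PREROUTING -s 198.51.100.0/24 -d 192.0.2.10/32 -p tcp -m tcp --dport 8112 -j DNAT --to-destination 10.0.0.3:8080
COMMIT
"""

METADATA_IP = "169.254.169.254"  # destination of nova's own metadata forward

def parse_dnat_rules(text):
    """Return one dict per DNAT rule in iptables-save output."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue  # table headers, chain policies, comments, COMMIT
        tok = shlex.split(line)
        # Map each option to the token that follows it ("--dport" -> "1234").
        opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        if opts.get("-j") != "DNAT" or "--to-destination" not in opts:
            continue
        src = ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"), strict=False)
        rules.append({
            "chain": opts["-A"],
            "listen": "%s:%s" % (opts.get("-d", "any"), opts.get("--dport", "any")),
            "target": opts["--to-destination"],
            "source": str(src),
            "open_to_any": src.prefixlen == 0,  # no -s match, or -s 0.0.0.0/0
            "negated": "!" in tok,  # "! -s ..." is not interpreted; review by hand
            "metadata": opts.get("-d", "").split("/")[0] == METADATA_IP,
        })
    return rules

def exposed_forwards(text):
    """Forwards other than the metadata rule that are open to any source or need review."""
    return [r for r in parse_dnat_rules(text)
            if not r["metadata"] and (r["open_to_any"] or r["negated"])]

if __name__ == "__main__":
    for r in exposed_forwards(SAMPLE_NAT):
        print("%(chain)s: %(listen)s -> %(target)s (source %(source)s)" % r)
```

On a real host, pass the output of `iptables-save -t nat` to `exposed_forwards` in place of the sample; a forward that must stay reachable can be narrowed with a source match in the rule, as the third sample rule does.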

2

answered 2013-05-29 03:50:38 -0600

rakrup

You should look for adding the security group rules for this. Security group rules addition internally will add the iptables entry for you. You might want to look at this wiki page for more reference -> http://docs.openstack.org/trunk/openstack-network/admin/content/securitygroups.html


Comments

That would be good to have for filtering. But I am looking at a way to do port forwarding where in if request comes on say - port 8111 on the host, then forward it to port 80 of VM1. If request comes on port 8112 on the host, then forward it to port 8080 of VM2 and so on.

sph (2013-05-29 04:37:17 -0600)


Stats

Asked: 2013-05-29 01:51:57 -0600

Seen: 4,744 times

Last updated: Jun 03 '13