Re: ssh into kvm-clients

On 05/30/2010 11:02 AM, brizly vaan van Ulciputz wrote:
> Hello Everyone,
>
> I wonder why I am not able to ssh in in this case:
>
> I have a kvm-'server' running 4 'guests'.
>
> the guests are behind nat (default in kvm?).
>
> Running fresh Fedora on all machines (host and guests), installed from
> live-cd, enabled sshd and made sure system-config-firewall allows
> ssh in, I am not able to reach the guests by ssh.
>
> I can ping them, by the ip given to them by the kvm-server, by
> openvpn-client-ip, all good.
> [brizly@s28 ~]$ ping 192.168.24.22
> PING 192.168.24.22 (192.168.24.22) 56(84) bytes of data.
> 64 bytes from 192.168.24.22: icmp_seq=1 ttl=64 time=2.50 ms
> 64 bytes from 192.168.24.22: icmp_seq=2 ttl=64 time=1.80 ms
> 64 bytes from 192.168.24.22: icmp_seq=3 ttl=64 time=2.01 ms
>
>
> but with ssh I just get:
> [brizly@s28 ~]$ ssh 192.168.24.22
> ssh: connect to host 192.168.24.22 port 22: No route to host
>
>
> I don't know where to start searching: firewall, selinux, openvpn...
>
> Other openvpn-clients - installed the same way, but 'real' machines, not
> kvm-clients - are reachable. although from kvm-client to outside-host.
>
> Any ideas?
>

You will notice that qemu, when running in NATed mode, will set up rules 
for iptables by default.  In effect, a NATed interface accepts NO 
inbound connections, and qemu ensures that with iptables rules.

There are at least two ways to allow ssh to a KVM based guest that is NATed.

One method involves qemu automatically starting a daemon on the host 
that listens on a port you specify and redirects traffic on that port to 
a port you specify on the VM.  This requires adding an appropriate '-net 
user' rule to the qemu process when it runs.  Virt Manager does not 
have an interface into all of the qemu options, so you will have to edit 
the xml file by hand to add it.  And if you make a change to the guest 
using Virt Manager, you could lose your changes.

Since qemu uses iptables to implement its NATed firewall for the KVMs, 
you can also use iptables to allow ports into guests.
The qemu rules are added dynamically, so you can't modify those 
particular rules, but you can add permanent rules that allow what you 
want, even when the qemu NAT is in place.

I think that the rule set qemu uses is called DNAT by default, so we add:

-A PREROUTING -i eth0 -p tcp -m tcp -d <IP> --dport 22 -j DNAT 
--to-destination <VMIP>

For each VM.

I realize that this is sketchy, but it would be inappropriate to show 
real IPs and destinations in a mailing list posting. :)

Hopefully, this is enough of a pointer to be of some help.

Good luck!


-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
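The two host-side methods from the reply above, as an added example that is not part of the original thread: a '-net user' hostfwd argument for the first method, and a generator for the per-VM DNAT rules for the second. Everything here is assumed or constructed: the NIC name eth0, the host and guest addresses (203.0.113.x and the libvirt default 192.168.122.x range), the host ports, and the bridge name virbr0. The generator also emits a FORWARD ACCEPT rule, on the assumption that the dynamically added NAT rules reject forwarded traffic into the guest bridge, so the DNAT alone would not be enough; the script only prints the commands, so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not from the mailing-list reply. Generates the host-side
# rules that let ssh reach a NATed KVM guest. All names, ports and
# addresses are constructed placeholders.

# Method 1: qemu user-mode networking. Emits the '-net user' argument that
# makes qemu listen on host port $2 and forward it to guest port $1.
qemu_hostfwd_arg() {
    # $1: guest port (22 for ssh), $2: host port to listen on
    printf -- '-net user,hostfwd=tcp::%s-:%s\n' "$2" "$1"
}

# Method 2: iptables on the host. Emits the nat PREROUTING DNAT rule from
# the reply (with an explicit :22 so any host port maps to the guest's ssh
# port) plus a FORWARD ACCEPT rule for the guest bridge (assumption: the
# guests hang off virbr0 and the dynamic rules reject forwarded traffic).
dnat_rules() {
    # $1: host NIC, $2: host IP, $3: host port, $4: guest IP
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp -m tcp -d %s --dport %s -j DNAT --to-destination %s:22\n' \
        "$1" "$2" "$3" "$4"
    printf 'iptables -I FORWARD -o virbr0 -p tcp -m tcp -d %s --dport 22 -j ACCEPT\n' \
        "$4"
}

# One rule pair per VM. Reads "<hostip> <hostport> <guestip>" lines on
# stdin, so each VM can get its own host IP, its own host port, or both.
dnat_rules_for_vms() {
    # $1: host NIC
    while read -r hip hport gip; do
        [ -n "$gip" ] && dnat_rules "$1" "$hip" "$hport" "$gip"
    done
}

# Usage: print the commands for a constructed two-VM list. Pipe the output
# into sh as root to apply them; save with iptables-save to make them stick.
printf '%s\n' \
    "203.0.113.10 22 192.168.122.11" \
    "203.0.113.10 2202 192.168.122.12" \
    | dnat_rules_for_vms eth0
```

The FORWARD rule is inserted at the top of the chain (-I) rather than appended, because the rules added when the NAT is brought up already sit in that chain and an appended ACCEPT would never be reached; the DNAT rule in PREROUTING can simply be appended since it does not compete with anything.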