Unable to port forward over virtual bridge to tap interface

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
2
down vote

favorite
2












I installed libvirt out of the box on Ubuntu 16.04, it creates a virbr0 virtual bridge, at 192.168.122.0/24, a dnsmasq instance to serve that range and sets up basic NAT masquerading.



I created a tap interface beneath that for my virtualization software to use. The software itself is able to access the internet and remainder of the network perfectly, so masquerading is working properly. I can also access the virtualization software ssh port from the host, using the IP address claimed by that software. So I think the routing tables "out of the box" are generally correct.



What I want to do is port forward an inbound ssh connection from outside to this software, and the host system in general. Now the host system of course has ssh, and I need that to work. So I'm trying to use another port, such as port 2022.



I've created a DNAT rule in iptables to direct inbound traffic on port 2022 to the IP address of the software at port 22. I get destination unreachable when I attempt to ssh in from the outside (ex. computer A below). It looks like the address translation is happening properly, but immediately after traversing to the "FORWARD" step in iptables, I start getting outbound unreachable ICMP packets.



I'm stumped on how to proceed. I've tried some SNAT rules, but I either botched it or that's not the problem. Does anyone have ideas on this?



UPDATE:
Wireshark on tap0 does not show having received the forwarded packet. Whatever is returning the packet is not related to the virtualization software.



Here's a picture of my network:



 ----------
| Internet |
----------
|
|
--------
| Router | 10.211.255.1
--------
|
|
____________|_______________
| |
---------- ---------
| | | enp0s5 | 10.211.255.4
| Computer | 10.211.255.2 | Host | 192.168.122.1
| A | | virbr0 |
---------- ---------
|
| LAN NAT 192.168.122.0/24
|
----------
| tap0 |
| Guest OS | 192.168.122.118
| |
----------


Here are my IP tables rules:



Chain INPUT (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere LOG level debug prefix "INTRACE: "
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere LOG level debug prefix "FORTRACE: "
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere LOG level debug prefix "OUTTRACE: "
ACCEPT udp -- anywhere anywhere udp dpt:bootpc

NAT tables:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
LOG tcp -- anywhere anywhere tcp dpt:2022 LOG level debug prefix "NATPTRACE: "
DNAT tcp -- anywhere anywhere tcp dpt:2022 to:192.168.122.118:22

Chain INPUT (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere LOG level debug prefix "NATITRACE: "

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere LOG level debug prefix "NATOTRACE: "

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere LOG level debug prefix "NATQTRACE: "
SNAT tcp -- anywhere anywhere tcp spt:ssh to::2022
RETURN all -- 192.168.122.0/24 base-address.mcast.net/24
RETURN all -- 192.168.122.0/24 broadcasthost.localdomain
MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24


Finally this is an example of what I see in syslog with the above rules:



Oct 20 09:49:15 ubuntu kernel: [85149.812291] RAWPTRACE: IN=enp0s5 OUT= MAC=00:1c:42:3a:00:df:00:1c:42:00:00:08:08:00 SRC=10.211.55.2 DST=10.211.55.4 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=40132 DF PROTO=TCP SPT=53245 DPT=2022 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 20 09:49:15 ubuntu kernel: [85149.812318] MGPTRACE: IN=enp0s5 OUT= MAC=00:1c:42:3a:00:df:00:1c:42:00:00:08:08:00 SRC=10.211.55.2 DST=10.211.55.4 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=40132 DF PROTO=TCP SPT=53245 DPT=2022 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 20 09:49:15 ubuntu kernel: [85149.812326] NATPTRACE: IN=enp0s5 OUT= MAC=00:1c:42:3a:00:df:00:1c:42:00:00:08:08:00 SRC=10.211.55.2 DST=10.211.55.4 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=40132 DF PROTO=TCP SPT=53245 DPT=2022 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 20 09:49:15 ubuntu kernel: [85149.812336] MGFTRACE: IN=enp0s5 OUT=virbr0 MAC=00:1c:42:3a:00:df:00:1c:42:00:00:08:08:00 SRC=10.211.55.2 DST=192.168.122.118 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=40132 DF PROTO=TCP SPT=53245 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 20 09:49:15 ubuntu kernel: [85149.812340] FORTRACE: IN=enp0s5 OUT=virbr0 MAC=00:1c:42:3a:00:df:00:1c:42:00:00:08:08:00 SRC=10.211.55.2 DST=192.168.122.118 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=40132 DF PROTO=TCP SPT=53245 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 20 09:49:15 ubuntu kernel: [85149.812354] RAWOTRACE: IN= OUT=enp0s5 SRC=10.211.55.4 DST=10.211.55.2 LEN=92 TOS=0x00 PREC=0xC0 TTL=64 ID=50608 PROTO=ICMP TYPE=3 CODE=3 [SRC=10.211.55.2 DST=192.168.122.118 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=40132 DF PROTO=TCP SPT=53245 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0 ]
Oct 20 09:49:15 ubuntu kernel: [85149.812357] MGOTRACE: IN= OUT=enp0s5 SRC=10.211.55.4 DST=10.211.55.2 LEN=92 TOS=0x00 PREC=0xC0 TTL=64 ID=50608 PROTO=ICMP TYPE=3 CODE=3 [SRC=10.211.55.2 DST=192.168.122.118 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=40132 DF PROTO=TCP SPT=53245 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0 ]
Oct 20 09:49:15 ubuntu kernel: [85149.812361] OUTTRACE: IN= OUT=enp0s5 SRC=10.211.55.4 DST=10.211.55.2 LEN=92 TOS=0x00 PREC=0xC0 TTL=64 ID=50608 PROTO=ICMP TYPE=3 CODE=3 [SRC=10.211.55.2 DST=192.168.122.118 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=40132 DF PROTO=TCP SPT=53245 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0 ]
Oct 20 09:49:15 ubuntu kernel: [85149.812364] MGQTRACE: IN= OUT=enp0s5 SRC=10.211.55.4 DST=10.211.55.2 LEN=92 TOS=0x00 PREC=0xC0 TTL=64 ID=50608 PROTO=ICMP TYPE=3 CODE=3 [SRC=10.211.55.2 DST=192.168.122.118 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=40132 DF PROTO=TCP SPT=53245 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0 ]






share|improve this question


























    up vote
    2
    down vote

    favorite
    2












    I installed libvirt out of the box on Ubuntu 16.04, it creates a virbr0 virtual bridge, at 192.168.122.0/24, a dnsmasq instance to serve that range and sets up basic NAT masquerading.



    I created a tap interface beneath that for my virtualization software to use. The software itself is able to access the internet and remainder of the network perfectly, so masquerading is working properly. I can also access the virtualization software ssh port from the host, using the IP address claimed by that software. So I think the routing tables "out of the box" are generally correct.



    What I want to do is port forward an inbound ssh connection from outside to this software, and the host system in general. Now the host system of course has ssh, and I need that to work. So I'm trying to use another port, such as port 2022.



    I've created a DNAT rule in iptables to direct inbound traffic on port 2022 to the IP address of the software at port 22. I get destination unreachable when I attempt to ssh in from the outside (ex. computer A below). It looks like the address translation is happening properly, but immediately after traversing to the "FORWARD" step in iptables, I start getting outbound unreachable ICMP packets.



    I'm stumped on how to proceed. I've tried some SNAT rules, but I either botched it or that's not the problem. Does anyone have ideas on this?



    UPDATE:
    Wireshark on tap0 does not show having received the forwarded packet. Whatever is returning the packet is not related to the virtualization software.



    Here's a picture of my network:



     ----------
    | Internet |
    ----------
    |
    |
    --------
    | Router | 10.211.255.1
    --------
    |
    |
    ____________|_______________
    | |
    ---------- ---------
    | | | enp0s5 | 10.211.255.4
    | Computer | 10.211.255.2 | Host | 192.168.122.1
    | A | | virbr0 |
    ---------- ---------
    |
    | LAN NAT 192.168.122.0/24
    |
    ----------
    | tap0 |
    | Guest OS | 192.168.122.118
    | |
    ----------


    Here are my IP tables rules:



    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    LOG all -- anywhere anywhere LOG level debug prefix "INTRACE: "
    ACCEPT udp -- anywhere anywhere udp dpt:domain
    ACCEPT tcp -- anywhere anywhere tcp dpt:domain
    ACCEPT udp -- anywhere anywhere udp dpt:bootps
    ACCEPT tcp -- anywhere anywhere tcp dpt:bootps

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    LOG all -- anywhere anywhere LOG level debug prefix "FORTRACE: "
    ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
    ACCEPT all -- 192.168.122.0/24 anywhere
    ACCEPT all -- anywhere anywhere
    REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
    REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    LOG all -- anywhere anywhere LOG level debug prefix "OUTTRACE: "
    ACCEPT udp -- anywhere anywhere udp dpt:bootpc

    NAT tables:
    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    LOG tcp -- anywhere anywhere tcp dpt:2022 LOG level debug prefix "NATPTRACE: "
    DNAT tcp -- anywhere anywhere tcp dpt:2022 to:192.168.122.118:22

    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    LOG all -- anywhere anywhere LOG level debug prefix "NATITRACE: "

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    LOG all -- anywhere anywhere LOG level debug prefix "NATOTRACE: "

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination
    LOG all -- anywhere anywhere LOG level debug prefix "NATQTRACE: "
    SNAT tcp -- anywhere anywhere tcp spt:ssh to::2022
    RETURN all -- 192.168.122.0/24 base-address.mcast.net/24
    RETURN all -- 192.168.122.0/24 broadcasthost.localdomain
    MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
    MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
    MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24


    Finally this is an example of what I see in syslog with the above rules:



    Oct 20 09:49:15 ubuntu kernel: [85149.812291] RAWPTRACE: IN=enp0s5 OUT= MAC=00:1c:42:3a:00:df:00:1c:42:00:00:08:08:00 SRC=10.211.55.2 DST=10.211.55.4 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=40132 DF PROTO=TCP SPT=53245 DPT=2022 WINDOW=65535 RES=0x00 SYN URGP=0
    Oct 20 09:49:15 ubuntu kernel: [85149.812318] MGPTRACE: IN=enp0s5 OUT= MAC=00:1c:42:3a:00:df:00:1c:42:00:00:08:08:00 SRC=10.211.55.2 DST=10.211.55.4 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=40132 DF PROTO=TCP SPT=53245 DPT=2022 WINDOW=65535 RES=0x00 SYN URGP=0
    Oct 20 09:49:15 ubuntu kernel: [85149.812326] NATPTRACE: IN=enp0s5 OUT= MAC=00:1c:42:3a:00:df:00:1c:42:00:00:08:08:00 SRC=10.211.55.2 DST=10.211.55.4 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=40132 DF PROTO=TCP SPT=53245 DPT=2022 WINDOW=65535 RES=0x00 SYN URGP=0
    Oct 20 09:49:15 ubuntu kernel: [85149.812336] MGFTRACE: IN=enp0s5 OUT=virbr0 MAC=00:1c:42:3a:00:df:00:1c:42:00:00:08:08:00 SRC=10.211.55.2 DST=192.168.122.118 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=40132 DF PROTO=TCP SPT=53245 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
    Oct 20 09:49:15 ubuntu kernel: [85149.812340] FORTRACE: IN=enp0s5 OUT=virbr0 MAC=00:1c:42:3a:00:df:00:1c:42:00:00:08:08:00 SRC=10.211.55.2 DST=192.168.122.118 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=40132 DF PROTO=TCP SPT=53245 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
    Oct 20 09:49:15 ubuntu kernel: [85149.812354] RAWOTRACE: IN= OUT=enp0s5 SRC=10.211.55.4 DST=10.211.55.2 LEN=92 TOS=0x00 PREC=0xC0 TTL=64 ID=50608 PROTO=ICMP TYPE=3 CODE=3 [SRC=10.211.55.2 DST=192.168.122.118 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=40132 DF PROTO=TCP SPT=53245 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0 ]
    Oct 20 09:49:15 ubuntu kernel: [85149.812357] MGOTRACE: IN= OUT=enp0s5 SRC=10.211.55.4 DST=10.211.55.2 LEN=92 TOS=0x00 PREC=0xC0 TTL=64 ID=50608 PROTO=ICMP TYPE=3 CODE=3 [SRC=10.211.55.2 DST=192.168.122.118 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=40132 DF PROTO=TCP SPT=53245 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0 ]
    Oct 20 09:49:15 ubuntu kernel: [85149.812361] OUTTRACE: IN= OUT=enp0s5 SRC=10.211.55.4 DST=10.211.55.2 LEN=92 TOS=0x00 PREC=0xC0 TTL=64 ID=50608 PROTO=ICMP TYPE=3 CODE=3 [SRC=10.211.55.2 DST=192.168.122.118 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=40132 DF PROTO=TCP SPT=53245 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0 ]
    Oct 20 09:49:15 ubuntu kernel: [85149.812364] MGQTRACE: IN= OUT=enp0s5 SRC=10.211.55.4 DST=10.211.55.2 LEN=92 TOS=0x00 PREC=0xC0 TTL=64 ID=50608 PROTO=ICMP TYPE=3 CODE=3 [SRC=10.211.55.2 DST=192.168.122.118 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=40132 DF PROTO=TCP SPT=53245 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0 ]






    share|improve this question
























      up vote
      2
      down vote

      favorite
      2









      up vote
      2
      down vote

      favorite
      2






      2





      I installed libvirt out of the box on Ubuntu 16.04, it creates a virbr0 virtual bridge, at 192.168.122.0/24, a dnsmasq instance to serve that range and sets up basic NAT masquerading.



      I created a tap interface beneath that for my virtualization software to use. The software itself is able to access the internet and remainder of the network perfectly, so masquerading is working properly. I can also access the virtualization software ssh port from the host, using the IP address claimed by that software. So I think the routing tables "out of the box" are generally correct.



      What I want to do is port forward an inbound ssh connection from outside to this software, and the host system in general. Now the host system of course has ssh, and I need that to work. So I'm trying to use another port, such as port 2022.



      I've created a DNAT rule in iptables to direct inbound traffic on port 2022 to the IP address of the software at port 22. I get destination unreachable when I attempt to ssh in from the outside (ex. computer A below). It looks like the address translation is happening properly, but immediately after traversing to the "FORWARD" step in iptables, I start getting outbound unreachable ICMP packets.



      I'm stumped on how to proceed. I've tried some SNAT rules, but I either botched it or that's not the problem. Does anyone have ideas on this?



      UPDATE:
      Wireshark on tap0 does not show having received the forwarded packet. Whatever is returning the packet is not related to the virtualization software.



      Here's a picture of my network:



       ----------
      | Internet |
      ----------
      |
      |
      --------
      | Router | 10.211.255.1
      --------
      |
      |
      ____________|_______________
      | |
      ---------- ---------
      | | | enp0s5 | 10.211.255.4
      | Computer | 10.211.255.2 | Host | 192.168.122.1
      | A | | virbr0 |
      ---------- ---------
      |
      | LAN NAT 192.168.122.0/24
      |
      ----------
      | tap0 |
      | Guest OS | 192.168.122.118
      | |
      ----------


      Here are my IP tables rules:



      Chain INPUT (policy ACCEPT)
      target prot opt source destination
      LOG all -- anywhere anywhere LOG level debug prefix "INTRACE: "
      ACCEPT udp -- anywhere anywhere udp dpt:domain
      ACCEPT tcp -- anywhere anywhere tcp dpt:domain
      ACCEPT udp -- anywhere anywhere udp dpt:bootps
      ACCEPT tcp -- anywhere anywhere tcp dpt:bootps

      Chain FORWARD (policy ACCEPT)
      target prot opt source destination
      LOG all -- anywhere anywhere LOG level debug prefix "FORTRACE: "
      ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
      ACCEPT all -- 192.168.122.0/24 anywhere
      ACCEPT all -- anywhere anywhere
      REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
      REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

      Chain OUTPUT (policy ACCEPT)
      target prot opt source destination
      LOG all -- anywhere anywhere LOG level debug prefix "OUTTRACE: "
      ACCEPT udp -- anywhere anywhere udp dpt:bootpc

      NAT tables:
      Chain PREROUTING (policy ACCEPT)
      target prot opt source destination
      LOG tcp -- anywhere anywhere tcp dpt:2022 LOG level debug prefix "NATPTRACE: "
      DNAT tcp -- anywhere anywhere tcp dpt:2022 to:192.168.122.118:22

      Chain INPUT (policy ACCEPT)
      target prot opt source destination
      LOG all -- anywhere anywhere LOG level debug prefix "NATITRACE: "

      Chain OUTPUT (policy ACCEPT)
      target prot opt source destination
      LOG all -- anywhere anywhere LOG level debug prefix "NATOTRACE: "

      Chain POSTROUTING (policy ACCEPT)
      target prot opt source destination
      LOG all -- anywhere anywhere LOG level debug prefix "NATQTRACE: "
      SNAT tcp -- anywhere anywhere tcp spt:ssh to::2022
      RETURN all -- 192.168.122.0/24 base-address.mcast.net/24
      RETURN all -- 192.168.122.0/24 broadcasthost.localdomain
      MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
      MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
      MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24


      Finally this is an example of what I see in syslog with the above rules:



      Oct 20 09:49:15 ubuntu kernel: [85149.812291] RAWPTRACE: IN=enp0s5 OUT= MAC=00:1c:42:3a:00:df:00:1c:42:00:00:08:08:00 SRC=10.211.55.2 DST=10.211.55.4 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=40132 DF PROTO=TCP SPT=53245 DPT=2022 WINDOW=65535 RES=0x00 SYN URGP=0
      Oct 20 09:49:15 ubuntu kernel: [85149.812318] MGPTRACE: IN=enp0s5 OUT= MAC=00:1c:42:3a:00:df:00:1c:42:00:00:08:08:00 SRC=10.211.55.2 DST=10.211.55.4 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=40132 DF PROTO=TCP SPT=53245 DPT=2022 WINDOW=65535 RES=0x00 SYN URGP=0
      Oct 20 09:49:15 ubuntu kernel: [85149.812326] NATPTRACE: IN=enp0s5 OUT= MAC=00:1c:42:3a:00:df:00:1c:42:00:00:08:08:00 SRC=10.211.55.2 DST=10.211.55.4 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=40132 DF PROTO=TCP SPT=53245 DPT=2022 WINDOW=65535 RES=0x00 SYN URGP=0
      Oct 20 09:49:15 ubuntu kernel: [85149.812336] MGFTRACE: IN=enp0s5 OUT=virbr0 MAC=00:1c:42:3a:00:df:00:1c:42:00:00:08:08:00 SRC=10.211.55.2 DST=192.168.122.118 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=40132 DF PROTO=TCP SPT=53245 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
      Oct 20 09:49:15 ubuntu kernel: [85149.812340] FORTRACE: IN=enp0s5 OUT=virbr0 MAC=00:1c:42:3a:00:df:00:1c:42:00:00:08:08:00 SRC=10.211.55.2 DST=192.168.122.118 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=40132 DF PROTO=TCP SPT=53245 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
      Oct 20 09:49:15 ubuntu kernel: [85149.812354] RAWOTRACE: IN= OUT=enp0s5 SRC=10.211.55.4 DST=10.211.55.2 LEN=92 TOS=0x00 PREC=0xC0 TTL=64 ID=50608 PROTO=ICMP TYPE=3 CODE=3 [SRC=10.211.55.2 DST=192.168.122.118 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=40132 DF PROTO=TCP SPT=53245 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0 ]
      Oct 20 09:49:15 ubuntu kernel: [85149.812357] MGOTRACE: IN= OUT=enp0s5 SRC=10.211.55.4 DST=10.211.55.2 LEN=92 TOS=0x00 PREC=0xC0 TTL=64 ID=50608 PROTO=ICMP TYPE=3 CODE=3 [SRC=10.211.55.2 DST=192.168.122.118 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=40132 DF PROTO=TCP SPT=53245 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0 ]
      Oct 20 09:49:15 ubuntu kernel: [85149.812361] OUTTRACE: IN= OUT=enp0s5 SRC=10.211.55.4 DST=10.211.55.2 LEN=92 TOS=0x00 PREC=0xC0 TTL=64 ID=50608 PROTO=ICMP TYPE=3 CODE=3 [SRC=10.211.55.2 DST=192.168.122.118 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=40132 DF PROTO=TCP SPT=53245 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0 ]
      Oct 20 09:49:15 ubuntu kernel: [85149.812364] MGQTRACE: IN= OUT=enp0s5 SRC=10.211.55.4 DST=10.211.55.2 LEN=92 TOS=0x00 PREC=0xC0 TTL=64 ID=50608 PROTO=ICMP TYPE=3 CODE=3 [SRC=10.211.55.2 DST=192.168.122.118 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=40132 DF PROTO=TCP SPT=53245 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0 ]






      share|improve this question














      I installed libvirt out of the box on Ubuntu 16.04, it creates a virbr0 virtual bridge, at 192.168.122.0/24, a dnsmasq instance to serve that range and sets up basic NAT masquerading.



      I created a tap interface beneath that for my virtualization software to use. The software itself is able to access the internet and remainder of the network perfectly, so masquerading is working properly. I can also access the virtualization software ssh port from the host, using the IP address claimed by that software. So I think the routing tables "out of the box" are generally correct.



      What I want to do is port forward an inbound ssh connection from outside to this software, and the host system in general. Now the host system of course has ssh, and I need that to work. So I'm trying to use another port, such as port 2022.



      I've created a DNAT rule in iptables to direct inbound traffic on port 2022 to the IP address of the software at port 22. I get destination unreachable when I attempt to ssh in from the outside (ex. computer A below). It looks like the address translation is happening properly, but immediately after traversing to the "FORWARD" step in iptables, I start getting outbound unreachable ICMP packets.



      I'm stumped on how to proceed. I've tried some SNAT rules, but I either botched it or that's not the problem. Does anyone have ideas on this?



      UPDATE:
      Wireshark on tap0 does not show having received the forwarded packet. Whatever is returning the packet is not related to the virtualization software.



      Here's a picture of my network:



       ----------
      | Internet |
      ----------
      |
      |
      --------
      | Router | 10.211.255.1
      --------
      |
      |
      ____________|_______________
      | |
      ---------- ---------
      | | | enp0s5 | 10.211.255.4
      | Computer | 10.211.255.2 | Host | 192.168.122.1
      | A | | virbr0 |
      ---------- ---------
      |
      | LAN NAT 192.168.122.0/24
      |
      ----------
      | tap0 |
      | Guest OS | 192.168.122.118
      | |
      ----------


      Here are my IP tables rules:



      Chain INPUT (policy ACCEPT)
      target prot opt source destination
      LOG all -- anywhere anywhere LOG level debug prefix "INTRACE: "
      ACCEPT udp -- anywhere anywhere udp dpt:domain
      ACCEPT tcp -- anywhere anywhere tcp dpt:domain
      ACCEPT udp -- anywhere anywhere udp dpt:bootps
      ACCEPT tcp -- anywhere anywhere tcp dpt:bootps

      Chain FORWARD (policy ACCEPT)
      target prot opt source destination
      LOG all -- anywhere anywhere LOG level debug prefix "FORTRACE: "
      ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
      ACCEPT all -- 192.168.122.0/24 anywhere
      ACCEPT all -- anywhere anywhere
      REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
      REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

      Chain OUTPUT (policy ACCEPT)
      target prot opt source destination
      LOG all -- anywhere anywhere LOG level debug prefix "OUTTRACE: "
      ACCEPT udp -- anywhere anywhere udp dpt:bootpc

      NAT tables:
      Chain PREROUTING (policy ACCEPT)
      target prot opt source destination
      LOG tcp -- anywhere anywhere tcp dpt:2022 LOG level debug prefix "NATPTRACE: "
      DNAT tcp -- anywhere anywhere tcp dpt:2022 to:192.168.122.118:22

      Chain INPUT (policy ACCEPT)
      target prot opt source destination
      LOG all -- anywhere anywhere LOG level debug prefix "NATITRACE: "

      Chain OUTPUT (policy ACCEPT)
      target prot opt source destination
      LOG all -- anywhere anywhere LOG level debug prefix "NATOTRACE: "

      Chain POSTROUTING (policy ACCEPT)
      target prot opt source destination
      LOG all -- anywhere anywhere LOG level debug prefix "NATQTRACE: "
      SNAT tcp -- anywhere anywhere tcp spt:ssh to::2022
      RETURN all -- 192.168.122.0/24 base-address.mcast.net/24
      RETURN all -- 192.168.122.0/24 broadcasthost.localdomain
      MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
      MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
      MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24


      Finally this is an example of what I see in syslog with the above rules:



      Oct 20 09:49:15 ubuntu kernel: [85149.812291] RAWPTRACE: IN=enp0s5 OUT= MAC=00:1c:42:3a:00:df:00:1c:42:00:00:08:08:00 SRC=10.211.55.2 DST=10.211.55.4 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=40132 DF PROTO=TCP SPT=53245 DPT=2022 WINDOW=65535 RES=0x00 SYN URGP=0
      Oct 20 09:49:15 ubuntu kernel: [85149.812318] MGPTRACE: IN=enp0s5 OUT= MAC=00:1c:42:3a:00:df:00:1c:42:00:00:08:08:00 SRC=10.211.55.2 DST=10.211.55.4 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=40132 DF PROTO=TCP SPT=53245 DPT=2022 WINDOW=65535 RES=0x00 SYN URGP=0
      Oct 20 09:49:15 ubuntu kernel: [85149.812326] NATPTRACE: IN=enp0s5 OUT= MAC=00:1c:42:3a:00:df:00:1c:42:00:00:08:08:00 SRC=10.211.55.2 DST=10.211.55.4 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=40132 DF PROTO=TCP SPT=53245 DPT=2022 WINDOW=65535 RES=0x00 SYN URGP=0
      Oct 20 09:49:15 ubuntu kernel: [85149.812336] MGFTRACE: IN=enp0s5 OUT=virbr0 MAC=00:1c:42:3a:00:df:00:1c:42:00:00:08:08:00 SRC=10.211.55.2 DST=192.168.122.118 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=40132 DF PROTO=TCP SPT=53245 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
      Oct 20 09:49:15 ubuntu kernel: [85149.812340] FORTRACE: IN=enp0s5 OUT=virbr0 MAC=00:1c:42:3a:00:df:00:1c:42:00:00:08:08:00 SRC=10.211.55.2 DST=192.168.122.118 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=40132 DF PROTO=TCP SPT=53245 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
      Oct 20 09:49:15 ubuntu kernel: [85149.812354] RAWOTRACE: IN= OUT=enp0s5 SRC=10.211.55.4 DST=10.211.55.2 LEN=92 TOS=0x00 PREC=0xC0 TTL=64 ID=50608 PROTO=ICMP TYPE=3 CODE=3 [SRC=10.211.55.2 DST=192.168.122.118 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=40132 DF PROTO=TCP SPT=53245 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0 ]
      Oct 20 09:49:15 ubuntu kernel: [85149.812357] MGOTRACE: IN= OUT=enp0s5 SRC=10.211.55.4 DST=10.211.55.2 LEN=92 TOS=0x00 PREC=0xC0 TTL=64 ID=50608 PROTO=ICMP TYPE=3 CODE=3 [SRC=10.211.55.2 DST=192.168.122.118 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=40132 DF PROTO=TCP SPT=53245 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0 ]
      Oct 20 09:49:15 ubuntu kernel: [85149.812361] OUTTRACE: IN= OUT=enp0s5 SRC=10.211.55.4 DST=10.211.55.2 LEN=92 TOS=0x00 PREC=0xC0 TTL=64 ID=50608 PROTO=ICMP TYPE=3 CODE=3 [SRC=10.211.55.2 DST=192.168.122.118 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=40132 DF PROTO=TCP SPT=53245 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0 ]
      Oct 20 09:49:15 ubuntu kernel: [85149.812364] MGQTRACE: IN= OUT=enp0s5 SRC=10.211.55.4 DST=10.211.55.2 LEN=92 TOS=0x00 PREC=0xC0 TTL=64 ID=50608 PROTO=ICMP TYPE=3 CODE=3 [SRC=10.211.55.2 DST=192.168.122.118 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=40132 DF PROTO=TCP SPT=53245 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0 ]








      share|improve this question













      share|improve this question




      share|improve this question








      edited Oct 20 '17 at 15:10

























      asked Oct 20 '17 at 14:57









      Darth Voidpointer

      213




      213




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          1
          down vote













          The problem was in the FORWARD rules. As I did not set them up, I was misinterpreting output from iptables --list.



          In that list rule 4 reads:



          ACCEPT all -- anywhere anywhere


          This appears to accept all incoming packets from anywhere bound to anywhere.



          However if I look at iptables -S rule 4 is actually:



          -A FORWARD -i virbr0 -o virbr0 -j ACCEPT


          Which is not going to be matched by a packet coming in from enp0s5 destined for vibr0. So it was hitting the REJECT rule 5, which was actually a reject for all packets destined for vibr0.



          The lesson I have learned is not to trust the output of iptables --list but rather to check iptables -S output when something seems wrong.






          share|improve this answer






















            Your Answer







            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "106"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: false,
            noModals: false,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













             

            draft saved


            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f399368%2funable-to-port-forward-over-virtual-bridge-to-tap-interface%23new-answer', 'question_page');

            );

            Post as a guest






























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            1
            down vote













            The problem was in the FORWARD rules. As I did not set them up, I was misinterpreting output from iptables --list.



            In that list rule 4 reads:



            ACCEPT all -- anywhere anywhere


            This appears to accept all incoming packets from anywhere bound to anywhere.



            However if I look at iptables -S rule 4 is actually:



            -A FORWARD -i virbr0 -o virbr0 -j ACCEPT


            Which is not going to be matched by a packet coming in from enp0s5 destined for vibr0. So it was hitting the REJECT rule 5, which was actually a reject for all packets destined for vibr0.



            The lesson I have learned is not to trust the output of iptables --list but rather to check iptables -S output when something seems wrong.






            share|improve this answer


























              up vote
              1
              down vote













              The problem was in the FORWARD rules. As I did not set them up, I was misinterpreting output from iptables --list.



              In that list rule 4 reads:



              ACCEPT all -- anywhere anywhere


              This appears to accept all incoming packets from anywhere bound to anywhere.



              However if I look at iptables -S rule 4 is actually:



              -A FORWARD -i virbr0 -o virbr0 -j ACCEPT


              Which is not going to be matched by a packet coming in from enp0s5 destined for vibr0. So it was hitting the REJECT rule 5, which was actually a reject for all packets destined for vibr0.



              The lesson I have learned is not to trust the output of iptables --list but rather to check iptables -S output when something seems wrong.






              share|improve this answer
























                up vote
                1
                down vote










                up vote
                1
                down vote









                The problem was in the FORWARD rules. As I did not set them up, I was misinterpreting output from iptables --list.



                In that list rule 4 reads:



                ACCEPT all -- anywhere anywhere


                This appears to accept all incoming packets from anywhere bound to anywhere.



                However if I look at iptables -S rule 4 is actually:



                -A FORWARD -i virbr0 -o virbr0 -j ACCEPT


                Which is not going to be matched by a packet coming in from enp0s5 destined for vibr0. So it was hitting the REJECT rule 5, which was actually a reject for all packets destined for vibr0.



                The lesson I have learned is not to trust the output of iptables --list but rather to check iptables -S output when something seems wrong.






                share|improve this answer














                The problem was in the FORWARD rules. As I did not set them up, I was misinterpreting output from iptables --list.



                In that list rule 4 reads:



                ACCEPT all -- anywhere anywhere


                This appears to accept all incoming packets from anywhere bound to anywhere.



                However if I look at iptables -S rule 4 is actually:



                -A FORWARD -i virbr0 -o virbr0 -j ACCEPT


                Which is not going to be matched by a packet coming in from enp0s5 destined for vibr0. So it was hitting the REJECT rule 5, which was actually a reject for all packets destined for vibr0.



                The lesson I have learned is not to trust the output of iptables --list but rather to check iptables -S output when something seems wrong.







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited Oct 20 '17 at 18:25









                Ned64

                2,44911035




                2,44911035










                answered Oct 20 '17 at 15:32









                Darth Voidpointer

                213




                213



























                     

                    draft saved


                    draft discarded















































                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f399368%2funable-to-port-forward-over-virtual-bridge-to-tap-interface%23new-answer', 'question_page');

                    );

                    Post as a guest













































































                    Popular posts from this blog

                    How to check contact read email or not when send email to Individual?

                    Displaying single band from multi-band raster using QGIS

                    How many registers does an x86_64 CPU actually have?