ssh into kvm-clients
Phil Meyer
pmeyer at themeyerfarm.com
Mon May 31 16:48:26 UTC 2010
On 05/30/2010 11:02 AM, brizly vaan van Ulciputz wrote:
> Hello Everyone,
>
> I wonder why I am not able to ssh in, in this case:
>
> I have a kvm-'server' running 4 'guests'.
>
> the guests are behind nat (default in kvm?).
>
> Running fresh Fedora on all machines (host and guests), installed from
> live-cd; I enabled sshd and made sure system-config-firewall allows
> ssh in, but I am not able to reach the guests by ssh.
>
> I can ping them, by the IP given to them by the kvm-server and by
> openvpn-client-ip, all good.
> [brizly at s28 ~]$ ping 192.168.24.22
> PING 192.168.24.22 (192.168.24.22) 56(84) bytes of data.
> 64 bytes from 192.168.24.22: icmp_seq=1 ttl=64 time=2.50 ms
> 64 bytes from 192.168.24.22: icmp_seq=2 ttl=64 time=1.80 ms
> 64 bytes from 192.168.24.22: icmp_seq=3 ttl=64 time=2.01 ms
>
>
> but with ssh I just get:
> [brizly at s28 ~]$ ssh 192.168.24.22
> ssh: connect to host 192.168.24.22 port 22: No route to host
>
>
> I don't know where to start searching: firewall, selinux, openvpn...
>
> Other openvpn-clients - installed the same way, but 'real' machines, not
> kvm-clients - are reachable. Also from kvm-client to outside-host it works.
>
> Any ideas?
>
>
You will notice that qemu, when running in NATed mode, will set up rules
for iptables by default. In effect, a NATed interface accepts NO
inbound connections, and qemu ensures that with iptables rules.
There are at least two ways to allow ssh to a KVM based guest that is NATed.
One method involves qemu automatically starting a daemon on the host
that listens on a port you specify and redirects traffic on that port to
a port you specify on the VM. This requires adding an appropriate '-net
user' rule to the qemu process when it runs. Virt Manager does not
have an interface into all of the qemu options, so you will have to edit
the xml file by hand to add it. And if you make a change to the guest
using Virt Manager, you could lose your changes.
Since qemu uses iptables to implement its NATed firewall for the KVMs,
you can also use iptables to allow ports into guests.
The qemu rules are added dynamically, so you can't modify those
particular rules, but you can add permanent rules that allow what you
want, even when the qemu NAT is in place.
I think that the rule set qemu uses is called DNAT by default, so we add:
-A PREROUTING -i eth0 -p tcp -m tcp -d <IP> --dport 22 -j DNAT
--to-destination <VMIP>
For each VM.
I realize that this is sketchy, but it would be inappropriate to show
real IPs and destinations in a mailing list posting. :)
Hopefully, this is enough of a pointer to be of some help.
Good luck!
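The two methods Phil describes, made concrete as an added example (this is not code from the thread, and the values are assumed placeholders: eth0 for the host's outside interface, virbr0 for libvirt's default NAT bridge, 203.0.113.10 for the host address and 192.168.122.x for the guests). The script prints the rules for review and only runs iptables when APPLY=1 is set. It also emits the equivalent '-net user,hostfwd=...' option for the qemu-daemon method, and adds the FORWARD permit that the post leaves implicit: libvirt's dynamically added FORWARD rules reject new inbound traffic toward the guest bridge, so a DNAT alone is not enough unless an ACCEPT is inserted ahead of them.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds the host-side rules
# that forward a host port to sshd on a NATed KVM guest. All addresses and
# interface names are assumed placeholders; override them via the environment.

HOST_IF=${HOST_IF:-eth0}          # host's outside interface (assumed)
NAT_BR=${NAT_BR:-virbr0}          # libvirt's default NAT bridge (assumed)
HOST_IP=${HOST_IP:-203.0.113.10}  # host address clients connect to (placeholder)

# nat-table rule: packets arriving on the outside interface for
# HOST_IP:<hostport> are rewritten to <guestip>:<guestport>. This is the DNAT
# from the post, with the host port explicit so several guests can share one IP.
dnat_rule() {          # dnat_rule <hostport> <guestip> <guestport>
    printf '%s\n' "-t nat -A PREROUTING -i $HOST_IF -p tcp -m tcp -d $HOST_IP --dport $1 -j DNAT --to-destination $2:$3"
}

# filter-table rule: libvirt's own FORWARD rules reject new connections toward
# the guest bridge, so the permit must be inserted ahead of them (-I, not -A).
forward_rule() {       # forward_rule <guestip> <guestport>
    printf '%s\n' "-I FORWARD -i $HOST_IF -o $NAT_BR -p tcp -m tcp -d $1 --dport $2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# The other method from the post: qemu's user-mode network option that makes
# qemu itself listen on the host port and relay it into the guest. Printed for
# reference; it belongs on the guest's qemu command line, not in iptables.
hostfwd_option() {     # hostfwd_option <hostport> <guestport>
    printf '%s\n' "-net user,hostfwd=tcp:$HOST_IP:$1-:$2"
}

# Both iptables rules for one guest, one per line.
guest_rules() {        # guest_rules <hostport> <guestip> <guestport>
    dnat_rule "$1" "$2" "$3"
    forward_rule "$2" "$3"
}

# Dry run by default: print each rule. With APPLY=1, hand each line to
# iptables (needs root; this script does not persist the rules across reboots).
run_rules() {          # run_rules <hostport> <guestip> <guestport>
    guest_rules "$1" "$2" "$3" | while IFS= read -r rule; do
        if [ "${APPLY:-0}" = 1 ]; then
            iptables $rule       # word-splitting the rule string is intended
        else
            echo "iptables $rule"
        fi
    done
}

# Constructed sample inventory: four guests, as in the original post, each
# mapped to a distinct host port. Fields: hostport guestip guestport
main() {
    printf '%s\n' \
        "2201 192.168.122.21 22" \
        "2202 192.168.122.22 22" \
        "2203 192.168.122.23 22" \
        "2204 192.168.122.24 22" |
    while read -r hp gip gp; do
        run_rules "$hp" "$gip" "$gp"
        echo "# qemu alternative for $gip: $(hostfwd_option "$hp" "$gp")"
    done
}

main
```

Before adding anything on the host it is worth checking the guest's own firewall first: a "No route to host" from ssh against a host that answers ping is exactly what a REJECT with icmp-host-prohibited (the system-config-firewall default) produces, whereas a missing host-side forward usually shows up as a timeout.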