Multipass Port Forwarding with IPTables

Port Forwarding can be performed with IPTables to an instance from a Linux host.

FORWARD Chain
When adding an IPTables port forward, be sure to use -I (capital i) to insert the rule. In the examples below, the rules are inserted at position 1 in the FORWARD chain. Each time a rule is added, it just pushes the next ones down. The insert is needed because the default is to add FORWARD rules at the end of the FORWARD chain.

Forward Port 443 to Ubuntu multipass instance
sudo iptables -t nat -I PREROUTING 1 -i wlp1s0 -p tcp --dport 443 -j DNAT --to-destination 10.219.36.119:443
sudo iptables -I FORWARD 1 -p tcp -d 10.219.36.119 --dport 443 -j ACCEPT

Forward Port 3389 to Ubuntu multipass instance
sudo iptables -t nat -I PREROUTING 1 -i wlp1s0 -p tcp --dport 3389 -j DNAT --to-destination 10.219.36.120:3389
sudo iptables -I FORWARD 1 -p tcp -d 10.219.36.120 --dport 3389 -j ACCEPT

Those will be pushed to the beginning of the FORWARD chain (notice how the port 80 rule was pushed down since 3389 was inserted at line 1):

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            10.219.36.120        tcp dpt:3389
ACCEPT     tcp  --  0.0.0.0/0            10.219.36.119        tcp dpt:80 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            /* generated for Multipass network mpqemubr0 */
ACCEPT     all  --  10.219.36.0/24       0.0.0.0/0            /* generated for Multipass network mpqemubr0 */
ACCEPT     all  --  0.0.0.0/0            10.219.36.0/24       ctstate RELATED,ESTABLISHED /* generated for Multipass network mpqemubr0 */
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            /* generated for Multipass network mpqemubr0 */ reject-with icmp-port-unreachable
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            /* generated for Multipass network mpqemubr0 */ reject-with icmp-port-unreachable

and the PREROUTING rules will be added to the NAT table:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3389 to:10.219.36.120:3389
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.219.36.119:80

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  10.219.36.0/24      !10.219.36.0/24       /* generated for Multipass network mpqemubr0 */
MASQUERADE  udp  --  10.219.36.0/24      !10.219.36.0/24       /* generated for Multipass network mpqemubr0 */ masq ports: 1024-65535
MASQUERADE  tcp  --  10.219.36.0/24      !10.219.36.0/24       /* generated for Multipass network mpqemubr0 */ masq ports: 1024-65535
RETURN     all  --  10.219.36.0/24       255.255.255.255      /* generated for Multipass network mpqemubr0 */
RETURN     all  --  10.219.36.0/24       224.0.0.0/24         /* generated for Multipass network mpqemubr0 */

-duane

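The ordering point above (insert with -I so the ACCEPT lands before Multipass's own REJECT rules) is easy to get wrong and hard to see in `iptables -L -n`, which hides the -i/-o interface matches. The following is an added example, not code from the post: it parses `iptables -S FORWARD` style output and walks the chain the way netfilter does (first matching rule wins, otherwise the chain policy), so you can dry-run whether a DNATed connection would be accepted. The sample chain is constructed from the thread's listing; the interface matches on the Multipass-generated rules are an assumption, and the last rule is a deliberately mis-added forward (appended with -A) to show the failure. Only the options used here are parsed; "!" negation and other match modules are ignored.

```python
"""Dry-run check of an iptables FORWARD chain for a DNAT port-forward.

Added example (not code from the thread). Parses `iptables -S FORWARD` output
and returns the verdict a new inbound connection would get. The sample chain
is CONSTRUCTED from the thread's `iptables -L -n` listing; the -i/-o matches on
the Multipass rules are assumed, since `-L -n` does not print them.
"""
import ipaddress
import shlex

# Constructed sample: rules 1-2 were inserted with `-I FORWARD 1`; the last rule
# was added with `-A FORWARD`, so it sits after Multipass's REJECT rules.
SAMPLE_FORWARD = """\
-P FORWARD ACCEPT
-A FORWARD -d 10.219.36.120/32 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -d 10.219.36.119/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i mpqemubr0 -o mpqemubr0 -m comment --comment "generated for Multipass network mpqemubr0" -j ACCEPT
-A FORWARD -s 10.219.36.0/24 -i mpqemubr0 -m comment --comment "generated for Multipass network mpqemubr0" -j ACCEPT
-A FORWARD -d 10.219.36.0/24 -o mpqemubr0 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "generated for Multipass network mpqemubr0" -j ACCEPT
-A FORWARD -o mpqemubr0 -m comment --comment "generated for Multipass network mpqemubr0" -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i mpqemubr0 -m comment --comment "generated for Multipass network mpqemubr0" -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.219.36.121/32 -p tcp -m tcp --dport 8080 -j ACCEPT
"""

# Options this simplified parser understands; anything else ("!" negation,
# other match modules) is skipped, so treat a verdict as a hint, not proof.
_VALUE_OPTS = {"-s", "-d", "-i", "-o", "-p", "-j", "--dport", "--sport",
               "--ctstate", "--comment", "--reject-with"}


def parse_chain(listing):
    """Return (policy, rules); each rule is a dict of option -> value."""
    policy, rules = "ACCEPT", []
    for line in listing.splitlines():
        toks = shlex.split(line)          # keeps the quoted comment as one token
        if not toks:
            continue
        if toks[0] == "-P":               # "-P FORWARD ACCEPT"
            policy = toks[2]
            continue
        if toks[0] != "-A":
            continue
        rule, i = {"text": line}, 2       # skip "-A FORWARD"
        while i < len(toks):
            if toks[i] in _VALUE_OPTS:
                rule[toks[i]] = toks[i + 1]
                i += 2
            else:                          # "-m tcp", "-m comment", ...
                i += 1
        rules.append(rule)
    return policy, rules


def rule_matches(rule, pkt):
    """Does this rule match the packet? Options a rule omits match anything."""
    if "-p" in rule and rule["-p"] != pkt["proto"]:
        return False
    for opt, key in (("-s", "src"), ("-d", "dst")):
        if opt in rule and ipaddress.ip_address(pkt[key]) not in \
                ipaddress.ip_network(rule[opt], strict=False):
            return False
    for opt, key in (("-i", "in_if"), ("-o", "out_if")):
        if opt in rule and rule[opt] != pkt[key]:
            return False
    if "--dport" in rule and int(rule["--dport"]) != pkt["dport"]:
        return False
    if "--ctstate" in rule and pkt["ctstate"] not in rule["--ctstate"].split(","):
        return False
    return True


def verdict(listing, pkt):
    """First matching rule decides: (target, 1-based rule index), else (policy, 0)."""
    policy, rules = parse_chain(listing)
    for idx, rule in enumerate(rules, 1):
        if rule_matches(rule, pkt):
            return rule["-j"], idx
    return policy, 0


def inbound_forward(dst, dport, in_if="wlp1s0", out_if="mpqemubr0"):
    """Constructed packet: a new TCP connection from the LAN, already DNATed by
    PREROUTING, now crossing FORWARD on its way into the Multipass bridge."""
    return {"src": "203.0.113.10", "dst": dst, "proto": "tcp", "dport": dport,
            "in_if": in_if, "out_if": out_if, "ctstate": "NEW"}


def forward_is_reachable(listing, dst, dport):
    target, _ = verdict(listing, inbound_forward(dst, dport))
    return target == "ACCEPT"


if __name__ == "__main__":
    for dst, port in (("10.219.36.120", 3389), ("10.219.36.119", 80),
                      ("10.219.36.121", 8080)):
        target, idx = verdict(SAMPLE_FORWARD, inbound_forward(dst, port))
        print(f"{dst}:{port} -> {target} (rule {idx or 'policy'})")
```

On a real host, pass the output of `sudo iptables -S FORWARD` to `verdict` instead of the constructed sample, with `in_if` set to the interface the PREROUTING rule uses. The 8080 forward in the sample is rejected by rule 6 before its own ACCEPT is ever reached, which is the exact symptom an appended (-A) rule produces.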

Hello, I have an Ubuntu host with a manual IP 10.111.0.6/24 configured on interface eno4, and

I have a primary VM in multipass on this host with IP 10.169.147.160/24


I want to route traffic received on 10.111.0.6 to the VM on port 443.

What I have written on the host is

sudo iptables -t nat -I PREROUTING 1 -i eno4 -p tcp --dport 443 -j DNAT --to-destination 10.169.147.160:443

sudo iptables -I FORWARD 1 -p tcp -d 10.169.147.160 --dport 443 -j ACCEPT

The routes are saved, but I’m unable to access the server on 443.

@kyrofa can you please have a look and help me.

What am I doing wrong?

sudo iptables -t nat -I PREROUTING 1 -i eno4 -p tcp --dport 443 -j DNAT --to-destination 10.169.147.160:443
sudo iptables -I FORWARD 1 -p tcp -d 10.169.147.160 --dport 443 -j ACCEPT

Do you have a firewall on the VM and have port 443 allowed in?

Try running tcpdump and then browsing to: https://10.111.0.6 to see if the packets are coming through.

Thank you @thedunston, the firewall on the VM is inactive.
The firewall on the host is also inactive.
The VM is able to connect to the internet, and the VM is accessible from the host.

So what is wrong? It’s more like one-way traffic is going through… :expressionless:

Did you run tcpdump to see if the traffic is getting through to multipass?

tcpdump -n -i any port 443

Then browse to https://10.111.0.6

Hello @thedunston, I changed the driver from qemu to lxd and everything is working fine. I tested it on a new VM, and the pings and all are being replied to.

Will get a server setup and re-confirm.

Thank you for your help. :pray: