0

I want to connect to a virtual VM hosted by the server 1.2.3.4 using ssh. The IP of the VM is 10.10.10.100.

"nft list ruleset" prints:

 table inet filter {
     chain input {
         type filter hook input priority 0; policy drop;
         iif "lo" accept comment "Accept any localhost traffic"
         ct state invalid drop comment "Drop invalid connections"
         ct state established,related accept comment "Accept traffic originated from us"
         ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept comment "Accept ICMPv6"
         ip protocol icmp icmp type { destination-unreachable, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept comment "Accept ICMP"
         ip protocol igmp accept comment "Accept IGMP"
         tcp dport ssh accept comment "Accept SSH on port 22"
         tcp dport { http, https, 8008, http-alt } accept comment "Accept HTTP (ports 80, 443, 8008, 8080)"
     }

     chain forward {
         type filter hook forward priority 0; policy drop;
     }

     chain output {
         type filter hook output priority 0; policy accept;
     }
 }
 table ip nat {
     chain input {
         type nat hook input priority 0; policy accept;
         counter packets 3 bytes 180
     }

     chain prerouting {
         type nat hook prerouting priority -101; policy accept;
         counter packets 12 bytes 2122 dnat to tcp dport map { 10100 : 10.10.10.100 }:tcp dport map { 10100 : ssh }
     }

     chain postrouting {
         type nat hook postrouting priority 0; policy accept;
         snat to ip saddr map { 1.2.3.4 : 10.10.10.100 }
     }
 }

"nmap -p10100 1.2.3.4" says: 10100/tcp filtered itap-ddtp

"ssh 1.2.3.4" works.

On the server, "ssh 10.10.10.100" works.

"sysctl net.ipv4.ip_forward" prints "net.ipv4.ip_forward = 1"

2 Answers

0

My problem was the incompatibility of virt-manager and nftables. virt-manager uses iptables.

Maybe there is a solution.

Using virt-manager is more important for me than using nftables.

Firewalld is compatible with virt-manager, so in order to use virt-manager, I "must" learn Firewalld.

0

Just created an account to try to answer your question. I had a similar problem. What I think you're missing is to allow the IP in the forward chain. Something like:

 chain forward {
     type filter hook forward priority 0; policy drop;
     ip daddr 10.10.10.100 ct status dnat accept;
 }

Hope this helps with your issue.

1
  • This does not really answer the question. If you have a different question, you can ask it by clicking Ask Question. To get notified when this question gets new answers, you can follow this question. Once you have enough reputation, you can also add a bounty to draw more attention to this question. - From Review Commented Mar 10, 2024 at 6:09
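The point both the question and this answer turn on is that a DNAT'd packet is still subject to the filter table's forward chain, and in the question that chain has `policy drop` and no rules, which is exactly what nmap's "filtered" (no reply at all) looks like. One caveat a practitioner would add to the answer's rule: the VM's reply packets also traverse the forward chain, with `ip daddr` set to the client rather than 10.10.10.100, so a forward chain with `policy drop` also needs `ct state established,related accept` or the handshake never completes. The script below is an added example, not code from either poster: it parses the text that `nft list ruleset` prints (flattened onto one line, as in the question, or one rule per line), locates the base chain hooked on `forward`, and reports which of those two accept rules is missing. The ruleset embedded in it is a constructed, trimmed copy of the one in the question; the `FIXED_FORWARD` chain is an assumed corrected version.

```python
import re

# Constructed sample input: the poster's ruleset, trimmed to the rules that
# matter here, flattened onto one line the way the question shows it.
ORIGINAL_FORWARD = "chain forward { type filter hook forward priority 0; policy drop; }"
ORIGINAL_RULESET = (
    'table inet filter { chain input { type filter hook input priority 0; policy drop; '
    'iif "lo" accept comment "Accept any localhost traffic" '
    'ct state established,related accept comment "Accept traffic originated from us" '
    'tcp dport ssh accept comment "Accept SSH on port 22" } '
    + ORIGINAL_FORWARD +
    ' chain output { type filter hook output priority 0; policy accept; } } '
    'table ip nat { chain prerouting { type nat hook prerouting priority -101; policy accept; '
    'dnat to tcp dport map { 10100 : 10.10.10.100 }:tcp dport map { 10100 : ssh } } '
    'chain postrouting { type nat hook postrouting priority 0; policy accept; '
    'snat to ip saddr map { 1.2.3.4 : 10.10.10.100 } } }'
)

# Assumed corrected forward chain: accept replies of any existing connection
# (the VM -> client direction) and accept new connections that prerouting DNAT'd.
FIXED_FORWARD = (
    "chain forward { type filter hook forward priority 0; policy drop; "
    "ct state established,related accept "
    "ip daddr 10.10.10.100 ct status dnat accept }"
)
FIXED_RULESET = ORIGINAL_RULESET.replace(ORIGINAL_FORWARD, FIXED_FORWARD)

CHAIN_START = re.compile(r"\bchain\s+(\S+)\s*\{")
# A rule ends with a verdict, optionally followed by a comment string.
RULE = re.compile(r'(.*?\b(?:accept|drop|reject|return)\b)(?:\s+comment\s+"[^"]*")?', re.S)


def parse_chains(ruleset):
    """Return one dict per chain: name, body text, hook and policy (None if not a base chain).
    Rule bodies contain nested braces (anonymous sets and maps), so the closing
    brace of a chain is found by counting depth rather than with a regex."""
    chains = []
    for m in CHAIN_START.finditer(ruleset):
        depth, i = 1, m.end()
        while i < len(ruleset) and depth:
            if ruleset[i] == "{":
                depth += 1
            elif ruleset[i] == "}":
                depth -= 1
            i += 1
        body = ruleset[m.end():i - 1].strip()
        hook = re.search(r"\bhook\s+(\w+)", body)
        policy = re.search(r"\bpolicy\s+(\w+)", body)
        chains.append({
            "name": m.group(1),
            "body": body,
            "hook": hook.group(1) if hook else None,
            "policy": policy.group(1) if policy else None,
        })
    return chains


def rules_of(body):
    """Split a chain body into its rules, dropping the 'type ... ; policy ...;' header."""
    rest = re.sub(r"^.*?policy\s+\w+\s*;", "", body, count=1, flags=re.S)
    return [r.strip() for r in RULE.findall(rest) if r.strip()]


def forward_chain_problems(ruleset, vm_ip):
    """List what a drop-policy forward chain is missing for DNAT to vm_ip to work."""
    problems = []
    for chain in parse_chains(ruleset):
        if chain["hook"] != "forward" or chain["policy"] != "drop":
            continue  # without a drop-policy forward base chain nothing here is filtered
        accepts = [r for r in rules_of(chain["body"]) if r.endswith("accept")]
        if not any(re.search(r"ct state \S*established", r) for r in accepts):
            problems.append(f"{chain['name']}: replies from {vm_ip} are dropped "
                            "(no 'ct state established,related accept')")
        if not any("ct status dnat" in r or f"ip daddr {vm_ip}" in r for r in accepts):
            problems.append(f"{chain['name']}: DNAT'd connections to {vm_ip} are dropped "
                            "(no accept rule for them)")
    return problems


if __name__ == "__main__":
    for label, rs in (("original", ORIGINAL_RULESET), ("fixed", FIXED_RULESET)):
        print(label, forward_chain_problems(rs, "10.10.10.100") or ["ok"])
```

On a real host the same check runs against live output with `nft list ruleset | python3 check_forward.py` style plumbing (reading stdin instead of the embedded string); the parser only depends on the textual form nft prints, so it works on both the one-line and the indented layouts.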
