Port Forwarding

HTTP(S) port 80 and 443

You can skip this step if either:

  1. You’re using a tunneling solution or
  2. You want to access your antlets only from within your local LAN / WiFi.

If, on the other hand, you want to access the web software you’ve installed in your antlets from the world and you do not use a tunneling solution, then port forwarding is what you want to do.

We have good news: this is only necessary once. After it is done, you can access as many antlets using as many domain names as you like, without any additional port forwarding.

What you need to do is forward ports 80 (HTTP) and 443 (HTTPS) to the private IP address of your antsle.

Log in to antMan on your antsle. The private IP address is displayed near the top left corner. Take note of the address (or simply copy it to the clipboard). This is the destination IP address you will enter in your router's port forwarding table.

(Screenshot: antMan display of the private IP address)

The actual procedure differs from router to router. We recommend using sites like portforward.com to find specific instructions for your router model. Remember to forward ports 80 and 443 (use the same port numbers for both source and destination).

To forward a domain name to a specific antlet, see the Access antlets by Domain page.

Forwarding other ports

Another typical use case is forwarding ports for services other than HTTP/HTTPS, and we know you will be running a lot of other stuff: email, DNS, MySQL, Minecraft...

The best way to do this is to create a so-called "libvirt hook". That way, the port forwarding is enabled automatically when the antlet starts and removed when the antlet stops, so no rule is left pointing at an antlet that is no longer running.

For that, ssh into your antsle and then issue these commands:

mkdir -p /etc/libvirt/hooks
cd /etc/libvirt/hooks

Now that you are in the /etc/libvirt/hooks directory, use your favorite text editor, such as vim or nano, to create a file named qemu (assuming you want to forward into KVM antlets) with the contents shown below.
If forwarding into an LXC antlet, you can use the very same script. Just name it "lxc" instead of "qemu".

#!/bin/bash
# Based on the multi-port ("advanced") hook script: Host_port and Guest_port
# must contain the same number of entries, matched up by position.

# Log every invocation (antlet name and operation) for troubleshooting
echo "$(date)" hook/qemu "${1}" "${2}" >>/root/hook.log

# Update the following variables to fit your setup
Guest_name=Win
Guest_ipaddr=10.1.1.12
Host_ipaddr=192.168.1.66
Host_port=(  '3389' )
Guest_port=( '3389' )

length=$(( ${#Host_port[@]} - 1 ))
if [ "${1}" = "${Guest_name}" ]; then
   # Remove the rules when the antlet stops (and before re-adding them on reconnect,
   # so a libvirtd restart does not leave duplicate rules behind)
   if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
       for i in $(seq 0 "$length"); do
               echo "kvm-Ho." >>/root/hook.log
               iptables -t nat -D PREROUTING -d "${Host_ipaddr}" -p udp --dport "${Host_port[$i]}" -j DNAT --to "${Guest_ipaddr}:${Guest_port[$i]}"
               iptables -D FORWARD -d "${Guest_ipaddr}/32" -p udp -m state --state NEW,ESTABLISHED,RELATED --dport "${Guest_port[$i]}" -j ACCEPT
               iptables -t nat -D PREROUTING -d "${Host_ipaddr}" -p tcp --dport "${Host_port[$i]}" -j DNAT --to "${Guest_ipaddr}:${Guest_port[$i]}"
               iptables -D FORWARD -d "${Guest_ipaddr}/32" -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport "${Guest_port[$i]}" -j ACCEPT
       done
   fi
   # Add the rules when the antlet starts: DNAT rewrites the destination to the antlet,
   # and the FORWARD rule (inserted at the top with -I) lets the rewritten traffic through
   if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
       for i in $(seq 0 "$length"); do
               echo "kvm-Hey." >>/root/hook.log
               iptables -t nat -A PREROUTING -d "${Host_ipaddr}" -p tcp --dport "${Host_port[$i]}" -j DNAT --to "${Guest_ipaddr}:${Guest_port[$i]}"
               iptables -I FORWARD -d "${Guest_ipaddr}/32" -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport "${Guest_port[$i]}" -j ACCEPT
               iptables -t nat -A PREROUTING -d "${Host_ipaddr}" -p udp --dport "${Host_port[$i]}" -j DNAT --to "${Guest_ipaddr}:${Guest_port[$i]}"
               iptables -I FORWARD -d "${Guest_ipaddr}/32" -p udp -m state --state NEW,ESTABLISHED,RELATED --dport "${Guest_port[$i]}" -j ACCEPT
       done
   fi
fi

Please adapt these lines to your needs:

Guest_name=Win
Guest_ipaddr=10.1.1.12
Host_ipaddr=192.168.1.66
Host_port=(  '3389' )
Guest_port=( '3389' )
  • Guest_name is the antlet name
  • Guest_ipaddr is the IP address of the antlet as seen in antMan
  • Host_ipaddr is the private IP address of the antsle as seen in antMan
  • Host_port is the port number of the request coming in to the antsle
  • Guest_port is the target port number of the service on the antlet

The Host_port and Guest_port do not need to be the same:

Host_port=(  '13330' )
Guest_port=( '3389' )

This can be used to forward traffic to multiple antlets listening on the same port by setting a unique Host_port per antlet. It also keeps automated scans of well-known ports from finding the service as easily, although that is no substitute for securing the service itself.

You can add more ports if needed (separate the port numbers with a space; Guest_port must then list the same number of entries, in the same order):

Host_port=( '3389' '4444' '2211' )

If you need to forward ports into additional antlets, just duplicate the code within the same hook file. An example could look like this:

#!/bin/bash
# Based on the multi-port ("advanced") hook script: Host_port and Guest_port
# must contain the same number of entries, matched up by position.

# Log every invocation (antlet name and operation) for troubleshooting
echo "$(date)" hook/qemu "${1}" "${2}" >>/root/hook.log

# First antlet: update the following variables to fit your setup
Guest_name=Win
Guest_ipaddr=10.1.1.12
Host_ipaddr=192.168.1.66
Host_port=(  '3389' )
Guest_port=( '3389' )

length=$(( ${#Host_port[@]} - 1 ))
if [ "${1}" = "${Guest_name}" ]; then
   # Remove the rules when the antlet stops (and before re-adding them on reconnect)
   if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
       for i in $(seq 0 "$length"); do
               echo "kvm-Ho." >>/root/hook.log
               iptables -t nat -D PREROUTING -d "${Host_ipaddr}" -p udp --dport "${Host_port[$i]}" -j DNAT --to "${Guest_ipaddr}:${Guest_port[$i]}"
               iptables -D FORWARD -d "${Guest_ipaddr}/32" -p udp -m state --state NEW,ESTABLISHED,RELATED --dport "${Guest_port[$i]}" -j ACCEPT
               iptables -t nat -D PREROUTING -d "${Host_ipaddr}" -p tcp --dport "${Host_port[$i]}" -j DNAT --to "${Guest_ipaddr}:${Guest_port[$i]}"
               iptables -D FORWARD -d "${Guest_ipaddr}/32" -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport "${Guest_port[$i]}" -j ACCEPT
       done
   fi
   # Add the rules when the antlet starts (or libvirtd reconnects to it)
   if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
       for i in $(seq 0 "$length"); do
               echo "kvm-Hey." >>/root/hook.log
               iptables -t nat -A PREROUTING -d "${Host_ipaddr}" -p tcp --dport "${Host_port[$i]}" -j DNAT --to "${Guest_ipaddr}:${Guest_port[$i]}"
               iptables -I FORWARD -d "${Guest_ipaddr}/32" -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport "${Guest_port[$i]}" -j ACCEPT
               iptables -t nat -A PREROUTING -d "${Host_ipaddr}" -p udp --dport "${Host_port[$i]}" -j DNAT --to "${Guest_ipaddr}:${Guest_port[$i]}"
               iptables -I FORWARD -d "${Guest_ipaddr}/32" -p udp -m state --state NEW,ESTABLISHED,RELATED --dport "${Guest_port[$i]}" -j ACCEPT
       done
   fi
fi

# Second antlet: the same block again with its own name, address and ports
Guest_name=lamp
Guest_ipaddr=10.1.1.15
Host_ipaddr=192.168.1.66
Host_port=(  '3306' '21' ) # Expose MySQL and FTP ports
Guest_port=( '3306' '21' )

length=$(( ${#Host_port[@]} - 1 ))
if [ "${1}" = "${Guest_name}" ]; then
   if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
       for i in $(seq 0 "$length"); do
               echo "kvm-Ho." >>/root/hook.log
               iptables -t nat -D PREROUTING -d "${Host_ipaddr}" -p udp --dport "${Host_port[$i]}" -j DNAT --to "${Guest_ipaddr}:${Guest_port[$i]}"
               iptables -D FORWARD -d "${Guest_ipaddr}/32" -p udp -m state --state NEW,ESTABLISHED,RELATED --dport "${Guest_port[$i]}" -j ACCEPT
               iptables -t nat -D PREROUTING -d "${Host_ipaddr}" -p tcp --dport "${Host_port[$i]}" -j DNAT --to "${Guest_ipaddr}:${Guest_port[$i]}"
               iptables -D FORWARD -d "${Guest_ipaddr}/32" -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport "${Guest_port[$i]}" -j ACCEPT
       done
   fi
   if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
       for i in $(seq 0 "$length"); do
               echo "kvm-Hey." >>/root/hook.log
               iptables -t nat -A PREROUTING -d "${Host_ipaddr}" -p tcp --dport "${Host_port[$i]}" -j DNAT --to "${Guest_ipaddr}:${Guest_port[$i]}"
               iptables -I FORWARD -d "${Guest_ipaddr}/32" -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport "${Guest_port[$i]}" -j ACCEPT
               iptables -t nat -A PREROUTING -d "${Host_ipaddr}" -p udp --dport "${Host_port[$i]}" -j DNAT --to "${Guest_ipaddr}:${Guest_port[$i]}"
               iptables -I FORWARD -d "${Guest_ipaddr}/32" -p udp -m state --state NEW,ESTABLISHED,RELATED --dport "${Guest_port[$i]}" -j ACCEPT
       done
   fi
fi

IMPORTANT: Make sure there is no blank line before the first line (#!/bin/bash); the shebang must be the very first line or the hook will not run.
Note: Windows uses different line endings than Linux, and they are not compatible. You may get errors if you edit the file in a Windows text editor.

And make the file executable (run the line for the file you created):

chmod a+x qemu
chmod a+x lxc

When the hook file is first created you may need to reboot the antsle. After that, any edit to the hook file only requires a restart of the antlet.
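As an added example that is not part of antsle's documentation or its hook script, the following table-driven hook does the same job for several antlets without repeating the whole block per antlet. It uses the antlet names and addresses from this page; DRY_RUN is a variable introduced here so the generated iptables commands can be reviewed before the file goes live.

```shell
#!/bin/bash
# Added example (not antsle's own hook): a table-driven version of the hook above.
# One line per antlet: "<antlet name> <antlet IP> <host_port:guest_port> ..."; a bare
# port means the same number on both sides. DRY_RUN=1 prints the iptables commands
# instead of running them, so the rule set can be reviewed before installing the file.
HOST_IPADDR=192.168.1.66          # private IP of the antsle (br0), as shown in antMan
FORWARDS="
Win  10.1.1.12 3389
lamp 10.1.1.15 3306 21:21
"
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }

# rules ADD|DEL <guest_ip> <pair>... : one DNAT and one FORWARD rule per port and
# protocol, the same rules the page's start/stopped branches add and delete.
rules() {
    local act=$1 gip=$2 nat_flag fwd_flag pair hp gp proto
    shift 2
    case $act in
        ADD) nat_flag=-A; fwd_flag=-I ;;
        DEL) nat_flag=-D; fwd_flag=-D ;;
        *)   echo "rules: unknown action '$act'" >&2; return 1 ;;
    esac
    for pair in "$@"; do
        hp=${pair%%:*}; gp=${pair#*:}
        # host:guest pairs replace the two parallel arrays (no length mismatch possible);
        # still reject anything that is not one or two port numbers.
        case "$hp:$gp" in *[!0-9:]*|*:*:*|:*|*:) echo "rules: bad port spec '$pair'" >&2; return 1 ;; esac
        for proto in tcp udp; do
            run -t nat $nat_flag PREROUTING -d "$HOST_IPADDR" -p $proto --dport "$hp" \
                -j DNAT --to "$gip:$gp"
            run $fwd_flag FORWARD -d "$gip/32" -p $proto -m state --state NEW,ESTABLISHED,RELATED \
                --dport "$gp" -j ACCEPT
        done
    done
}
# hook <guest name> <operation>: libvirt passes these as $1 and $2.
hook() {
    local name=$1 op=$2 n gip pairs
    while read -r n gip pairs; do
        [ "$n" = "$name" ] || continue
        case $op in stopped|reconnect) rules DEL "$gip" $pairs ;; esac   # tear down first
        case $op in start|reconnect)   rules ADD "$gip" $pairs ;; esac   # then (re)install
    done <<EOF
$FORWARDS
EOF
    return 0
}
# Act only when installed under the name libvirt calls; sourcing the file leaves the functions testable.
case $0 in */qemu|*/lxc|qemu|lxc) hook "$1" "$2" ;; esac
```

Install it as /etc/libvirt/hooks/qemu (or lxc) exactly as described above; running `DRY_RUN=1 sh ./qemu lamp start` from the hooks directory prints the rules it would add for that antlet.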

If you have a second ethernet port enabled (br1, br2 or br3) and it has an IP address on the same network as br0, use the Host_ipaddr of br0 when connecting to the antlet via the forwarded port:

192.168.1.66:3306