Port Forwarding

HTTP(S) port 80 and 443

You can skip this step if either:

  1. You’re using a tunneling solution or
  2. You want to access your antlets only from within your local LAN / WiFi.

If, on the other hand, you want to access the web software you’ve installed in your antlets from the world and you do not use a tunneling solution, then port forwarding is what you want to do.

We have good news: This is only necessary once. After it’s done, you can access as many antlets using as many domains names as you like, without having to do any additional port forwarding.

What you need to do is forward ports 80 (HTTP) and 443 (HTTPS) to the private ip address of your antsle.

Login to antman on your antsle. The private ip address is displayed near the top left corner. Take note of the address (or simply copy it to the clipboard). This is the destination IP address you will enter in your router’s port forwarding table.

antman display of private ip address

The actual procedure differs from router to router. We recommend using sites like portforward.com in order to find specific instructions for your router model. Remember to forward ports 80 and 443 (use the same port numbers for both, source and destination.)

To forward a domain name to a specific antlet, see the Access antlets by Domain page.

Forwarding other ports

Another typical use case is forwarding ports for services other than HTTP/HTTPS - and we know you will be running a lot of other stuff! email, dns, mysql, minecraft...

The best thing is creating a so-called “libvirt hook”. That way, the port forwarding will automatically be enabled when the antlet starts, and discarded when the antlet stops.

For that, ssh into your antsle and then issue these commands:

mkdir -p /etc/libvirt/hooks
cd /etc/libvirt/hooks

Now that you are in the /etc/libvirt/hooks directory, use your favorite text editor, such as vim or nano, to create a file named qemu (assuming you want to forward into KVM antlets) with the contents shown below.
If forwarding into an LXC antlet, you can use the very same script. Just name it “lxc” instead of “qemu”.

#!/bin/bash
# update: 11/16/2018

antlet_type=`basename "$0"`

# Update the following variables to fit your setup
# Use an equal number of host and guest ports
antlet_name=Ansible
antlet_ipaddr=10.1.1.10
host_ipaddr=192.168.1.3
host_ports=( '3001' )
antlet_ports=( '3001' )


# Perform actions
if [ "${1}" = "${antlet_name}" ]; then
  echo `date` hook/${antlet_type} "antlet ${1}" "${2}" >>/var/log/libvirt/hook.log
fi
length=$(( ${#host_ports[@]} - 1 ))
if [ "${1}" = "${antlet_name}" ]; then
   if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
       for i in `seq 0 $length`; do
               echo "`date` hook/${antlet_type} antlet $antlet_name Closing port ${host_ports[$i]} ->  ${antlet_ports[$i]} " >>/var/log/libvirt/hook.log
               iptables -t nat -D PREROUTING -d ${host_ipaddr} -p udp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
               iptables -D FORWARD -d ${antlet_ipaddr}/32 -p udp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
               iptables -t nat -D PREROUTING -d ${host_ipaddr} -p tcp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
               iptables -D FORWARD -d ${antlet_ipaddr}/32 -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
       done
   fi
   if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
       for i in `seq 0 $length`; do
               echo "`date` hook/${antlet_type} antlet $antlet_name Mapping port ${host_ports[$i]} ->  ${antlet_ports[$i]} " >>/var/log/libvirt/hook.log
               iptables -t nat -A PREROUTING -d ${host_ipaddr} -p tcp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
               iptables -I FORWARD -d ${antlet_ipaddr}/32 -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
               iptables -t nat -A PREROUTING -d ${host_ipaddr} -p udp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
               iptables -I FORWARD -d ${antlet_ipaddr}/32 -p udp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
       done
   fi
fi

Please adapt these lines to your needs:

antlet_name=Ansible
antlet_ipaddr=10.1.1.10
host_ipaddr=192.168.1.3
host_ports=( '3001' )
antlet_ports=( '3001' )
  • antlet_name is the antlet name (case sensitve)
  • antlet_ipaddr is the IP address of the antlet as seen in antMan
  • host_ipaddr is the Private IP address of the antsle as seen in antMan
  • host_ports is the port number(s) of the request comming in to the antsle
  • antlet_ports is the target port number(s) of the service on the antlet

The host_ports and antlet_ports do not need to be the same:

host_ports=(  '13330' )
antlet_ports=( '3389' )

This can be used to forward traffic to multiple antlets listening on the same port by setting a unique host_ports per antlet. This technique can also add a little security to well known ports.

You can add more ports if needed (use a space between port numbers)

host_ports=( ‘3389’ ‘4444’ ‘2211’)

If you need to forward ports into additional antlets, just duplicate the code within the same hook file. An example could look like this:

#!/bin/bash
# update: 11/16/2018

antlet_type=`basename "$0"`

# Update the following variables to fit your setup
# Use an equal number of host and guest ports
antlet_name=Ansible
antlet_ipaddr=10.1.1.10
host_ipaddr=192.168.1.66
host_ports=( '3001' )
antlet_ports=( '3001' )


# Perform actions
if [ "${1}" = "${antlet_name}" ]; then
  echo `date` hook/${antlet_type} "antlet ${1}" "${2}" >>/var/log/libvirt/hook.log
fi
length=$(( ${#host_ports[@]} - 1 ))
if [ "${1}" = "${antlet_name}" ]; then
   if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
       for i in `seq 0 $length`; do
               echo "`date` hook/${antlet_type} antlet $antlet_name Closing port ${host_ports[$i]} ->  ${antlet_ports[$i]} " >>/var/log/libvirt/hook.log
               iptables -t nat -D PREROUTING -d ${host_ipaddr} -p udp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
               iptables -D FORWARD -d ${antlet_ipaddr}/32 -p udp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
               iptables -t nat -D PREROUTING -d ${host_ipaddr} -p tcp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
               iptables -D FORWARD -d ${antlet_ipaddr}/32 -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
       done
   fi
   if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
       for i in `seq 0 $length`; do
               echo "`date` hook/${antlet_type} antlet $antlet_name Mapping port ${host_ports[$i]} ->  ${antlet_ports[$i]} " >>/var/log/libvirt/hook.log
               iptables -t nat -A PREROUTING -d ${host_ipaddr} -p tcp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
               iptables -I FORWARD -d ${antlet_ipaddr}/32 -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
               iptables -t nat -A PREROUTING -d ${host_ipaddr} -p udp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
               iptables -I FORWARD -d ${antlet_ipaddr}/32 -p udp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
       done
   fi
fi


# Update the following variables to fit your setup
# Use an equal number of host and guest ports
antlet_name=lamp
antlet_ipaddr=10.1.1.15
host_ipaddr=192.168.1.66
host_ports=( '3306' '21' ) # Expose MySQL and FTP ports
antlet_ports=( '3306' '21' )

# Perform actions
if [ "${1}" = "${antlet_name}" ]; then
  echo `date` hook/${antlet_type} "antlet ${1}" "${2}" >>/var/log/libvirt/hook.log
fi
length=$(( ${#host_ports[@]} - 1 ))
if [ "${1}" = "${antlet_name}" ]; then
   if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
       for i in `seq 0 $length`; do
               echo "`date` hook/${antlet_type} antlet $antlet_name Closing port ${host_ports[$i]} ->  ${antlet_ports[$i]} " >>/var/log/libvirt/hook.log
               iptables -t nat -D PREROUTING -d ${host_ipaddr} -p udp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
               iptables -D FORWARD -d ${antlet_ipaddr}/32 -p udp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
               iptables -t nat -D PREROUTING -d ${host_ipaddr} -p tcp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
               iptables -D FORWARD -d ${antlet_ipaddr}/32 -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
       done
   fi
   if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
       for i in `seq 0 $length`; do
               echo "`date` hook/${antlet_type} antlet $antlet_name Mapping port ${host_ports[$i]} ->  ${antlet_ports[$i]} " >>/var/log/libvirt/hook.log
               iptables -t nat -A PREROUTING -d ${host_ipaddr} -p tcp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
               iptables -I FORWARD -d ${antlet_ipaddr}/32 -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
               iptables -t nat -A PREROUTING -d ${host_ipaddr} -p udp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
               iptables -I FORWARD -d ${antlet_ipaddr}/32 -p udp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
       done
   fi
fi

IMPORTANT: Make sure there is no blank line before the first line (#!/bin/bash)
Note: Only make edits to the hook file when the antlet is Stopped.
Note: Windows uses different line endings than linux which are not compatible. You may get errors if you edit in a Windows text editor.

And make make the file executable:

chmod a+x qemu
chmod a+x lxc

When the hook file is first created you may need to reboot the antsle but is not required for future edits. Make edits to the hook file only when the antlet is Stopped.

If you have a second ethernet port enabled (br1, br2 or br3) and it has an IP address on the same network as br0. Use the host_ipaddr of br0 when connecting to the antlet via the port.

192.168.1.66:3306