Docs
Search…
Port Forwarding
You can skip this step if:
  1. 1.
    You are using a tunneling solution in the antlet.
  2. 2.
    You are accessing a web server on the antlet using the onboard nginx reverse-proxy
If, on the other hand, you want to access other services you’ve installed in your antlets, then port forwarding is one way to achieve this.

Port Forwarding Rules

To start, navigate to the 'Port Forwarding' page from the sidebar.

Create a Port Forwarding Rule

A port forwarding rule will route traffic going through a specified port on your Antsle, called the Source Port to a specified port on a Destination antlet within your Antsle, called the Destination Port.
To configure a port forwarding rule, click 'Add new' on the right-hand corner of the 'Port Forwarding Rules' table.
Configure the port forwarding rule as below:
Field
Description
Values
Protocol
Specify the protocol of the traffic that will be allowed with this rule
tcp, udp, or both
Source IP
Private IP of the Antsle
Pre-populated
Source Port
Port on the Antsle where traffic will be routed to from outside the Antsle
Destination antlet
antlet where traffic will be routed to from the Source
Destination Port
Port on the destination antlet where traffic will be routed to from the Source
Enabled?
Toggle the port forwarding rule

Enable a Port Forwarding Rule

Enabling a port forwarding rule takes a port forwarding rule configuration and actively routes the traffic. If left disabled, the port forwarding rule configuration will be saved, but the traffic will not be routed between the Antsle and the antlet.
To enable a port forwarding rule, click the checkbox as pictured below.
Then confirm by clicking 'Yes, enable this rule!'

Edit a Port Forwarding Rule

To make changes to the port forwarding rule configuration, click the 'Edit' button, as pictured below.
Make any changes as desired, and click 'Save Configuration'.
Although a Port Forwarding Rule is enabled, traffic may not reach the Destination antlet if the Destination Port is blocked by the antlet's firewall. In order to accept traffic coming into an antlet from your Antsle, you will need to open that port using a firewall tool appropriate for the antlet's OS (e.g. firewalld , iptables, Windows Firewall).

Delete a Port Forwarding Rule

Deleting a port forwarding rule will permanently remove the configuration from antMan.
If you would like to disable a port forwarding rule without removing the configuration, simply click the blue checkbox to disable the rule instead. Disabling the rule will prevent traffic from forwarding, while still keeping the configuration in case you need it for later.
To delete a port forwarding rule, click the 'Delete' button as pictured below.
Confirm deletion by clicking 'Yes, delete this rule!'

Port Forwarding via 'hooks' file

If you do not have a plan that enables the port forwarding feature, then you can create a “libvirt hook”. This way, the port forwarding will be enabled when the antlet starts, and discarded when the antlet stops.
For that, ssh into your antsle and then issue these commands:
1
mkdir -p /etc/libvirt/hooks
2
cd /etc/libvirt/hooks
Copied!
Now that you are in the /etc/libvirt/hooks directory, use your favorite text editor, such as vim or nano, to create a file named 'qemu' for port forwarding rules to KVM antlets. Name the file 'lxc' if creating port forwarding rules for LXC antlets. Add the contents shown below.
1
#!/bin/bash
2
# update: 11/16/2018
3
4
antlet_type=`basename "$0"`
5
6
# Update the following variables to fit your setup
7
# Use an equal number of host and guest ports
8
antlet_name=Ansible
9
antlet_ipaddr=10.1.1.10
10
host_ipaddr=192.168.1.3
11
host_ports=( '3001' )
12
antlet_ports=( '3001' )
13
14
15
# Perform actions
16
if [ "${1}" = "${antlet_name}" ]; then
17
echo `date` hook/${antlet_type} "antlet ${1}" "${2}" >>/var/log/libvirt/hook.log
18
fi
19
length=$(( ${#host_ports[@]} - 1 ))
20
if [ "${1}" = "${antlet_name}" ]; then
21
if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
22
for i in `seq 0 $length`; do
23
echo "`date` hook/${antlet_type} antlet $antlet_name Closing port ${host_ports[$i]} -> ${antlet_ports[$i]} " >>/var/log/libvirt/hook.log
24
iptables -t nat -D PREROUTING -d ${host_ipaddr} -p udp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
25
iptables -D FORWARD -d ${antlet_ipaddr}/32 -p udp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
26
iptables -t nat -D PREROUTING -d ${host_ipaddr} -p tcp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
27
iptables -D FORWARD -d ${antlet_ipaddr}/32 -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
28
done
29
fi
30
if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
31
for i in `seq 0 $length`; do
32
echo "`date` hook/${antlet_type} antlet $antlet_name Mapping port ${host_ports[$i]} -> ${antlet_ports[$i]} " >>/var/log/libvirt/hook.log
33
iptables -t nat -A PREROUTING -d ${host_ipaddr} -p tcp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
34
iptables -I FORWARD -d ${antlet_ipaddr}/32 -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
35
iptables -t nat -A PREROUTING -d ${host_ipaddr} -p udp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
36
iptables -I FORWARD -d ${antlet_ipaddr}/32 -p udp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
37
done
38
fi
39
fi
Copied!
Please adapt these lines to your needs:
1
antlet_name=Ansible
2
antlet_ipaddr=10.1.1.10
3
host_ipaddr=192.168.1.3
4
host_ports=( '3001' )
5
antlet_ports=( '3001' )
Copied!
  • antlet_name is the antlet name (case sensitve)
  • antlet_ipaddr is the IP address of the antlet as seen in antMan
  • host_ipaddr is the Private IP address of the antsle as seen in antMan
  • host_ports is the port number(s) of the request comming in to the antsle
  • antlet_ports is the target port number(s) of the service on the antlet
The host_ports and antlet_ports do not need to be the same:
1
host_ports=( '13330' )
2
antlet_ports=( '3389' )
Copied!
This can be used to forward traffic to multiple antlets listening on the same port by setting a unique host_ports per antlet. This technique can also add a little security to well known ports.
You can add more ports if needed (use a space between port numbers)
1
host_ports=( ‘3389’ ‘4444’ ‘2211’)
2
antlet_ports=( '3389' '4444' '2211')
Copied!
If you need to forward ports into additional antlets, just duplicate the code within the same hook file. An example could look like this:
1
#!/bin/bash
2
# update: 11/16/2018
3
4
antlet_type=`basename "$0"`
5
6
# Update the following variables to fit your setup
7
# Use an equal number of host and guest ports
8
antlet_name=Ansible
9
antlet_ipaddr=10.1.1.10
10
host_ipaddr=192.168.1.66
11
host_ports=( '3001' )
12
antlet_ports=( '3001' )
13
14
15
# Perform actions
16
if [ "${1}" = "${antlet_name}" ]; then
17
echo `date` hook/${antlet_type} "antlet ${1}" "${2}" >>/var/log/libvirt/hook.log
18
fi
19
length=$(( ${#host_ports[@]} - 1 ))
20
if [ "${1}" = "${antlet_name}" ]; then
21
if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
22
for i in `seq 0 $length`; do
23
echo "`date` hook/${antlet_type} antlet $antlet_name Closing port ${host_ports[$i]} -> ${antlet_ports[$i]} " >>/var/log/libvirt/hook.log
24
iptables -t nat -D PREROUTING -d ${host_ipaddr} -p udp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
25
iptables -D FORWARD -d ${antlet_ipaddr}/32 -p udp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
26
iptables -t nat -D PREROUTING -d ${host_ipaddr} -p tcp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
27
iptables -D FORWARD -d ${antlet_ipaddr}/32 -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
28
done
29
fi
30
if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
31
for i in `seq 0 $length`; do
32
echo "`date` hook/${antlet_type} antlet $antlet_name Mapping port ${host_ports[$i]} -> ${antlet_ports[$i]} " >>/var/log/libvirt/hook.log
33
iptables -t nat -A PREROUTING -d ${host_ipaddr} -p tcp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
34
iptables -I FORWARD -d ${antlet_ipaddr}/32 -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
35
iptables -t nat -A PREROUTING -d ${host_ipaddr} -p udp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
36
iptables -I FORWARD -d ${antlet_ipaddr}/32 -p udp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
37
done
38
fi
39
fi
40
41
42
# Update the following variables to fit your setup
43
# Use an equal number of host and guest ports
44
antlet_name=lamp
45
antlet_ipaddr=10.1.1.15
46
host_ipaddr=192.168.1.66
47
host_ports=( '3306' '21' ) # Expose MySQL and FTP ports
48
antlet_ports=( '3306' '21' )
49
50
# Perform actions
51
if [ "${1}" = "${antlet_name}" ]; then
52
echo `date` hook/${antlet_type} "antlet ${1}" "${2}" >>/var/log/libvirt/hook.log
53
fi
54
length=$(( ${#host_ports[@]} - 1 ))
55
if [ "${1}" = "${antlet_name}" ]; then
56
if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
57
for i in `seq 0 $length`; do
58
echo "`date` hook/${antlet_type} antlet $antlet_name Closing port ${host_ports[$i]} -> ${antlet_ports[$i]} " >>/var/log/libvirt/hook.log
59
iptables -t nat -D PREROUTING -d ${host_ipaddr} -p udp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
60
iptables -D FORWARD -d ${antlet_ipaddr}/32 -p udp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
61
iptables -t nat -D PREROUTING -d ${host_ipaddr} -p tcp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
62
iptables -D FORWARD -d ${antlet_ipaddr}/32 -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
63
done
64
fi
65
if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
66
for i in `seq 0 $length`; do
67
echo "`date` hook/${antlet_type} antlet $antlet_name Mapping port ${host_ports[$i]} -> ${antlet_ports[$i]} " >>/var/log/libvirt/hook.log
68
iptables -t nat -A PREROUTING -d ${host_ipaddr} -p tcp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
69
iptables -I FORWARD -d ${antlet_ipaddr}/32 -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
70
iptables -t nat -A PREROUTING -d ${host_ipaddr} -p udp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
71
iptables -I FORWARD -d ${antlet_ipaddr}/32 -p udp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
72
done
73
fi
74
fi
Copied!
IMPORTANT: Make sure there is no blank line before the first line (#!/bin/bash) Note: Only make edits to the hook file when the antlet is Stopped. Note: Windows uses different line endings than linux which are not compatible. You may get errors if you edit in a Windows text editor.
And make make the file executable:
1
chmod a+x qemu
2
chmod a+x lxc
Copied!
When the hook file is first created you may need to reboot the antsle but is not required for future edits. Make edits to the hook file only when the antlet is Stopped.
If you have a second ethernet port enabled (br1, br2 or br3) and it has an IP address on the same network as br0. Use the host_ipaddr of br0 when connecting to the antlet via the port.
Last modified 1yr ago