Port Forwarding

You can skip this step if:

  1. You are using a tunneling solution in the antlet.

  2. You are accessing a web server on the antlet using the onboard nginx reverse-proxy

If, on the other hand, you want to access other services you’ve installed in your antlets, then port forwarding is one way to achieve this.

Port Forwarding Rules

To start, navigate to the 'Port Forwarding' page from the sidebar.

Create a Port Forwarding Rule

A port forwarding rule will route traffic going through a specified port on your Antsle, called the Source Port to a specified port on a Destination antlet within your Antsle, called the Destination Port.

To configure a port forwarding rule, click 'Add new' on the right-hand corner of the 'Port Forwarding Rules' table.

Configure the port forwarding rule as below:

Field

Description

Values

Protocol

Specify the protocol of the traffic that will be allowed with this rule

tcp, udp, or both

Source IP

Private IP of the Antsle

Pre-populated

Source Port

Port on the Antsle where traffic will be routed to from outside the Antsle

Destination antlet

antlet where traffic will be routed to from the Source

Destination Port

Port on the destination antlet where traffic will be routed to from the Source

Enabled?

Toggle the port forwarding rule

Enable a Port Forwarding Rule

Enabling a port forwarding rule takes a port forwarding rule configuration and actively routes the traffic. If left disabled, the port forwarding rule configuration will be saved, but the traffic will not be routed between the Antsle and the antlet.

To enable a port forwarding rule, click the checkbox as pictured below.

Then confirm by clicking 'Yes, enable this rule!'

Edit a Port Forwarding Rule

To make changes to the port forwarding rule configuration, click the 'Edit' button, as pictured below.

Make any changes as desired, and click 'Save Configuration'.

Although a Port Forwarding Rule is enabled, traffic may not reach the Destination antlet if the Destination Port is blocked by the antlet's firewall. In order to accept traffic coming into an antlet from your Antsle, you will need to open that port using a firewall tool appropriate for the antlet's OS (e.g. firewalld , iptables, Windows Firewall).

Delete a Port Forwarding Rule

Deleting a port forwarding rule will permanently remove the configuration from antMan.

If you would like to disable a port forwarding rule without removing the configuration, simply click the blue checkbox to disable the rule instead. Disabling the rule will prevent traffic from forwarding, while still keeping the configuration in case you need it for later.

To delete a port forwarding rule, click the 'Delete' button as pictured below.

Confirm deletion by clicking 'Yes, delete this rule!'

Port Forwarding via 'hooks' file

If you do not have a plan that enables the port forwarding feature, then you can create a “libvirt hook”. This way, the port forwarding will be enabled when the antlet starts, and discarded when the antlet stops.

For that, ssh into your antsle and then issue these commands:

mkdir -p /etc/libvirt/hooks
cd /etc/libvirt/hooks

Now that you are in the /etc/libvirt/hooks directory, use your favorite text editor, such as vim or nano, to create a file named 'qemu' for port forwarding rules to KVM antlets. Name the file 'lxc' if creating port forwarding rules for LXC antlets. Add the contents shown below.

#!/bin/bash
# update: 11/16/2018
antlet_type=`basename "$0"`
# Update the following variables to fit your setup
# Use an equal number of host and guest ports
antlet_name=Ansible
antlet_ipaddr=10.1.1.10
host_ipaddr=192.168.1.3
host_ports=( '3001' )
antlet_ports=( '3001' )
# Perform actions
if [ "${1}" = "${antlet_name}" ]; then
echo `date` hook/${antlet_type} "antlet ${1}" "${2}" >>/var/log/libvirt/hook.log
fi
length=$(( ${#host_ports[@]} - 1 ))
if [ "${1}" = "${antlet_name}" ]; then
if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
for i in `seq 0 $length`; do
echo "`date` hook/${antlet_type} antlet $antlet_name Closing port ${host_ports[$i]} -> ${antlet_ports[$i]} " >>/var/log/libvirt/hook.log
iptables -t nat -D PREROUTING -d ${host_ipaddr} -p udp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
iptables -D FORWARD -d ${antlet_ipaddr}/32 -p udp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
iptables -t nat -D PREROUTING -d ${host_ipaddr} -p tcp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
iptables -D FORWARD -d ${antlet_ipaddr}/32 -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
done
fi
if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
for i in `seq 0 $length`; do
echo "`date` hook/${antlet_type} antlet $antlet_name Mapping port ${host_ports[$i]} -> ${antlet_ports[$i]} " >>/var/log/libvirt/hook.log
iptables -t nat -A PREROUTING -d ${host_ipaddr} -p tcp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
iptables -I FORWARD -d ${antlet_ipaddr}/32 -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
iptables -t nat -A PREROUTING -d ${host_ipaddr} -p udp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
iptables -I FORWARD -d ${antlet_ipaddr}/32 -p udp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
done
fi
fi

Please adapt these lines to your needs:

antlet_name=Ansible
antlet_ipaddr=10.1.1.10
host_ipaddr=192.168.1.3
host_ports=( '3001' )
antlet_ports=( '3001' )
  • antlet_name is the antlet name (case sensitve)

  • antlet_ipaddr is the IP address of the antlet as seen in antMan

  • host_ipaddr is the Private IP address of the antsle as seen in antMan

  • host_ports is the port number(s) of the request comming in to the antsle

  • antlet_ports is the target port number(s) of the service on the antlet

The host_ports and antlet_ports do not need to be the same:

host_ports=( '13330' )
antlet_ports=( '3389' )

This can be used to forward traffic to multiple antlets listening on the same port by setting a unique host_ports per antlet. This technique can also add a little security to well known ports.

You can add more ports if needed (use a space between port numbers)

host_ports=( ‘3389’ ‘4444’ ‘2211’)
antlet_ports=( '3389' '4444' '2211')

If you need to forward ports into additional antlets, just duplicate the code within the same hook file. An example could look like this:

#!/bin/bash
# update: 11/16/2018
antlet_type=`basename "$0"`
# Update the following variables to fit your setup
# Use an equal number of host and guest ports
antlet_name=Ansible
antlet_ipaddr=10.1.1.10
host_ipaddr=192.168.1.66
host_ports=( '3001' )
antlet_ports=( '3001' )
# Perform actions
if [ "${1}" = "${antlet_name}" ]; then
echo `date` hook/${antlet_type} "antlet ${1}" "${2}" >>/var/log/libvirt/hook.log
fi
length=$(( ${#host_ports[@]} - 1 ))
if [ "${1}" = "${antlet_name}" ]; then
if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
for i in `seq 0 $length`; do
echo "`date` hook/${antlet_type} antlet $antlet_name Closing port ${host_ports[$i]} -> ${antlet_ports[$i]} " >>/var/log/libvirt/hook.log
iptables -t nat -D PREROUTING -d ${host_ipaddr} -p udp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
iptables -D FORWARD -d ${antlet_ipaddr}/32 -p udp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
iptables -t nat -D PREROUTING -d ${host_ipaddr} -p tcp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
iptables -D FORWARD -d ${antlet_ipaddr}/32 -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
done
fi
if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
for i in `seq 0 $length`; do
echo "`date` hook/${antlet_type} antlet $antlet_name Mapping port ${host_ports[$i]} -> ${antlet_ports[$i]} " >>/var/log/libvirt/hook.log
iptables -t nat -A PREROUTING -d ${host_ipaddr} -p tcp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
iptables -I FORWARD -d ${antlet_ipaddr}/32 -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
iptables -t nat -A PREROUTING -d ${host_ipaddr} -p udp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
iptables -I FORWARD -d ${antlet_ipaddr}/32 -p udp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
done
fi
fi
# Update the following variables to fit your setup
# Use an equal number of host and guest ports
antlet_name=lamp
antlet_ipaddr=10.1.1.15
host_ipaddr=192.168.1.66
host_ports=( '3306' '21' ) # Expose MySQL and FTP ports
antlet_ports=( '3306' '21' )
# Perform actions
if [ "${1}" = "${antlet_name}" ]; then
echo `date` hook/${antlet_type} "antlet ${1}" "${2}" >>/var/log/libvirt/hook.log
fi
length=$(( ${#host_ports[@]} - 1 ))
if [ "${1}" = "${antlet_name}" ]; then
if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
for i in `seq 0 $length`; do
echo "`date` hook/${antlet_type} antlet $antlet_name Closing port ${host_ports[$i]} -> ${antlet_ports[$i]} " >>/var/log/libvirt/hook.log
iptables -t nat -D PREROUTING -d ${host_ipaddr} -p udp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
iptables -D FORWARD -d ${antlet_ipaddr}/32 -p udp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
iptables -t nat -D PREROUTING -d ${host_ipaddr} -p tcp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
iptables -D FORWARD -d ${antlet_ipaddr}/32 -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
done
fi
if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
for i in `seq 0 $length`; do
echo "`date` hook/${antlet_type} antlet $antlet_name Mapping port ${host_ports[$i]} -> ${antlet_ports[$i]} " >>/var/log/libvirt/hook.log
iptables -t nat -A PREROUTING -d ${host_ipaddr} -p tcp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
iptables -I FORWARD -d ${antlet_ipaddr}/32 -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
iptables -t nat -A PREROUTING -d ${host_ipaddr} -p udp --dport ${host_ports[$i]} -j DNAT --to ${antlet_ipaddr}:${antlet_ports[$i]}
iptables -I FORWARD -d ${antlet_ipaddr}/32 -p udp -m state --state NEW,ESTABLISHED,RELATED --dport ${antlet_ports[$i]} -j ACCEPT
done
fi
fi

IMPORTANT: Make sure there is no blank line before the first line (#!/bin/bash) Note: Only make edits to the hook file when the antlet is Stopped. Note: Windows uses different line endings than linux which are not compatible. You may get errors if you edit in a Windows text editor.

And make make the file executable:

chmod a+x qemu
chmod a+x lxc

When the hook file is first created you may need to reboot the antsle but is not required for future edits. Make edits to the hook file only when the antlet is Stopped.

If you have a second ethernet port enabled (br1, br2 or br3) and it has an IP address on the same network as br0. Use the host_ipaddr of br0 when connecting to the antlet via the port.