I have a question about how to enable Internet access on KVM. My situation is like this: Internet traffic goes through an external firewall, and I have ports 5000-5004 forwarded to my machine (interface em1). On KVM I have a virtual interface which NATs that em1 to my KVM guest.

On the host machine I have this iptables setup:

iptables -t nat -A PREROUTING -p tcp --dport 5001 -j DNAT --to-destination

iptables -t nat -A POSTROUTING -p tcp -d --dport 5001 -j SNAT --to-source EXTERNAL-IP

Connecting with ssh works correctly (ssh to port 5000 connects me to the host, ssh to 5001 connects me to the guest). I can ping from the guest to the host, but I can't install anything from the repository, ping anything, etc. My host is SLES 12 and the KVM guest is CentOS 7. Any idea?


You use SNAT in the wrong direction. There is no need for it with incoming connections. You need it when the VM initiates a connection:

iptables -t nat -A POSTROUTING -p tcp -s -j SNAT --to-source EXTERNAL-IP

where EXTERNAL-IP is the address of em1.

In general it helps a lot to use tcpdump on both interfaces. Then you see whether the packets have the correct addresses.
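
Following the tcpdump suggestion above, an added example (not part of the original answer): a shell helper that reads `tcpdump -n` text captured on em1 and counts, per protocol, the packets that left still carrying a guest source address, i.e. without SNAT. The guest prefix 192.168.122. and every sample line are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: spot guest traffic leaving the uplink without source NAT.
# GUEST_PREFIX is an assumed guest subnet prefix; set it to your VM network.
GUEST_PREFIX="192.168.122."

# Constructed sample of `tcpdump -n -i em1` output (documentation addresses).
# 203.0.113.10 stands in for EXTERNAL-IP, the address of em1.
sample_capture() {
cat <<'EOF'
12:00:01.000001 IP 203.0.113.10.43210 > 198.51.100.20.80: Flags [S], seq 1, win 29200, length 0
12:00:02.000001 IP 192.168.122.10 > 198.51.100.20: ICMP echo request, id 1, seq 1, length 64
12:00:03.000001 IP 192.168.122.10.53211 > 198.51.100.53.53: 1234+ A? mirror.example. (32)
12:00:04.000001 IP 198.51.100.20.80 > 203.0.113.10.43210: Flags [S.], seq 1, ack 2, win 28960, length 0
EOF
}

# Read tcpdump -n lines on stdin; print "<proto> <count>" for every packet
# whose source address is still inside the guest subnet.
unnatted() {
  awk -v pfx="$GUEST_PREFIX" '
    $2 == "IP" && index($3, pfx) == 1 {
      proto = "other"                       # UDP and anything not matched below
      if (index($0, " Flags [")) proto = "tcp"
      else if (index($0, " ICMP ")) proto = "icmp"
      count[proto]++
    }
    END { for (p in count) print p, count[p] }
  ' | sort
}

# Offline demo on the constructed sample. On a live host, feed a capture:
#   tcpdump -n -i em1 -c 200 | unnatted
sample_capture | unnatted
```

Any line in the output means that protocol is reaching em1 with a private source address, so replies cannot find their way back to the guest.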

