Use libvirt to add a network with NAT forwarding to an interface. It will add most of the iptables rules for you. The FORWARD chain shown by “iptables -L” should look something like this:
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             10.7.0.0/24          state RELATED,ESTABLISHED
ACCEPT     all  --  10.7.0.0/24          anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
“iptables -t nat -L”:
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE tcp  --  10.7.0.0/24         !10.7.0.0/24          masq ports: 1024-65535
MASQUERADE udp  --  10.7.0.0/24         !10.7.0.0/24          masq ports: 1024-65535
MASQUERADE all  --  10.7.0.0/24         !10.7.0.0/24
The rules for outbound traffic are already in place. To allow incoming packets and 1:1 port mapping, add the following two rules. Change addresses and interface names as needed.
iptables -I FORWARD -i eth1 -o virbr1 -d 10.7.0.0/24 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-destination 10.7.0.1
Note: the first command adds the same rule as the first rule already in FORWARD, but without the ESTABLISHED state condition, so new inbound connections are accepted too.
To make the rules permanent, either write the running rule set out with “iptables-save” (for example into /etc/sysconfig/iptables) or add the rules to /etc/sysconfig/iptables by hand. Everything should work at this point. If not, make sure IP forwarding is enabled:
echo "1" > /proc/sys/net/ipv4/ip_forward   # to make it permanent, set net.ipv4.ip_forward = 1 in /etc/sysctl.conf
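The steps above, as an added example that is not part of the original post: a small script that builds the inbound FORWARD and DNAT rules for a libvirt NAT network, adds each rule only if it is not already present, and warns if forwarding is off. The interface names, the network and the guest address 10.7.0.10 are assumptions; it also goes slightly beyond the post by supporting a single-port mapping in addition to mapping the whole address.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the inbound FORWARD and
# DNAT rules for a libvirt NAT network and adds each one only if it is not
# already present (iptables -C), so the script can be re-run safely.
# Interface, network and guest values are assumptions; adjust to your setup.
EXT_IF=eth1         # interface facing the outside
BR_IF=virbr1        # libvirt bridge of the NAT network
NET=10.7.0.0/24     # the libvirt NAT network
GUEST=10.7.0.10     # hypothetical guest address to expose

# Emit one rule per line as "<table> <chain> <rule spec>".
# With a TCP port argument only that port is forwarded to the guest (port
# mapping); with no argument the whole guest address is mapped (1:1 NAT).
rule_specs() {
    port="$1"
    if [ -n "$port" ]; then
        echo "filter FORWARD -i $EXT_IF -o $BR_IF -d $GUEST -p tcp --dport $port -j ACCEPT"
        echo "nat PREROUTING -i $EXT_IF -p tcp --dport $port -j DNAT --to-destination $GUEST"
    else
        echo "filter FORWARD -i $EXT_IF -o $BR_IF -d $NET -j ACCEPT"
        echo "nat PREROUTING -i $EXT_IF -j DNAT --to-destination $GUEST"
    fi
}

# Insert a rule at position 1 unless it already exists. Inserting rather than
# appending matters: the rule must sit before libvirt's REJECT rules in FORWARD.
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    if iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        echo "present: $chain $*"
    else
        iptables -t "$table" -I "$chain" 1 "$@" && echo "added: $chain $*"
    fi
}

apply_rules() {
    rule_specs "$1" | while read -r table chain rest; do
        # shellcheck disable=SC2086  # splitting $rest into arguments is intended
        ensure_rule "$table" "$chain" $rest
    done
    # DNAT does nothing useful if the kernel does not forward; report that too.
    if [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" != 1 ]; then
        echo "warning: ip_forward is not 1; set net.ipv4.ip_forward = 1" >&2
    fi
}

# Run as root with --apply [port], e.g.: ./nat-rules.sh --apply 22
if [ "$1" = "--apply" ]; then apply_rules "$2"; fi
```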