My qemu hooks for port forwarding stopped working

I can connect to the guest with ssh from the host, but when I try from my windows laptop it doesn’t work. I can connect to the host’s ssh from the laptop. This worked a few weeks ago. I use this because I use wifi.



# IMPORTANT: Change the "VM NAME" string to match your actual VM Name.
# In order to create rules to other VMs, just duplicate the below block and configure
# it accordingly.
if [ "${1}" = "almalinux9" ] || [ "${1}" = "rocky9" ] || [ "${1}" = "almalinux8" ]; then

   # Update the following variables to fit your setup

   if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
    /sbin/iptables -D FORWARD -o virbr0 -p tcp -d $GUEST_IP --dport $GUEST_PORT -j ACCEPT
    /sbin/iptables -t nat -D PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT

    /sbin/iptables -D FORWARD -o virbr0 -p udp -d $GUEST_IP --dport $GUEST_PORT1 -j ACCEPT
    /sbin/iptables -t nat -D PREROUTING -p udp --dport $HOST_PORT1 -j DNAT --to $GUEST_IP:$GUEST_PORT1

    /sbin/iptables -D FORWARD -o virbr0 -p tcp -d $GUEST_IP --dport $GUEST_PORT2 -j ACCEPT
    /sbin/iptables -t nat -D PREROUTING -p tcp --dport $HOST_PORT2 -j DNAT --to $GUEST_IP:$GUEST_PORT2
   if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
    /sbin/iptables -I FORWARD -o virbr0 -p tcp -d $GUEST_IP --dport $GUEST_PORT -j ACCEPT
    /sbin/iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT

    /sbin/iptables -I FORWARD -o virbr0 -p udp -d $GUEST_IP --dport $GUEST_PORT1 -j ACCEPT
    /sbin/iptables -t nat -I PREROUTING -p udp --dport $HOST_PORT1 -j DNAT --to $GUEST_IP:$GUEST_PORT1

    /sbin/iptables -I FORWARD -o virbr0 -p tcp -d $GUEST_IP --dport $GUEST_PORT2 -j ACCEPT
    /sbin/iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT2 -j DNAT --to $GUEST_IP:$GUEST_PORT2

The default network is available

sudo virsh net-list
[sudo] password for csaba:
 Name          State    Autostart   Persistent
 default       active   yes         yes
 macvtap-net   active   yes         yes
sudo iptables -L -n -v

Chain FORWARD (policy ACCEPT 364 packets, 28778 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     6    --  *      virbr0         tcp dpt:6543
    0     0 ACCEPT     17   --  *      virbr0         udp dpt:51820
    0     0 ACCEPT     6    --  *      virbr0         tcp dpt:22
5: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:54:00:ab:cc:61 brd ff:ff:ff:ff:ff:ff
    inet brd scope global virbr0
       valid_lft forever preferred_lft forever

The debug ssh -vvv output from the laptop

debug2: ssh_connect_direct
debug1: Connecting to [] port 2222.
debug3: finish_connect - ERROR: async io completed with error: 10060, io:00000222AC81EF50
debug1: connect to address port 2222: Connection timed out
ssh: connect to host port 2222: Connection timed out

Guys any ideas? This is the one thing I actually use for my $dayjob… I don’t even know what to search for it’s so annoying. I have tried to connect from another device too, same problem.

Hey. I’m sure they are just busy at the moment. For now, try seaching for related terms through the forum, arch wiki, and web search.

I bumped because quite a few of my questions get lost in the ether.

I did search and I still do. I kind of have a general understanding of how all this works, but I’m missing something.

The hook script executes the commands.

The bridge device seems to work.

Might be the iptables commands that are not right, but I don’t understand iptables enough. That’s the next thing I will try to go over or change them to something else. Idk what changed with iptables, because they worked and got them from the qemu website.

I don’t really know either, but as far as qemu and iptables are concerned, you could try nftables instead. Pacman will ask you to replace, I think.

Install the userspace utilities package nftables or the git version nftables-gitAUR.

Alternatively, install iptables-nft, which includes nftables as a dependency, will automatically uninstall iptables (an indirect dependency of the base meta package) and prevent conflicts between iptables and nftables when used together.

Note: iptables-nft works by providing implementations of the iptables commands that actually create and act on the nftables rules. However, rules created using the old iptables-legacy tools are separate objects, and iptables-nft will warn you if they are present.

1 Like

In the latest version of libvirt, it is assumed that nftables are being used.

See here:

So try this - add the following line to your /etc/libvirt/network.conf file (and save):

firewall_backend = "iptables"


Thank you my man, this was so annoying. You’re a hero.

1 Like

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.