
I'm setting up a new home server with borderline-paranoid security as the goal.

As such, everything with open ports that can go in a VM, gets its own VM. I'm using Ubuntu Server as the host, because I like the free reboot-less kernel-patching.

I've set up four Debian VMs, connected to the default virtual bridge interface. I'm now at the point where I can see and access the ports that should be open from the host, but when I try to access them from my network, I fail. When looking at them with nmap, they show up as "filtered".

How do I make these ports accessible from the wider network? Can I forward the ports from my physical interface to the subnetwork on the bridge, or is it better to somehow make the guests use my actual router as their gateway, instead of the one built in to KVM?

1 Answer


or is it better to somehow make the guests use my actual router as their gateway, instead of the one built in to KVM?

There is no gateway built in to KVM (nor a "default bridge" either). Your VM host itself is the gateway – if you're using libvirt, then it just activates the Linux kernel's regular IP forwarding functionality (and creates a virbr0 for you).

This also means that your VM guests cannot access your actual LAN router directly – they're not on the same ethernet. That would be possible, but you would need to put the physical Ethernet interface (eth0) in the same bridge as your VMs.

It's up to you which method to use:

  • You can let the host be a straightforward router, by configuring your LAN to recognize the VM subnet (i.e. adding static routes with the VM host specified as gateway). Other devices will be able to connect to VMs' addresses.

  • You can let the host be a router with port-forwarding, by adding DNAT rules to iptables or nftables.

  • You can let the host be a bridge, by placing its eth0 interface in the VM bridge (ip link set eth0 master virbr0) – this will directly place all VMs in your main LAN subnet.

(But on principle I would avoid NAT/port-forwarding in the middle of a network unless absolutely necessary, e.g. if the main LAN uses a “router” that doesn't support adding static routes, or some other unusual reason.)

grawity
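A worked example of the three options listed in the answer, added here by the editor; it is not part of the question or of grawity's answer. It is a POSIX shell script whose functions print the commands for each option (or execute them when run as root with APPLY=1). Every name in it is an assumption: host NIC eth0, libvirt's NAT bridge virbr0 with its default subnet 192.168.122.0/24, a guest at 192.168.122.10, the host's LAN address 192.168.1.2 with gateway 192.168.1.1, and a separate LAN bridge br0 for the bridging option. Two caveats the answer does not spell out are built in: libvirt's default network installs iptables rules that reject new connections forwarded into virbr0, so a DNAT rule alone still leaves the port looking "filtered" and a FORWARD accept has to be inserted ahead of libvirt's chains; and libvirt runs a dnsmasq DHCP server on virbr0, so the bridging option uses a dedicated bridge rather than enslaving eth0 into virbr0 itself.

```shell
#!/bin/sh
# Editor's example; not from the question or the answer above.
# Assumed names (override via the environment): host NIC eth0, libvirt's
# NAT bridge virbr0 with its default subnet 192.168.122.0/24, the host's
# LAN address 192.168.1.2 and gateway 192.168.1.1, LAN bridge br0.
# Without APPLY=1 every option only prints the commands it would run.

HOST_IF="${HOST_IF:-eth0}"
VM_BR="${VM_BR:-virbr0}"
VM_NET="${VM_NET:-192.168.122.0/24}"
HOST_LAN_IP="${HOST_LAN_IP:-192.168.1.2}"
LAN_GW="${LAN_GW:-192.168.1.1}"
LAN_BR="${LAN_BR:-br0}"

# Option 1, plain routing: the host already forwards, so the LAN router
# (or each LAN client) only needs a route for the VM subnet via the host.
route_cmds() {
    printf 'ip route add %s via %s\n' "$VM_NET" "$HOST_LAN_IP"
}

# Option 2, DNAT on the host. Arguments are "guest_ip proto port" triples.
# The FORWARD rule is inserted at position 1 so it is evaluated before
# libvirt's own chains, which reject new connections forwarded into virbr0;
# with only the PREROUTING DNAT rule the port still shows as "filtered".
# Assumes libvirt's iptables backend.
dnat_cmds() {
    while [ $# -ge 3 ]; do
        guest=$1; proto=$2; port=$3; shift 3
        case "$proto" in
            tcp|udp) ;;
            *) echo "dnat_cmds: protocol must be tcp or udp, got '$proto'" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "dnat_cmds: '$port' is not a port number" >&2; return 1 ;;
        esac
        printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$HOST_IF" "$proto" "$port" "$guest" "$port"
        printf 'iptables -I FORWARD 1 -i %s -o %s -d %s -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$HOST_IF" "$VM_BR" "$guest" "$proto" "$port"
    done
    [ $# -eq 0 ] || { echo "dnat_cmds: arguments must come in guest/proto/port triples" >&2; return 1; }
}

# Option 3, bridging: create a LAN bridge, move the host's address and
# default route onto it and enslave eth0; VMs are then attached to br0
# instead of virbr0 (enslaving eth0 into virbr0 would put libvirt's
# dnsmasq DHCP server on the LAN). Run from the console: eth0 loses its
# address half-way through, so an SSH session over it will drop.
bridge_cmds() {
    printf 'ip link add %s type bridge\n' "$LAN_BR"
    printf 'ip link set %s up\n' "$LAN_BR"
    printf 'ip addr flush dev %s\n' "$HOST_IF"
    printf 'ip link set %s master %s\n' "$HOST_IF" "$LAN_BR"
    printf 'ip addr add %s/24 dev %s\n' "$HOST_LAN_IP" "$LAN_BR"
    printf 'ip route add default via %s dev %s\n' "$LAN_GW" "$LAN_BR"
}

# Print the generated commands, or execute them (APPLY=1, as root).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@" | sh -ex; else "$@"; fi
}

case "${1:-}" in
    route)  run route_cmds ;;
    dnat)   shift; run dnat_cmds "$@" ;;
    bridge) run bridge_cmds ;;
    "")     ;;   # no arguments: only define the functions
    *)      echo "usage: $0 route | dnat GUEST PROTO PORT ... | bridge" >&2; exit 2 ;;
esac
```

`sh vm-net.sh dnat 192.168.122.10 tcp 22` prints the two iptables rules for SSH into the first guest; `APPLY=1 sh vm-net.sh dnat 192.168.122.10 tcp 22` runs them. Rules added this way do not survive a reboot or a libvirt network restart, so on Debian and Ubuntu persist them with netfilter-persistent, or add them from a libvirt network hook script.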