Antsle Forum


Antman 3.0.0c on Nano .. having issues (resolved)


@ddmscott

Executed upgrade-antman 3.0.0d, but it still does not resolve the network issue.

root@myantsle:~ # systemctl status firewalld -l
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 1970-01-01 00:00:11 UTC; 50 years 2 months ago
     Docs: man:firewalld(1)
 Main PID: 1085 (firewalld)
    Tasks: 2
   Memory: 26.3M
   CGroup: /system.slice/firewalld.service
           └─1085 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

Jan 01 00:00:32 myantsle firewalld[1085]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER' failed: iptables: No chain/target/match by that name.
Jan 01 00:00:32 myantsle firewalld[1085]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER' failed: iptables: No chain/target/match by that name.
Jan 01 00:00:32 myantsle firewalld[1085]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.
Jan 01 00:00:32 myantsle firewalld[1085]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.
Jan 01 00:00:32 myantsle firewalld[1085]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.
Jan 01 00:00:32 myantsle firewalld[1085]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.
Jan 01 00:00:32 myantsle firewalld[1085]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
Jan 01 00:00:32 myantsle firewalld[1085]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
Jan 01 00:00:32 myantsle firewalld[1085]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jan 01 00:00:34 myantsle firewalld[1085]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).

Hi,

Antsle dev here. We ran into issues integrating firewalld and our other virtualization tools, so starting with 3.0.0d, iptables will be used to create port forwarding rules.

To check if your rules are intact in your command line, run

iptables -t nat -L

If you don't see your port forwarding rule there, try disabling and re-enabling your port forwarding rule on antMan and give it another shot.

-Joe

Well, progress 🙂  Looks like antlet creation still doesn't create anything related to port forwarding.

Manual port forward creation does work as this shows.  I created a 22011 forward pointing to the same antlet that 22010 should be there for.  Accessing port 22011 via SSH does work now remotely.

iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
DNAT tcp -- anywhere myantsle tcp dpt:22011 to:10.1.1.10:22

<snip>

But .. I just discovered that manual port forwarding is not persisted within iptables. If you reboot your Nano, it's gone from iptables. It still exists within Antman as a definition. You have to disable and re-enable it in Antman to get it back in iptables.

So fixing is still in progress apparently.

Actually, a question related to my post above. Is the intent that antlet-creation port forwards will also show in the Port Forward antman web page alongside manually created port forwards?

I would think so but just asking.

Oh, and if that is the intent, it would be nice if the port forward screen indicated whether a port forward is a result of manual creation or antlet creation.  Just a feature suggestion.

This is affecting Edgelinux 2.0.

As a workaround until support can resolve the issue, I use the libvirt hooks method with a few modifications, so that I just update a file with the config I want and let libvirt update iptables when I start and stop antlets.

Modified libvirt hook at "/etc/libvirt/hooks/lxc":


#!/bin/bash
# update: 10/24/2018
# libvirt runs this hook as: lxc <antlet name> <operation> <sub-operation> <extra>
antlet_type=$(basename "$0")
echo "$(date) hook/${antlet_type} antlet ${1} ${2}" >>/var/log/libvirt/hook.log

# Update the following variables to fit your setup
# Use an equal number of host and guest ports
# One antlet per line in /etc/libvirt/hooks/antlets_lxc:
#   name:antlet_ip:antlet_ports,...:host_ip:host_ports,...
while IFS=: read -r antlet_name antlet_ipaddr antlet_ports_list host_ipaddr host_ports_list; do
    IFS=, read -r -a antlet_ports <<<"$antlet_ports_list"
    IFS=, read -r -a host_ports <<<"$host_ports_list"
    # Update iptables
    length=$(( ${#host_ports[@]} - 1 ))
    if [ "${1}" = "${antlet_name}" ]; then
        # Remove the forwards when the antlet stops (on reconnect: remove, then re-add below)
        if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
            for i in $(seq 0 "$length"); do
                echo "$(date) hook/${antlet_type} antlet $antlet_name Closing port ${host_ports[$i]} ->  ${antlet_ports[$i]} " >>/var/log/libvirt/hook.log
                iptables -t nat -D PREROUTING -d "${host_ipaddr}" -p udp --dport "${host_ports[$i]}" -j DNAT --to "${antlet_ipaddr}:${antlet_ports[$i]}"
                iptables -D FORWARD -d "${antlet_ipaddr}/32" -p udp -m state --state NEW,ESTABLISHED,RELATED --dport "${antlet_ports[$i]}" -j ACCEPT
                iptables -t nat -D PREROUTING -d "${host_ipaddr}" -p tcp --dport "${host_ports[$i]}" -j DNAT --to "${antlet_ipaddr}:${antlet_ports[$i]}"
                iptables -D FORWARD -d "${antlet_ipaddr}/32" -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport "${antlet_ports[$i]}" -j ACCEPT
            done
        fi
        # Add the forwards when the antlet starts: DNAT host port -> antlet port, then allow the forwarded traffic
        if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
            for i in $(seq 0 "$length"); do
                echo "$(date) hook/${antlet_type} antlet $antlet_name Mapping port ${host_ports[$i]} ->  ${antlet_ports[$i]} " >>/var/log/libvirt/hook.log
                iptables -t nat -A PREROUTING -d "${host_ipaddr}" -p tcp --dport "${host_ports[$i]}" -j DNAT --to "${antlet_ipaddr}:${antlet_ports[$i]}"
                iptables -I FORWARD -d "${antlet_ipaddr}/32" -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport "${antlet_ports[$i]}" -j ACCEPT
                iptables -t nat -A PREROUTING -d "${host_ipaddr}" -p udp --dport "${host_ports[$i]}" -j DNAT --to "${antlet_ipaddr}:${antlet_ports[$i]}"
                iptables -I FORWARD -d "${antlet_ipaddr}/32" -p udp -m state --state NEW,ESTABLISHED,RELATED --dport "${antlet_ports[$i]}" -j ACCEPT
            done
        fi
    fi
done < /etc/libvirt/hooks/antlets_lxc

Then I created the file /etc/libvirt/hooks/antlets_lxc

In this file I place the information for the port forwarding that I want; each line is the config for one antlet:

{antlet-name}:{antlet-ipaddress}:{ports-to-forward-comma-delimited}:{antsle-machine-ip}:{ports-forwarded-comma-delimited}

example - where 192.168.1.1 is the ip of my antsle:

antlet-01:10.1.1.10:22,80:192.168.1.1:22010,80010

antlet-02:10.1.1.11:22:192.168.1.1:22011

This will forward ports 22010 to port 22 and 80010 to port 80 of my antlet-01 and port 22011 to port 22 of my antlet-02.

When you shut off an antlet, the forwarded ports will be removed from iptables; when you start an antlet, they will be added.

Routes are not persisted through an antsle restart, but when the antlets are started via the web app or at boot, iptables is updated.

Cheers!

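Two things a reader of the hook above may want before trusting it: a dry run that shows which iptables rules a config line will produce (and rejects lines the hook would mis-parse, such as a colon where a comma was meant, or unequal port lists), and the check Joe suggests, run against saved `iptables -t nat -L` output to spot forwards that are defined but no longer loaded after a reboot. This is an added example, not the hook author's code; it assumes the same five-field line format and the script name `check_forwards.sh` is hypothetical.

```bash
#!/bin/bash
# Added example, not the hook author's code. Assumes the same five-field
# line format as /etc/libvirt/hooks/antlets_lxc:
#   name:antlet_ip:antlet_ports,...:host_ip:host_ports,...
# render_rules prints the iptables commands the hook would run for one line,
# without executing them, and rejects lines the hook would mis-parse.
render_rules() {
    local line="$1" name aip aports hip hports extra
    IFS=: read -r name aip aports hip hports extra <<<"$line"
    # A stray ':' inside a port list (e.g. "22010:80022") lands in $extra.
    if [ -z "$hports" ] || [ -n "$extra" ]; then
        echo "malformed line (expected 5 ':'-separated fields): $line" >&2
        return 1
    fi
    local -a ap hp
    IFS=, read -r -a ap <<<"$aports"
    IFS=, read -r -a hp <<<"$hports"
    # The hook loops over host ports; a shorter guest list yields "--to ip:" with no port.
    if [ "${#ap[@]}" -ne "${#hp[@]}" ]; then
        echo "port count mismatch for $name: ${#hp[@]} host vs ${#ap[@]} guest" >&2
        return 1
    fi
    local i proto
    for i in "${!hp[@]}"; do
        for proto in tcp udp; do
            echo "iptables -t nat -A PREROUTING -d $hip -p $proto --dport ${hp[$i]} -j DNAT --to $aip:${ap[$i]}"
            echo "iptables -I FORWARD -d $aip/32 -p $proto -m state --state NEW,ESTABLISHED,RELATED --dport ${ap[$i]} -j ACCEPT"
        done
    done
}

# dnat_present <host_port> <antlet_ip:port> reads `iptables -t nat -L` output on
# stdin and succeeds only if the DNAT rule for that forward is listed. Run it
# after a reboot to catch forwards antMan still shows but iptables has lost.
dnat_present() {
    local port="$1" target="$2"
    grep -Eq "^DNAT[[:space:]].*dpt:${port}[[:space:]]+to:${target}[[:space:]]*$"
}

# Usage: ./check_forwards.sh /etc/libvirt/hooks/antlets_lxc  (script name is hypothetical)
if [ -n "${1:-}" ]; then
    while IFS= read -r cfg_line; do
        [ -n "$cfg_line" ] && render_rules "$cfg_line"
    done < "$1"
fi
```

Pipe a live listing in with `iptables -t nat -L | dnat_present 22011 10.1.1.10:22` to confirm the forward from the output quoted earlier in this thread is still loaded.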

Nice, everyday is a school day.  Thanks for sharing that 🙂

I added a static route on my router between 192.168.1.x and 10.1.1.x


SD

Creating a static route like this solved my issue.

  • Destination Network: 10.1.1.0
  • Subnet Mask: 255.255.255.0
  • Default Gateway: LAN IP of Antsle machine (192.168.X.X)

Then I could see a trivial web app I had up at 10.1.1.10.
