QEMU hostfwd works only for some ports

Issue

I compiled qemu-system-x86_64 on aarch64 host, and was able to run a x86_64 guest with a command like

qemu-system-x86_64 -m 4096 -drive file=vmimage.qcow2,if=virtio \
           -boot once=c,menu=on -net nic,model=virtio-net-pci \
           -net user,hostfwd=tcp::8080-:80,hostfwd=tcp::22222-:22

I could ssh into the guest using

ssh -p22222 user@localhost

Meanwhile, port 80 was not forwarded successfully.

For debugging, I used nc to listen to port 80 inside the guest

nc -l 80

Then in the host, I connected to the forwarded port

nc localhost 8080

However, it was unable to connect to guest nc .

I tried the monitor interface. When the host nc command is executed, info usernet shows following:

(qemu) info usernet
Hub 0 (#net162):
  Protocol[State]    FD  Source Address  Port   Dest. Address  Port RecvQ SendQ
  TCP[SYN_SENT]      33       127.0.0.1  8080       10.0.2.15    80     0     0
  TCP[ESTABLISHED]   21       127.0.0.1 22222       10.0.2.15    22     0     0
  TCP[HOST_FORWARD]  12               *  8080       10.0.2.15    80     0     0
  TCP[HOST_FORWARD]  11               * 22222       10.0.2.15    22     0     0
...

I believe the SYN_SENT (FD 33) corresponded to the host nc command, and this matched the HOST_FORWARD line (FD 12). However, it never became ESTABLISHED. And a few seconds later, nc died with Connection reset by peer. , and the FD 33 line disappeared.

If I nc localhost 22222, I can see the OpenSSH banner.

So it seems only port 22 forwarded. Any idea about the cause or how to debug?

Both host and guest had no firewalliptables configured, and SELinux is permissive.

Thanks

Edit:

As a temporary workaround, I configured a second nic, and used port 22 of the new interface for forwarding my service. I also switch to the newer -nic option, but hostfwd still worked for port 22 only.

qemu-system-x86_64 -m 4096 -drive file=vmimage.qcow2,if=virtio \
                   -boot once=c,menu=on \
                   -nic user,model=virtio-net-pci,hostfwd=tcp::60022-:22 \
                   -nic user,model=virtio-net-pci,net=10.0.3.0/24,hostfwd=tcp::8080-10.0.3.15:22

To forward successfully, I also need to

• Configure sshd to listen to port 22 the first nic only.
• Configure my service to listen to port 22 of the second nic.
• Configure the second nic to use a different network. Otherwise, both nics were assigned the same IP (10.0.2.15. I may better hardcode the IP for both nics.)

Solution

The problem was actually about firewall. My VM (based on Oracle Linux 8.5 on Oracle Linux VM Templates) actually had firewall rules in both iptables and nft. After disabling both iptables and nft, the port forward worked.

Answered By - Fat P