port redirection from kvm host to guest

January 23, 2012 2:58 am

I’ve just started using kvm in earnest, and immediately ran into the challenge of how to access my guest via ssh. My first instinct was to configure the guest in bridged mode, but this doesn’t work well (or at all) with wireless interfaces.

So plan B was to set up port redirection from the host to the guest, e.g. so that ssh’ing to localhost port 2222 would redirect to the guest’s port 22.

After a quick google, some fiddling with iptables, and a glance at the libvirt Networking wiki page, I was still having no luck. Then it hit me – my guest was using user-mode networking, and rather than getting its DHCP-allocated IP from the libvirtd-launched dnsmasq instance on the host, was receiving a hardcoded allocation of from the host which is on This can be extremely puzzling at first, because no network commands run on the host (such as ifconfig, iptables, brctl, route) will reveal this magic address, yet the host is still accessible from the guest via it.

After a lot more googling, I stumbled across a technique for configuring host to guest port redirection on a running VM. This sounded very promising, but virt-manager refused to accept the magic Control-Alt-2 key combination to switch to QEMU monitor mode. It turns out that this is no accident. However, since libvirt 0.8.8, the QEMU monitor can be accessed via virsh.
Note that the --hmp option is required, otherwise the monitor expects the command in JSON format, so omitting it leads to errors like error: internal error cannot parse json ... lexical error: invalid char in json text.

The final hurdle was figuring out the correct monitor command. The host_net_redir command as mentioned in the above article is no longer recognized. Luckily the QEMU monitor interface helped me out here – I spotted an encouraging sounding command hostfwd_add:

# virsh qemu-monitor-command --hmp sles11 'help hostfwd_add'
hostfwd_add [vlan_id name] [tcp|udp]:[hostaddr]:hostport-[guestaddr]:guestport -- redirect TCP or UDP connections from host to guest (requires -net user)

and Google confirmed that the latter had superseded the former.

So finally we have the complete solution:

# virsh qemu-monitor-command --hmp sles11 'hostfwd_add ::2222-:22'
# ssh -p 2222 localhost
Last login: Mon Jan 23 00:37:44 2012
linux-mnsh:~ #
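
An added example, not part of the original post: a POSIX shell check to run on a hostfwd rule before sending it to the monitor. It relies on the user-mode networking behaviour that an empty hostaddr (as in ::2222-:22) listens on all host interfaces rather than only on localhost; the function names are hypothetical.

```shell
# Rule syntax, per the help text above:
#   [tcp|udp]:[hostaddr]:hostport-[guestaddr]:guestport

# valid_port N: succeeds if N is an integer in 1..65535.
valid_port() {
    case $1 in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# hostfwd_audit RULE: prints "invalid", "ok", or a comma-separated list of
# findings: "wildcard" (empty hostaddr or 0.0.0.0, so the forward listens on
# every host interface) and "privileged" (host port below 1024, which a QEMU
# process without root or CAP_NET_BIND_SERVICE normally cannot bind on Linux).
hostfwd_audit() {
    case $1 in *:*:*-*:*) ;; *) echo invalid; return 1 ;; esac
    proto=${1%%:*}; rest=${1#*:}
    host=${rest%%-*}; guest=${rest#*-}
    haddr=${host%:*}; hport=${host##*:}; gport=${guest##*:}
    case $proto in ''|tcp|udp) ;; *) echo invalid; return 1 ;; esac
    if ! valid_port "$hport" || ! valid_port "$gport"; then
        echo invalid; return 1
    fi
    findings=
    case $haddr in ''|0.0.0.0) findings=wildcard ;; esac
    [ "$hport" -lt 1024 ] && findings=${findings:+$findings,}privileged
    echo "${findings:-ok}"
}

# hostfwd_pin_loopback RULE: prints RULE with hostaddr forced to 127.0.0.1,
# so only processes on the host itself can reach the forwarded port.
# Reuses the variables that hostfwd_audit sets in the current shell.
hostfwd_pin_loopback() {
    hostfwd_audit "$1" >/dev/null || return 1
    echo "${proto:-tcp}:127.0.0.1:$hport-$guest"
}

# Constructed usage: the rule from the post, audited and pinned to loopback.
# The virsh command is only printed; sles11 is the domain name used above.
rule='::2222-:22'
echo "audit: $(hostfwd_audit "$rule")"
echo "virsh qemu-monitor-command --hmp sles11 'hostfwd_add $(hostfwd_pin_loopback "$rule")'"
```

With the loopback-pinned rule, ssh -p 2222 localhost on the host still works, while the guest's sshd is not offered on the host's other interfaces.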


UPDATE: just found another very simple solution – add a new NIC to the VM which doesn’t use user-mode networking. Then it will get an IP (on by default) which is still NAT’d but also routable via virbr0 on the host, meaning no redirection is necessary; just ssh directly to the guest’s IP from the host. A minor disadvantage of this is that the guest won’t be directly reachable from outside the host, but that’s unlikely to be an issue in most scenarios.


8 Responses to “port redirection from kvm host to guest”

  1. Frank Martens says:

    Ok cool… but! If I shut down the KVM domain sles11 and restart it, will the port forward remain?

  2. Frank Martens says:

    Now here’s a problem… I’m not using “user-mode networking”… however it doesn’t seem to be forwarding the port automatically… I tried telnetting to the port.

    Any idea on how the setup works with NAT on the host? I have a virbr0 adapter with address… however the KVM client picks up

    Which address is the real address?

  3. kvmuser says:

    Tried this solution, but it works only with some ports. It seems as if there is a problem with standard ports:
    virsh qemu-monitor-command --hmp sles11 'hostfwd_add ::80-:80'

    This is not working. Forwarding 8080 to 80 is working, but this is not what I want. Port 80 is not in use on the host, no iptables rules are blocking, … Any idea why this is not possible?

  4. kilmarnock says:

    I prefer the solution of Steve.
    It is clean, single-point-of-messing-with-networking style.

  5. Girish says:


    I am facing the same issue; I am loading windriver as guest OS on an Ubuntu host using KVM+Qemu.
    I am using the following command to redirect the TCP port:
    -redir tcp:2222::22

    But I am still getting an error while trying to connect from the host.
    I am using the following command to connect from the host:
    >$ ssh -p 2222 root@localhost -v

    It is failing with this error:

    ssh_exchange_identification: read: Connection reset by peer

    Can you please guide me on where I am making a mistake?

