SSH into gnome boxes VM

Hi,
I would like to run a server on my home PC. I don’t want to run it directly, since I want to give a few friends SSH access to that server, but I don’t want my other devices to get exposed to that server or my friends. I figured a safe way to do it is to set up a VM and set the DMZ and NAT in my router so that people can SSH into my fixed router IP, which will be forwarded to the IP of my Fedora PC, which further forwards it to the VM.

Thus far I’m able to SSH into my Fedora PC from within my network as well as from outside.

I checked my IPs on my Fedora PC with:

ip addr | grep 192.168
    inet 192.168.1.188/24 brd 192.168.1.255 scope global noprefixroute enp4s0
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0

and I assume that 192.168.122.1 is the IP of my VM since it says virbr0 there, right? I’m so far not able to SSH into my VM.
I would be grateful for any help.

I set up the forwarding with:
iptables -t nat -I PREROUTING -p tcp -d 199.168.104.49 --dport 22 -j DNAT --to-destination 192.168.122.20:22
iptables -I FORWARD -m state -d 192.168.122.20/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT

When I check with iptables -L -n:

iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
LIBVIRT_INP  all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24     state NEW,RELATED,ESTABLISHED
LIBVIRT_FWX  all  --  0.0.0.0/0            0.0.0.0/0           
LIBVIRT_FWI  all  --  0.0.0.0/0            0.0.0.0/0           
LIBVIRT_FWO  all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
LIBVIRT_OUT  all  --  0.0.0.0/0            0.0.0.0/0           

Chain LIBVIRT_FWI (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWO (1 references)
target     prot opt source               destination         
ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0           
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWX (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain LIBVIRT_INP (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain LIBVIRT_OUT (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:68
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:68
[root@localhost waterbox]#

Your topic mentions GNOME Boxes but everything in your post seems related to libvirt. Which one are you using? Are you using the Flatpak version of GNOME Boxes? Have you overlaid libvirt on the host in Silverblue?

On bridge interfaces created by libvirt, the X.Y.Z.1 IP is given to the host. As you used later, 192.168.122.20 is probably your VM IP.

Note that with recent versions of libvirt and firewalld, the nftables backend is used instead of iptables for netfilter rules management.
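
The host/guest address distinction from the reply above, as an added example that is not part of the original thread: it classifies an address as the host's own (such as the X.Y.Z.1 address on virbr0) or a guest DHCP lease before that address is used as a DNAT target. The lease table, the hostname `sshvm` and the function names `who_owns` and `check_dnat_target` are constructed for illustration; the `default` network name and the `qemu:///system` connection are assumptions.

```shell
#!/bin/sh
# Constructed sample data. On a live host, fill these from (assumed setup):
#   HOST_ADDRS=$(ip -4 addr)
#   LEASES=$(virsh -c qemu:///system net-dhcp-leases default)
HOST_ADDRS='    inet 192.168.1.188/24 brd 192.168.1.255 scope global noprefixroute enp4s0
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0'
LEASES=' Expiry Time           MAC address         Protocol   IP address          Hostname   Client ID or DUID
------------------------------------------------------------------------------------------------------
 2030-01-01 12:00:00   52:54:00:12:34:56   ipv4       192.168.122.20/24   sshvm      01:52:54:00:12:34:56'

# who_owns IP: print "host:<iface>", "guest:<hostname>" or "unknown".
who_owns() {
    # Host addresses first: an "inet ADDR/LEN ... IFACE" line means the host owns ADDR.
    owner=$(printf '%s\n' "$HOST_ADDRS" | awk -v ip="$1" '
        $1 == "inet" { split($2, a, "/"); if (a[1] == ip) { print "host:" $NF; exit } }')
    if [ -z "$owner" ]; then
        # Lease rows: date, time, MAC, protocol, ADDR/LEN, hostname.
        owner=$(printf '%s\n' "$LEASES" | awk -v ip="$1" '
            $4 == "ipv4" { split($5, a, "/"); if (a[1] == ip) { print "guest:" $6; exit } }')
    fi
    echo "${owner:-unknown}"
}

# check_dnat_target IP: succeed only if IP is a leased guest address,
# i.e. something a DNAT --to-destination can usefully point at.
check_dnat_target() {
    case "$(who_owns "$1")" in
        guest:*) echo "$1: guest lease, usable as --to-destination"; return 0 ;;
        host:*)  echo "$1: the host's own address, not a VM"; return 1 ;;
        *)       echo "$1: matches no host address and no lease"; return 1 ;;
    esac
}

# Demo over the two addresses from the thread plus one unassigned address.
for ip in 192.168.122.1 192.168.122.20 192.168.122.99; do
    check_dnat_target "$ip" || true
done
```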