For those using iptables who would like to configure it to allow HTTP and RDP access to guest VMs, here are the steps to configure it and an explanation of the rules.

1. Configure iptables to use the nat table to route the mapped port to the guest VM IP address and port.

sudo iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 192.168.122.202:3389

2. Configure the filter table and forward chain to allow the traffic to the target guest VM.

(Do note that the default LIBVIRT_FWI CHAIN does not allow new connections to the guest VM behind the NAT interface.) So you either add the forward accept rule in the LIBVIRT_FWI CHAIN, or make sure that the FILTER TABLE FORWARD CHAIN rule comes before the LIBVIRT_FWI CHAIN.

To configure the rule inside the LIBVIRT_FWI CHAIN

# To configure the rule in the FILTER TABLE – LIBVIRT_FWI CHAIN

sudo iptables -I LIBVIRT_FWI 1 -d 192.168.122.202 -p tcp -m tcp --dport 3389 -j ACCEPT

# or
# To configure rule in the default FILTER TABLE – FORWARD CHAIN

sudo iptables -I FORWARD 1 -d 192.168.122.202 -p tcp -m tcp --dport 3389 -j ACCEPT

3. If you are using the default NAT (virbr0/virbr1), then a MASQUERADE rule should have been created to allow the Guest VM to have its IP MASQUERADED through the WAN interface. However, if you are creating your own virtual bridge or the rules are not created by default, then you can add the following MASQUERADE command to your NAT TABLE POSTROUTING CHAIN.

# To configure the rule in the NAT TABLE – LIBVIRT_PRT CHAIN you can specify the entire subnet or just the Guest VM IP address.

sudo iptables -t nat -I LIBVIRT_PRT 1 -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE

# or
# To configure the rule in the default NAT TABLE – POSTROUTING CHAIN you can specify the entire subnet or just the Guest VM IP address.

sudo iptables -t nat -I POSTROUTING 1 -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
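
The DNAT rule in step 1 matches any TCP packet to port 3389 that passes through the host, whatever interface or source address it comes from. As an added example (not part of the original post), the script below builds the same DNAT and LIBVIRT_FWI rules limited to one inbound interface and one source range, and inserts them only if they are not already present. The interface name, the source range and all function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post). WAN_IF, SRC_CIDR and all
# function names are assumptions; chain names and addresses come from the post.

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# valid_port N: succeed only for an integer in 1-65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_rules WAN_IF SRC_CIDR HOST_PORT GUEST_IP GUEST_PORT
# Prints one "table chain rule-spec" line per rule, or fails on bad input.
build_rules() {
    [ "$#" -eq 5 ] && [ -n "$1" ] && [ -n "$2" ] || return 2
    case "$1$2" in *[!A-Za-z0-9./_-]*) return 2 ;; esac
    valid_port "$3" && valid_ipv4 "$4" && valid_port "$5" || return 2
    # DNAT only traffic arriving on the WAN interface from the allowed range.
    echo "nat PREROUTING -i $1 -s $2 -p tcp --dport $3 -j DNAT --to-destination $4:$5"
    # After DNAT the forward path sees the guest address and guest port.
    echo "filter LIBVIRT_FWI -i $1 -s $2 -d $4 -p tcp -m tcp --dport $5 -j ACCEPT"
}

# apply_rules ARGS...: insert each rule at position 1 unless it already exists
# (iptables -C returns non-zero when the rule is absent). Needs root.
apply_rules() {
    rules=$(build_rules "$@") || return 2
    echo "$rules" | while read -r table chain spec; do
        # $spec is split on purpose; every field was validated above.
        iptables -t "$table" -C "$chain" $spec 2>/dev/null ||
            iptables -t "$table" -I "$chain" 1 $spec || exit 1
    done
}
```

Call build_rules first to review the generated rules (for example with eth0, 203.0.113.0/24, 3389, 192.168.122.202, 3389 as constructed sample arguments), then call apply_rules with the same arguments as root.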