Why does port Forwarding not open my port

i am struggling with port forwarding and virtualization, i have come quite far and could open and forward a port (9867) to my vm after this tutorial: https ://aboullaite.me/kvm-qemo-forward-ports-with-iptables/

here my iptables:

[email protected] ~/.ssh # iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 4445 packets, 245K bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   220 DNAT       tcp  --  *      *              tcp dpt:9888 to:
    9   452 DNAT       tcp  --  *      *              tcp dpt:9867 to:

Chain INPUT (policy ACCEPT 4377 packets, 237K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 35 packets, 2529 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 41 packets, 2793 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *
    0     0 RETURN     all  --  *      *
   34  1768 MASQUERADE  tcp  --  *      *    !     masq ports: 1024-65535
   85  5512 MASQUERADE  udp  --  *      *    !     masq ports: 1024-65535
    0     0 MASQUERADE  all  --  *      *    !
    0     0 MASQUERADE  all  --  *      *
   13  1608 MASQUERADE  all  --  *      *
    0     0 MASQUERADE  all  --  *      *

with the port 9867 it works great, here my nmap output:

[email protected]:~# nmap <my Server> -p 9867
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-16 12:58 EDT
Nmap scan report for <my Server> (<my Server IP>)
Host is up (0.020s latency).
rDNS record for <my Server IP>: static.<my Server IP>.clients.your-server.de

9867/tcp open  unknown

but my port 9888 is closed:

9888/tcp closed cyborg-systems

can anyone tell me why it’s not open? I followed the instructions above for both.

I would be very happy about an answer… :slight_smile:

btw. can you tell me, how i can tag my question?

Do you have a service actually accepting connections on

i’m not 100% sure which ports are used… So is it so that a port is only recognized as open if the firewall lets it through and if a service listens?

Correct: If there is no service to accept the tcp connection, nmap will report the state of the service as “closed.”

Also keep in mind, the PREROUTING table of the nat chain is called before the FORWARD table of the filter chain.

Meaning by the time the FORWARD table is hit, the traffic originally destined for port 9888 is now destined for so you need a rule that ACCEPTS the traffic destined for port 2302.

You didn’t post anything from your filter table, so you either blanket ACCEPT all forward traffic, or you correctly accept the ssh traffic but not the port 2302 traffic.

thanks for your replies, i checked my windows vm to see which ports are used. I noticed that my server uses even more ports. After I forwarded the ports, everything works.

I have above everything from the output iptables -t nat -L -n -v gepostet, also now my input tables are empty, but ssh to the server and the connections to the vm´s work fine.

I can mark my mail as solved somewhere.