How to forward all network traffic to the MicroVM?

[WeeJeWel]

Is it possible to forward all network traffic to the MicroVM, except if those ports have already been claimed by another process on the host?

For example, a Raspberry Pi listens on TCP:22. A MicroVM starts a webserver at a random port, e.g. 1234.

Visiting raspberrypi.local:1234 should then be forwarded to the MicroVM.
Connecting to raspberrypi.local:22 will connect to the host's SSH server.

I've got port forwarding to work using sudo iptables -t nat -A PREROUTING -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.16.0.2:8080 for port 8080, and now I'd like to 'wildcard' it.

Basically, the same behavior as Docker would have when running a container in host mode.

[WeeJeWel]

Or, maybe the other way around, when a process inside the MicroVM listens on a port, create a forwarding rule, and remove it once the process stops listening.

[cipriancraciun]

I don't think iptables supports a match that says "if something listens on a port", but you could create a prerouting rule that just -j ACCEPT the ports that you know should be handled locally, and then put a rule like your one, but without the port, like for example iptables -t nat -A PREROUTING -p tcp -j DNAT --to-destination 172.16.0.2.

(Also, note that locally generated traffic on the host is not affected by prerouting rules, you'll have to duplicate the rules on the OUTPUT chain of the nat table.)

[cipriancraciun]

Quickly looking in the man iptables-extensions there is the socket match that might do what you are searching for, but I haven't used it.