Hello All:

I'll ask this in the virt list later if this is not the appropriate forum...

Yesterday I was troubleshooting an issue with a KVM host. I was unable to access the DNS service on a KVM virtual machine. After verifying that the vm allowed through the DNS ports (53 on UDP/TCP) and still being unable to access, I was able to connect immediately after allowing those ports on the KVM host. Is there any way around this? The reason is that I would like to allow only SSH access to the host, but allow other services to the virtual machines.

I am running CentOS 5.5 on both hosts and vm.

Thanks,
Kwan
On 19/01/11 11:21, Kwan Lowe wrote:
> Hello All:
> I'll ask this in the virt list later if this is not the appropriate forum...
>
> Yesterday I was troubleshooting an issue with a KVM host. I was
> unable to access the DNS service on a KVM virtual machine.

From where? Another VM, the host or from outside the host?
On 01/18/2011 02:21 PM, Kwan Lowe wrote:
>
> Yesterday I was troubleshooting an issue with a KVM host. I was
> unable to access the DNS service on a KVM virtual machine. After
> verifying that the vm allowed through the DNS ports (53 on UDP/TCP)
> and still being unable to access, I was able to connect immediately
> after allowing those ports on the KVM host. Is there any way around
> this? The reason is that I would like to allow only SSH access to the
> host, but allow other services to the virtual machines.

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Virtualization/sect-Virtualization-Network_Configuration-Bridged_networking_with_libvirt.html

If you have your networking set up as Red Hat advises, the host's firewall will not affect guests. Those systems will be responsible for their own firewalling.
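As an added illustration of the "host firewall stays out of the guests' way" setup described in the reply above (this script is not from the thread, from Red Hat's documentation or from CentOS; it is example code written for this page), the following sketches a host-only iptables policy: SSH is the only service the host itself accepts, while frames crossing the libvirt bridge are left to the guests' own firewalls. It assumes a CentOS 5-era iptables with the physdev match, a bridge named br0 (placeholder, override with BRIDGE=...), SSH on tcp/22, and the standard net.bridge.bridge-nf-call-* sysctl keys. The reason the original poster saw host rules affecting guest DNS is that, when bridge-nf-call-iptables is 1, bridged frames are also passed through the host's FORWARD chain, which the stock CentOS 5 ruleset rejects; turning that off (or explicitly accepting bridged frames in FORWARD) is what keeps the host policy separate from the guests.

```shell
#!/bin/sh
# Added example, not code from the thread: host-only iptables policy for a KVM
# host whose guests sit on a bridge. Assumptions: bridge br0 (placeholder),
# SSH on tcp/22, physdev match available. Only "--apply" changes anything and
# it refuses to run unless invoked as root; otherwise functions just print.

BRIDGE="${BRIDGE:-br0}"      # assumed bridge name; set BRIDGE=... to override
SSH_PORT="${SSH_PORT:-22}"   # management port that stays open on the host

# Current value of the kernel switch that hands bridged frames to iptables.
# Prints 0, 1, or "unknown" when the bridge module is not loaded.
bridge_filter_state() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# sysctl settings that keep the host's iptables/ip6tables/arptables out of
# the bridge path, so guest traffic never meets the host FORWARD chain.
sysctl_fragment() {
    cat <<'EOF'
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
EOF
}

# INPUT chain for the host itself: loopback, already-established flows and
# new SSH connections are accepted; everything else is rejected.
host_input_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}

# Belt and braces: if bridge filtering is left on, accept frames that both
# enter and leave through the bridge so the guests' own rules decide.
forward_rules() {
    cat <<EOF
iptables -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
EOF
}

# Apply the sysctls and rules for real. Root only; prints the plan first.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    echo "bridge-nf-call-iptables before: $(bridge_filter_state)"
    # "key = value" lines -> sysctl -w key=value
    sysctl_fragment | sed 's/ //g' | while IFS= read -r kv; do
        sysctl -w "$kv"
    done
    { host_input_rules; forward_rules; } | sh -e
    echo "bridge-nf-call-iptables after: $(bridge_filter_state)"
}

case "${1:-}" in
    --apply) apply_rules ;;
    --show)  host_input_rules; forward_rules; sysctl_fragment ;;
esac
```

Run it with --show to review the rule set before committing to anything; --apply is the only path that touches the kernel. The sysctl lines belong in /etc/sysctl.conf on CentOS 5 so they survive a reboot, and the iptables rules would normally be saved with service iptables save once they behave as intended.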
On Tue, 2011-01-18 at 17:21 -0500, Kwan Lowe wrote:
> Yesterday I was troubleshooting an issue with a KVM host. I was
> unable to access the DNS service on a KVM virtual machine. After
> verifying that the vm allowed through the DNS ports (53 on UDP/TCP)
> and still being unable to access, I was able to connect immediately
> after allowing those ports on the KVM host. Is there any way around
> this? The reason is that I would like to allow only SSH access to the
> host, but allow other services to the virtual machines.

I just disable iptables on the host. Maybe that's not the best solution for your particular situation, but in mine, it works fine. I use tcp wrappers to allow ssh access to only those I deem worthy, and we have external firewalls in place as well (I lock down our boxes in other ways, as well). I haven't seen the need to put in a host based firewall...yet, anyway.

Regards,

Ranbir

--
Kanwar Ranbir Sandhu
Linux 2.6.32.26-175.fc12.x86_64 x86_64 GNU/Linux
15:39:12 up 9 days, 21:23, 3 users, load average: 0.03, 0.07, 0.02