Hi,

On RHEL 5.5, I set up iptables rules for forwarding ports to some of my virtual machines. For example:

    iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 3380 -j DNAT --to-destination 192.168.123.2:3389
    iptables -I FORWARD -d 192.168.123.2 -i eth0 -p tcp -m tcp --dport 3389 -m state --state NEW -j ACCEPT

These worked fine, and I saved them with 'service iptables save'. However, upon rebooting the server the forwarding no longer works. When I inspect the configuration with 'iptables -L', I see that the rules libvirt creates were inserted before the rules from /etc/sysconfig/iptables. Since the rules from libvirt include one that rejects any new connections, the data I want forwarded is dropped. For example,

    target  prot opt in      out     source            destination
    ACCEPT  all  --  any     virbr1  anywhere          192.168.123.0/24  state RELATED,ESTABLISHED
    ACCEPT  all  --  virbr1  any     192.168.123.0/24  anywhere
    ACCEPT  all  --  virbr1  virbr1  anywhere          anywhere
    REJECT  all  --  any     virbr1  anywhere          anywhere          reject-with icmp-port-unreachable
    REJECT  all  --  virbr1  any     anywhere          anywhere          reject-with icmp-port-unreachable
    ACCEPT  tcp  --  eth0    any     anywhere          192.168.123.2     tcp dpt:ms-wbt-server state NEW

How should I configure iptables so that my rules and libvirt's play nicely? Basically I need my ACCEPTs to end up before libvirt's REJECTs. I looked through the list archives and libvirt documentation but did not see an answer to this question.

-- 
Brian Pitts
Systems Administrator | EuPathDB Bioinformatics Resource Center
706-542-1447 | bdp at uga.edu | http://eupathdb.org
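
Added example, not part of the original post: a first-match walk over the FORWARD listing quoted above, showing which rule decides a NEW tcp connection to 192.168.123.2:3389 arriving on eth0. The client address 203.0.113.10, the outgoing interface virbr1 and the SERVICES lookup table are assumptions constructed for the example.

```python
import ipaddress

# FORWARD chain rows as listed in the post, order preserved.
LISTING = """\
ACCEPT all -- any virbr1 anywhere 192.168.123.0/24 state RELATED,ESTABLISHED
ACCEPT all -- virbr1 any 192.168.123.0/24 anywhere
ACCEPT all -- virbr1 virbr1 anywhere anywhere
REJECT all -- any virbr1 anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- virbr1 any anywhere anywhere reject-with icmp-port-unreachable
ACCEPT tcp -- eth0 any anywhere 192.168.123.2 tcp dpt:ms-wbt-server state NEW
"""
SERVICES = {"ms-wbt-server": 3389}  # constructed: name the listing shows for --dport 3389
# Constructed packet: the DNAT'ed connection as the FORWARD chain sees it.
PKT = {"proto": "tcp", "in": "eth0", "out": "virbr1", "src": "203.0.113.10",
       "dst": "192.168.123.2", "dport": 3389, "state": "NEW"}

def parse(listing):
    """Turn 'iptables -L -v' style rows into dicts, numbered in chain order."""
    rules = []
    for n, line in enumerate(listing.splitlines(), 1):
        target, proto, _opt, in_if, out_if, src, dst, *extra = line.split()
        rule = {"num": n, "target": target, "proto": proto, "in": in_if,
                "out": out_if, "src": src, "dst": dst, "states": None, "dport": None}
        for i, tok in enumerate(extra):
            if tok == "state":
                rule["states"] = set(extra[i + 1].split(","))
            elif tok.startswith("dpt:"):
                port = tok[4:]
                rule["dport"] = int(port) if port.isdigit() else SERVICES[port]
        rules.append(rule)
    return rules

def addr_ok(spec, addr):
    return spec == "anywhere" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def first_match(rules, pkt):
    """Return the first rule that matches pkt; ACCEPT and REJECT end traversal."""
    for r in rules:
        if (r["proto"] in ("all", pkt["proto"])
                and r["in"] in ("any", pkt["in"]) and r["out"] in ("any", pkt["out"])
                and addr_ok(r["src"], pkt["src"]) and addr_ok(r["dst"], pkt["dst"])
                and (r["states"] is None or pkt["state"] in r["states"])
                and (r["dport"] is None or r["dport"] == pkt["dport"])):
            return r
    return None

if __name__ == "__main__":
    hit = first_match(parse(LISTING), PKT)
    print("decided by rule %d: %s" % (hit["num"], hit["target"]))
```

Run against the listing as posted, the NEW connection is decided by rule 4 (the first REJECT) and never reaches the ACCEPT at rule 6; with the same ACCEPT placed ahead of the REJECTs it is the deciding rule.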