Hi All,

I created a couple of virtual networks (forward mode=nat) in my rhel6-kvm box. I've come across 2 weird issues.

1. My iptables rule chainset contains repeated rules. The same rule gets repeated block by block.

2. For connecting to guests using SSH, I created a custom iptables chain. I want this chain to be on top of the FORWARD chain, but every time libvirtd is restarted the rule ends up at the bottom of the chain (appended).

Can anyone suggest what the solution could be? My iptables rules are given below. Let me know if any further info is needed.

[root at santiago Packages]# iptables -L -n -v
Chain INPUT (policy ACCEPT 41 packets, 5818 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
    0     0 ACCEPT     udp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
    0     0 ACCEPT     udp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
    0     0 ACCEPT     udp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
    0     0 ACCEPT     udp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
    0     0 ACCEPT     udp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
    0     0 ACCEPT     udp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
    0     0 ACCEPT     udp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
    0     0 ACCEPT     udp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
    0     0 ACCEPT     udp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
    0     0 ACCEPT     udp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
    0     0 ACCEPT     udp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      vbr0    0.0.0.0/0            10.10.0.0/24        state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  vbr0   *       10.10.0.0/24         0.0.0.0/0
    0     0 ACCEPT     all  --  vbr0   vbr0    0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      vbr0    0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      vbr1    0.0.0.0/0            10.10.1.0/24        state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  vbr1   *       10.10.1.0/24         0.0.0.0/0
    0     0 ACCEPT     all  --  vbr1   vbr1    0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      vbr1    0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
 5688  588K rhel-virt-forward-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      vbr0    0.0.0.0/0            10.10.0.0/24        state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  vbr0   *       10.10.0.0/24         0.0.0.0/0
    0     0 ACCEPT     all  --  vbr0   vbr0    0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      vbr0    0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      vbr1    0.0.0.0/0            10.10.1.0/24        state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  vbr1   *       10.10.1.0/24         0.0.0.0/0
    0     0 ACCEPT     all  --  vbr1   vbr1    0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      vbr1    0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      vbr0    0.0.0.0/0            10.10.0.0/24        state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  vbr0   *       10.10.0.0/24         0.0.0.0/0
    0     0 ACCEPT     all  --  vbr0   vbr0    0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      vbr0    0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      vbr1    0.0.0.0/0            10.10.1.0/24        state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  vbr1   *       10.10.1.0/24         0.0.0.0/0
    0     0 ACCEPT     all  --  vbr1   vbr1    0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      vbr1    0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      vbr0    0.0.0.0/0            10.10.0.0/24        state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  vbr0   *       10.10.0.0/24         0.0.0.0/0
    0     0 ACCEPT     all  --  vbr0   vbr0    0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      vbr0    0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      vbr1    0.0.0.0/0            10.10.1.0/24        state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  vbr1   *       10.10.1.0/24         0.0.0.0/0
    0     0 ACCEPT     all  --  vbr1   vbr1    0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      vbr1    0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      vbr0    0.0.0.0/0            10.10.0.0/24        state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  vbr0   *       10.10.0.0/24         0.0.0.0/0
    0     0 ACCEPT     all  --  vbr0   vbr0    0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      vbr0    0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      vbr1    0.0.0.0/0            10.10.1.0/24        state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  vbr1   *       10.10.1.0/24         0.0.0.0/0
    0     0 ACCEPT     all  --  vbr1   vbr1    0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      vbr1    0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      vbr0    0.0.0.0/0            10.10.0.0/24        state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  vbr0   *       10.10.0.0/24         0.0.0.0/0
    0     0 ACCEPT     all  --  vbr0   vbr0    0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      vbr0    0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      vbr1    0.0.0.0/0            10.10.1.0/24        state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  vbr1   *       10.10.1.0/24         0.0.0.0/0
    0     0 ACCEPT     all  --  vbr1   vbr1    0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      vbr1    0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged

Chain OUTPUT (policy ACCEPT 38 packets, 4234 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain rhel-virt-forward-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
   25  2100 ACCEPT     icmp --  eth0   vbr1    0.0.0.0/0            0.0.0.0/0
 3515  262K ACCEPT     tcp  --  eth0   vbr1    0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     icmp --  eth0   vbr0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth0   vbr0    0.0.0.0/0            0.0.0.0/0           tcp dpt:22

**************
Details about my virtual network interfaces are given below:

[root at santiago Packages]# virsh net-list --all
Name                 State      Autostart
-----------------------------------------
vir0                 active     yes
vir1                 active     yes

Thank you in advance.

Regards,
--Kurian.
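Both issues in the post can be checked mechanically from the listing rather than by eye. The script below is an added example (not the poster's code or libvirt's): it parses `iptables -L -n -v` output, reports every rule that appears more than once in a chain, and tells you at which position a custom chain is referenced in FORWARD (1 means it is evaluated first). SAMPLE is a constructed, cut-down listing in the same format as the output above.

```python
# Added example (not from the original post): parse `iptables -L -n -v`
# output, report rules repeated inside a chain, and find the position at
# which a custom chain is referenced. SAMPLE is a constructed, cut-down listing.
import re
from collections import Counter

SAMPLE = """\
Chain INPUT (policy ACCEPT 41 packets, 5818 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      vbr0    0.0.0.0/0            10.10.0.0/24        state RELATED,ESTABLISHED
    0     0 REJECT     all  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
 5688  588K rhel-virt-forward-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      vbr0    0.0.0.0/0            10.10.0.0/24        state RELATED,ESTABLISHED
    0     0 REJECT     all  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
"""

CHAIN_RE = re.compile(r"^Chain (\S+) ")

def parse(text):
    """Return {chain: [rule, ...]}; counters are dropped so repeats compare equal."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and line.strip() and not line.lstrip().startswith("pkts"):
            chains[current].append(" ".join(line.split()[2:]))  # drop pkts/bytes
    return chains

def duplicates(chains):
    """Map chain -> {rule: count} for every rule listed more than once."""
    out = {}
    for chain, rules in chains.items():
        dup = {r: n for r, n in Counter(rules).items() if n > 1}
        if dup:
            out[chain] = dup
    return out

def jump_position(chains, chain, target):
    """1-based position of the first rule in `chain` with target `target`, else None."""
    for i, rule in enumerate(chains.get(chain, []), start=1):
        if rule.split()[0] == target:
            return i
    return None
```

Feed it the real listing (for example `parse(open("iptables.txt").read())`) and compare `jump_position(...)` before and after a libvirtd restart to confirm whether the custom chain has been pushed down.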