thr3ads.net - libvirt users - [libvirt-users] Problems with nwfilters/iptables [Mar 2012]

If this information is useful, please help other people find it:
Share via:

Nicolai Stange

2012-Mar-29 07:47 UTC

[libvirt-users] Problems with nwfilters/iptables

Hi all,

I've got a problem with nwfilters/iptables. For one of my guest's
interfaces, I have established the following filter:
--8<---------------cut here---------------start------------->8---
<filter name='p-mgmt' chain='root'>
  <uuid>94fdd15b-b380-ba8c-6685-91206829adc7</uuid>
  <filterref filter='clean-traffic'/>
  <rule action='accept' direction='in'
priority='500'>
    <tcp dstportstart='22'/>
  </rule>
  <rule action='drop' direction='inout'
priority='1000'>
    <all/>
  </rule>
</filter>
</filter>--8<---------------cut
here---------------end--------------->8---
The intent is to allow incoming ssh only.

However, ssh from my host to my guest does not work. This is the
relevant iptables excerpt with the filter given as above:
--8<---------------cut here---------------start------------->8---
root:~# iptables -L HI-vnet5
Chain HI-vnet5 (1 references)
target     prot opt source               destination         
RETURN     tcp  --  anywhere             anywhere             tcp spt:ssh state
ESTABLISHED ctdir ORIGINAL
DROP       all  --  anywhere             anywhere 
root:~# 
--8<---------------cut here---------------end--------------->8---

The chain relations are: INPUT -> libvirt-host-in -> HI-vnet5.

The interesting thing is: If I insert the same rule again, but with
ctdir reversed, everything works just fine:
--8<---------------cut here---------------start------------->8---
root:~# iptables -I HI-vnet5 1 -p tcp --sport 22 -m state --state ESTABLISHED -m
conntrack --ctdir REPLY -j RETURN
root:~# iptables -L HI-vnet5
Chain HI-vnet5 (1 references)
target     prot opt source               destination         
RETURN     tcp  --  anywhere             anywhere             tcp spt:ssh state
ESTABLISHED ctdir REPLY
RETURN     tcp  --  anywhere             anywhere             tcp spt:ssh state
ESTABLISHED ctdir ORIGINAL
DROP       all  --  anywhere             anywhere            
root:~#
--8<---------------cut here---------------end--------------->8---

I am not an iptables expert, but if my guest's ssh daemon replies to my
host's requests (and thus the packets are traversing my host's INPUT
chain), I would guess that the direction is "REPLY" rather than
"ORIGINAL".

I'm really stuck with this and it would be really great if someone could
clarify things to me!

I'm running Ubuntu 12.04 (kernel 3.2.0-20-generic) coming with libvirt
0.9.8-2ubuntu1.

Best,

Nicolai

Reasonably Related Threads

Search for more reasonably related threads

libvirt users - Mar 2012 - Problems with nwfilters/iptables

[libvirt-users] Problems with nwfilters/iptables

Reasonably Related Threads

Wisdom of the Ancients