Hi,

I'm using libvirt to manage some VMs on a CentOS host, and I need some custom iptables rules to always be in place for some communications to happen, e.g. between the VMs and the outside world in both directions.

Some of these rules need to be at the top of the iptables chain, otherwise the default rules added by libvirt would block the communications I need. So I cannot just add the rules in /etc/sysconfig/iptables, because libvirt adds its own rules _before_ the rules contained in this config file.

I was looking at filters, but maybe not every rule can be made into a filter? Specifically, I need a rule for the POSTROUTING chain in the "nat" table. Can it be added through filters?

Also, regarding the "iptables restart problem" described in the last paragraph at <http://libvirt.org/firewall.html>, is there really no acceptable way to make libvirt add its rules back automatically upon iptables/network restart?

Thanks for any info.

Marco

--
01
Laine Stump
2014-Jan-08 15:17 UTC
Re: [libvirt-users] Best practice for custom iptables rules
On 01/08/2014 01:43 PM, ZeroUno wrote:
> Hi,
> I'm using libvirt to manage some VMs on a CentOS host, and I need some
> custom iptables rules to always be in place for some communications to
> happen, e.g. between the VMs and the outside world in both directions.
>
> Some of these rules need to be at the top of the iptables chain,
> otherwise the default rules added by libvirt would block the
> communications I need.
> So I cannot just add the rules in /etc/sysconfig/iptables, because
> libvirt adds its own rules _before_ the rules contained in this config
> file.
>
> I was looking at filters, but maybe not every rule can be made into a
> filter?
> Specifically, I need a rule for the POSTROUTING chain in the "nat"
> table. Can it be added through filters?

Correct. nwfilter can't add rules to the nat table.

> Also, regarding the "iptables restart problem" described in the last
> paragraph at <http://libvirt.org/firewall.html>, is there really no
> acceptable way to make libvirt add its rules back automatically upon
> iptables/network restart?

Take a look at this, it may help you:

http://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections

(Recently libvirt gained the ability for an application to register
functions that will be called when a network is
defined/undefined/started/stopped, but using that would require an
application to be running which registered the necessary callback
functions; not nearly as simple as stuffing a shell script into
/etc/libvirt/hooks (should we do that? Or are the shell script hooks
considered passe with the advent of event callbacks?))
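A hook of the kind Laine refers to, as an added example that is not part of this thread or of the libvirt wiki page: a hypothetical /etc/libvirt/hooks/qemu that re-inserts the poster's nat/POSTROUTING rule at the head of the chain each time a guest starts, so it stays ahead of the rules libvirt adds. The guest name, subnet, uplink interface and SNAT address are assumed values, and the DRY_RUN switch exists only so the logic can be exercised without touching a live firewall.

```shell
#!/bin/sh
# Hypothetical /etc/libvirt/hooks/qemu (added example, not from the thread or
# the libvirt wiki). libvirt runs it as:  qemu <guest> <operation> <sub-op> -
# with the guest XML on stdin. When the chosen guest starts, the custom
# nat/POSTROUTING rule is (re)inserted at position 1, ahead of anything
# libvirt itself put in the chain; it is removed when the guest stops.
# Assumed values (constructed): guest "vm1", libvirt subnet 192.168.122.0/24,
# uplink eth0, SNAT to the documentation address 203.0.113.10.
GUEST_WANTED="${GUEST_WANTED:-vm1}"
SUBNET="192.168.122.0/24"
OUT_IF="eth0"
SNAT_TO="203.0.113.10"

# With DRY_RUN set, print commands instead of running them (no root needed)
# and report every "-C" probe as "rule not present".
ipt() {
    if [ -n "$DRY_RUN" ]; then
        case " $* " in
            *" -C "*) return 1 ;;
            *) echo "iptables $*"; return 0 ;;
        esac
    fi
    iptables "$@"
}

# Rule body shared by the check (-C), insert (-I) and delete (-D) forms.
rule_spec() { printf '%s\n' "-s $SUBNET -o $OUT_IF -j SNAT --to-source $SNAT_TO"; }

ensure_rule() {
    # Probe first so repeated "started" events never stack duplicate rules.
    ipt -t nat -C POSTROUTING $(rule_spec) 2>/dev/null \
        || ipt -t nat -I POSTROUTING $(rule_spec)
}

remove_rule() { ipt -t nat -D POSTROUTING $(rule_spec) 2>/dev/null || true; }

# $1 = guest name, $2 = operation (prepare/start/started/stopped/release, ...)
hook_action() {
    [ "$1" = "$GUEST_WANTED" ] || return 0
    case "$2" in
        started) ensure_rule ;;
        stopped) remove_rule ;;
        *) return 0 ;;
    esac
}

hook_action "$@"
```

Because the hook only fires on libvirt events, the rule still disappears on a plain iptables/network restart until the next guest start; it does not solve the restart problem on its own.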
On 08/01/14 16:17, Laine Stump wrote:
> On 01/08/2014 01:43 PM, ZeroUno wrote:
>> Also, regarding the "iptables restart problem" described in the last
>> paragraph at <http://libvirt.org/firewall.html>, is there really no
>> acceptable way to make libvirt add its rules back automatically upon
>> iptables/network restart?
>
> Take a look at this, it may help you:
>
> http://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections

Uhm, apart from the fact that the page clearly states this is a "hack", so it's far from being a best practice (although surely easy and interesting!), AFAICT this might help with adding rules to the NAT table, which was the first part of my question, but does not help with the network restart issue because hook scripts are only called upon libvirt events: libvirt daemon start/stop, guest start/stop...
Did I understand correctly?

> (Recently libvirt gained the ability for an application to register
> functions that will be called when a network is
> defined/undefined/started/stopped, but using that would require an
> application to be running which registered the necessary callback
> functions; not nearly as simple as stuffing a shell script into

Indeed, looks like this would be overkill for my needs.

Thank you!

--
01