Omer Aldemir
2016-Dec-22 14:48 UTC
[libvirt-users] Default firewall rules and forwarding to a guest
Hello, I am trying to understand how libvirt firewall rules are loaded as I have firewalld and iptables services are disabled. Where is the configuration files for firewall and NAT rules for libvirt? How can I load default firewall rules if I mess things up Also I have realized that followings is default ACCEPT all -- 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED but If I am to forward a port for a real IP to internal guest machine I need ACCEPT all -- 0.0.0.0/0 192.168.122.0/24 state NEW,RELATED,ESTABLISHED (NEW state is required) and also of course a forwarding rule iptables -t nat -I PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 192.168.122.16:3389 Is there a place I can make this rules static with LibVirt (not playing with firewalld and/or iptables service for Centos 7) Regards.
Laine Stump
2017-Jan-03 22:06 UTC
[libvirt-users] Default firewall rules and forwarding to a guest
On 12/22/2016 09:48 AM, Omer Aldemir wrote:> > Hello, > > > I am trying to understand how libvirt firewall rules are loaded as I > have firewalld and iptables services are disabled. >libvirt will add its iptables rules via firewalld if firewalld is enabled and running, otherwise it executes iptables commands directly. w> > > Where is the configuration files for firewall and NAT rules for libvirt? >There are no configuration files for the iptables rules that libvirt adds. The simple set of rules that is added is fixed for each type of libvirt network - NAT, routed, and isolated. Here is a description of exactly what is added for each of these types of network: https://libvirt.org/firewall.html (actually I just realized that I forgot to add information there about a new network forwarding type I recently added - "open", which doesn't add *any* iptables rules - this is intended for those who want to do their own iptables setup for libvirt networks, outside of libvirt.)> How can I load default firewall rules if I mess things up >To reload all the iptables rules for all active libvirt networks, just restart the libvirtd service.> > Also I have realized that followings is default > > > ACCEPT all -- 0.0.0.0/0 192.168.122.0/24 ctstate > RELATED,ESTABLISHED > > > but If I am to forward a port for a real IP to internal guest > machine I need > > > ACCEPT all -- 0.0.0.0/0 192.168.122.0/24 state > NEW,RELATED,ESTABLISHED > > > (NEW state is required) and also of course a forwarding rule > > > iptables -t nat -I PREROUTING -p tcp --dport 3389 -j DNAT > --to-destination 192.168.122.16:3389 > > > Is there a place I can make this rules static with LibVirt (not > playing with firewalld and/or iptables service for Centos 7) >The best that can be done with current libvirt is to create a "hook" script similar to the one described here: https://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections (That worked the last time I tried it, but that was at least 3 years ago. The python script available as a link from that page is newer and promises to be easier to understand (maybe)) -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://listman.redhat.com/archives/libvirt-users/attachments/20170103/34304bbd/attachment.htm>
Omer Aldemir
2017-Jan-03 23:44 UTC
Re: [libvirt-users] Default firewall rules and forwarding to a guest
Thanks for the answers i think open network type is not available yet on the version that comes with rhel7 On 3 Jan 2017, at 22:06, Laine Stump <laine@laine.org<mailto:laine@laine.org>> wrote: On 12/22/2016 09:48 AM, Omer Aldemir wrote: Hello, I am trying to understand how libvirt firewall rules are loaded as I have firewalld and iptables services are disabled. libvirt will add its iptables rules via firewalld if firewalld is enabled and running, otherwise it executes iptables commands directly. w Where is the configuration files for firewall and NAT rules for libvirt? There are no configuration files for the iptables rules that libvirt adds. The simple set of rules that is added is fixed for each type of libvirt network - NAT, routed, and isolated. Here is a description of exactly what is added for each of these types of network: https://libvirt.org/firewall.html (actually I just realized that I forgot to add information there about a new network forwarding type I recently added - "open", which doesn't add *any* iptables rules - this is intended for those who want to do their own iptables setup for libvirt networks, outside of libvirt.) How can I load default firewall rules if I mess things up To reload all the iptables rules for all active libvirt networks, just restart the libvirtd service. Also I have realized that followings is default ACCEPT all -- 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED but If I am to forward a port for a real IP to internal guest machine I need ACCEPT all -- 0.0.0.0/0 192.168.122.0/24 state NEW,RELATED,ESTABLISHED (NEW state is required) and also of course a forwarding rule iptables -t nat -I PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 192.168.122.16:3389 Is there a place I can make this rules static with LibVirt (not playing with firewalld and/or iptables service for Centos 7) The best that can be done with current libvirt is to create a "hook" script similar to the one described here: https://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections (That worked the last time I tried it, but that was at least 3 years ago. The python script available as a link from that page is newer and promises to be easier to understand (maybe))
Possibly Parallel Threads
- Default firewall rules and forwarding to a guest
- Re: Best practice for custom iptables rules
- guest A from virbr0 can talk to guest B in virbr1 but not vice versa
- Re: guest A from virbr0 can talk to guest B in virbr1 but not vice versa
- Re: Best practice for custom iptables rules