Chris Lalancette
2008-Aug-11 13:17 UTC
[Ovirt-devel] [PATCH]: Don't reject FORWARD chain on the managed node
Duh. We can't reject everything on the FORWARD chain, since we are basically
forwarding all packets through from the guests. Remove the rule from the
chain completely; we might be able to do better later, but at least things
work this way.

Signed-off-by: Chris Lalancette <clalance at redhat.com>

diff --git a/ovirt-host-creator/common-post.ks b/ovirt-host-creator/common-post.ks
index 37e2f43..a91a0c1 100644
--- a/ovirt-host-creator/common-post.ks
+++ b/ovirt-host-creator/common-post.ks
@@ -31,7 +31,6 @@ cat > /etc/sysconfig/iptables << \EOF
 -A INPUT -p tcp --dport 22 -j ACCEPT
 -A INPUT -p tcp --dport 49152 -j ACCEPT
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
--A FORWARD -j REJECT --reject-with icmp-host-prohibited
 COMMIT
 EOF
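Review bot: Deleting `-A FORWARD -j REJECT --reject-with icmp-host-prohibited` leaves this hunk with no FORWARD rule at all, so what the managed node forwards is decided solely by the chain policy line, which sits above the hunk and is not visible here; if that line is `:FORWARD ACCEPT`, the host forwards any packet between any of its interfaces, not only guest traffic crossing the bridge. A replacement that keeps the intent of the removed rule while letting the guests through is the physdev match Mark proposes in his reply, `-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-admin-prohibited`, in place of the plain deletion. Whichever way this goes in, the commit message should state which policy the FORWARD chain is left with, since "we might be able to do better later" does not tell a later reader that forwarding on the node is now unrestricted.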
Steve Linabery
2008-Aug-11 14:47 UTC
[Ovirt-devel] [PATCH]: Don't reject FORWARD chain on the managed node
On Mon, Aug 11, 2008 at 03:17:00PM +0200, Chris Lalancette wrote:
> Duh. We can't reject everything on the FORWARD chain, since we are basically
> forwarding all packets through from the guests. Remove the rule from the
> chain completely; we might be able to do better later, but at least things
> work this way.
>
> Signed-off-by: Chris Lalancette <clalance at redhat.com>
>
> diff --git a/ovirt-host-creator/common-post.ks b/ovirt-host-creator/common-post.ks
> index 37e2f43..a91a0c1 100644
> --- a/ovirt-host-creator/common-post.ks
> +++ b/ovirt-host-creator/common-post.ks
> @@ -31,7 +31,6 @@ cat > /etc/sysconfig/iptables << \EOF
>  -A INPUT -p tcp --dport 22 -j ACCEPT
>  -A INPUT -p tcp --dport 49152 -j ACCEPT
>  -A INPUT -j REJECT --reject-with icmp-host-prohibited
> --A FORWARD -j REJECT --reject-with icmp-host-prohibited
>  COMMIT
>  EOF
>
>
> _______________________________________________
> Ovirt-devel mailing list
> Ovirt-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/ovirt-devel

ACK. Not sure what the better solution is, but I agree that we need to let the guests' packets through :)
Mark McLoughlin
2008-Aug-11 14:47 UTC
[Ovirt-devel] [PATCH]: Don't reject FORWARD chain on the managed node
On Mon, 2008-08-11 at 15:17 +0200, Chris Lalancette wrote:
> Duh. We can't reject everything on the FORWARD chain, since we are basically
> forwarding all packets through from the guests. Remove the rule from the
> chain completely; we might be able to do better later, but at least things
> work this way.
>
> Signed-off-by: Chris Lalancette <clalance at redhat.com>
>
> diff --git a/ovirt-host-creator/common-post.ks b/ovirt-host-creator/common-post.ks
> index 37e2f43..a91a0c1 100644
> --- a/ovirt-host-creator/common-post.ks
> +++ b/ovirt-host-creator/common-post.ks
> @@ -31,7 +31,6 @@ cat > /etc/sysconfig/iptables << \EOF
>  -A INPUT -p tcp --dport 22 -j ACCEPT
>  -A INPUT -p tcp --dport 49152 -j ACCEPT
>  -A INPUT -j REJECT --reject-with icmp-host-prohibited
> --A FORWARD -j REJECT --reject-with icmp-host-prohibited

I'd like the default rule in Fedora to be:

  -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-admin-prohibited

see:

  https://bugzilla.redhat.com/221828

That should work here too.

Cheers,
Mark.
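An added example, not the oVirt project's code and not written by any of the posters: a POSIX shell script that emits the managed-node rules file in the iptables-save form the kickstart writes, either as the patch leaves it (no FORWARD rule at all) or with the bridged-only physdev rule from Mark's reply, and a lint that flags a FORWARD chain that has neither a DROP policy nor a rule jumping to REJECT or DROP. The `*filter` header and the `:FORWARD ACCEPT [0:0]` policy line are assumptions, since the hunk in the thread does not show them; the three INPUT rules are the ones the hunk shows. Nothing here calls iptables, so it runs unprivileged on any host with sed and grep.

```shell
#!/bin/sh
# Added example, not oVirt code: write a managed-node iptables rules file
# and lint its FORWARD chain. Run with: sh forward-lint.sh

# write_rules FILE MODE
#   MODE=open     the chain as the patch leaves it: no FORWARD rule at all
#   MODE=physdev  reject only forwarded packets that are not being bridged
# The *filter header and the :FORWARD ACCEPT policy are assumed (the hunk
# in the thread does not show them); the INPUT rules are the ones it shows.
write_rules() {
    file=$1
    mode=$2
    {
        printf '%s\n' '*filter'
        printf '%s\n' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
        printf '%s\n' '-A INPUT -p tcp --dport 22 -j ACCEPT'
        printf '%s\n' '-A INPUT -p tcp --dport 49152 -j ACCEPT'
        printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
        if [ "$mode" = physdev ]; then
            # Guest frames crossing the bridge count as bridged and skip this
            # rule; anything the host would route between interfaces hits it.
            printf '%s\n' '-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-admin-prohibited'
        fi
        printf '%s\n' 'COMMIT'
    } > "$file"
}

# forward_constrained FILE
# Exit 0 when forwarding is constrained: the chain policy is DROP, or some
# FORWARD rule jumps to REJECT or DROP. Exit 1 when the chain is wide open
# (ACCEPT policy and no rejecting rule), which is how the patch leaves it.
forward_constrained() {
    policy=$(sed -n 's/^:FORWARD \([A-Z]*\).*/\1/p' "$1")
    [ "$policy" = DROP ] && return 0
    grep -Eq '^-A FORWARD .*-j (REJECT|DROP)( |$)' "$1"
}

# forward_verdict FILE -> prints "constrained" or "open" for a human reader
forward_verdict() {
    if forward_constrained "$1"; then echo constrained; else echo open; fi
}

# Demo: write both variants to a temp dir and lint each of them.
demo() {
    dir=$(mktemp -d)
    write_rules "$dir/open.rules" open
    write_rules "$dir/physdev.rules" physdev
    printf 'patch as posted : FORWARD chain is %s\n' "$(forward_verdict "$dir/open.rules")"
    printf 'physdev variant : FORWARD chain is %s\n' "$(forward_verdict "$dir/physdev.rules")"
    rm -rf "$dir"
}
demo
```

The lint is deliberately coarse: it only asks whether anything in the FORWARD chain can say no, which is the property the posted patch gives up. Dropping it into the host-creator build as a check on the generated `/etc/sysconfig/iptables` would catch a future edit that again leaves the chain with an ACCEPT policy and no rejecting rule.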