Displaying 20 results from an estimated 10000 matches similar to: "Best practice for custom iptables rules"
2014 Jan 09
5
Re: Best practice for custom iptables rules
On 08/01/14 16:17, Laine Stump wrote:
> On 01/08/2014 01:43 PM, ZeroUno wrote:
>> Also, regarding the "iptables restart problem" described in the last
>> paragraph at <http://libvirt.org/firewall.html>, is there really no
>> acceptable way to make libvirt add its rules back automatically upon
>> iptables/network restart?
>
> Take a look at
2014 Jan 08
0
Re: Best practice for custom iptables rules
On 01/08/2014 01:43 PM, ZeroUno wrote:
> Hi,
> I'm using libvirt to manage some VMs on a CentOS host, and I need some
> custom iptables rules to always be in place for some communications to
> happen, e.g. between the VMs and the outside world in both directions.
>
> Some of these rules need to be at the top of the iptables chain,
> otherwise the default rules added by
2014 Jan 09
0
Re: Best practice for custom iptables rules
On 01/09/2014 12:38 PM, ZeroUno wrote:
> On 08/01/14 16:17, Laine Stump wrote:
>
>> On 01/08/2014 01:43 PM, ZeroUno wrote:
>>> Also, regarding the "iptables restart problem" described in the last
>>> paragraph at <http://libvirt.org/firewall.html>, is there really no
>>> acceptable way to make libvirt add its rules back automatically upon
2014 Jan 09
0
Re: Best practice for custom iptables rules
On 09/01/14 11:38, ZeroUno wrote:
> On 08/01/14 16:17, Laine Stump wrote:
>> http://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections
>
> interesting!), AFAICT this might help with adding rules to the NAT
> table, which was the first part of my question, but does not help with
...also, it appears that the hook script /etc/libvirt/hooks/daemon to be
2014 Jan 10
2
Re: Best practice for custom iptables rules
On 09/01/14 13:40, Laine Stump wrote:
> you asked for "best", not "ideal" :-) Aside from eliminating all use of
;)
> solve by itself. But that same paragraph also tells you how to have the
> iptables service signal libvirt to reload its iptables rules.
Sorry, what do you mean? I'm not able to find such an indication in that
page...
--
01
2014 Jan 13
0
Re: Best practice for custom iptables rules
On 01/10/2014 06:02 PM, ZeroUno wrote:
> On 09/01/14 13:40, Laine Stump wrote:
>
>> you asked for "best", not "ideal" :-) Aside from eliminating all use of
>
> ;)
>
>> solve by itself. But that same paragraph also tells you how to have the
>> iptables service signal libvirt to reload its iptables rules.
>
> Sorry, what do you mean?
2014 Jan 13
2
Re: Best practice for custom iptables rules
> ...also, it appears that the hook script /etc/libvirt/hooks/daemon to be
> called when the libvirt daemon is started is actually called _before_
> libvirt adds its own iptables rules, because I am not able to insert my
> custom rule at the top of the chain.
>
how about this daemon hook script?
#!/bin/bash
#
insert_rule() {
sleep 2
iptables -t nat -D CUSTOM_RULE
2014 Jan 13
0
Re: Best practice for custom iptables rules
On 13/01/14 04:06, Gao Yongwei wrote:
> how about this daemon hook script?
>
> #!/bin/bash
> #
> insert_rule() {
> sleep 2
> iptables -t nat -D CUSTOM_RULE
> iptables -t nat -I CUSTOM_RULE
> }
[...]
Thanks, I already tried inserting a delay with "sleep" but it didn't
change anything, as the hook script is not processed in parallel
2014 Jan 13
1
Re: Best practice for custom iptables rules
> Thanks, I already tried inserting a delay with "sleep" but it didn't
> change anything, as the hook script is not processed in parallel with other
> operations: libvirt waits until the hook script has been completed, before
> proceeding with the creation of its own iptables rules.
plz take a closer look at my script, and have a real try with it.
2016 Jan 11
3
Networking with qemu/kvm+libvirt
I have some questions regarding the way that networking is handled via
qemu/kvm+libvirt -- my apologies in advance if this is not the proper
mailing list for such a question.
I am trying to determine how exactly I can manipulate traffic from
a _guest's_ NIC using iptables on the _host_. On the host, there is a
bridged virtual NIC that corresponds to the guest's NIC. That interface
2016 Feb 05
4
Samba 3.2 and Windows 10
On 05/02/16 14:41, Helmut Hullen wrote:
>> is: if a client is upgraded to Windows 10, will it still work with
>> that old Samba version?
>
> May be - Samba 3.6 does the job.
Hi, you mean that 3.2 will not talk to Windows 10, no way?
Unfortunately the latest Samba version for Debian Lenny is 3.2.15 AFAIK.
--
01
2016 Feb 08
2
Re: Networking with qemu/kvm+libvirt
On 01/11/2016 3:05 pm, Laine Stump wrote:
> On 01/11/2016 02:25 PM, Andre Goree wrote:
>>
>> I have some questions regarding the way that networking is handled via
>> qemu/kvm+libvirt -- my apologies in advance if this is not the proper
>> mailing list for such a question.
>>
>>
>> I am trying to determine how exactly I can manipulate traffic from
2019 May 31
2
Easy solution for custom firewall rules- is it possible?
Hello All-
I've looked in several places and haven't found an answer to this
question: is it possible to have libvirt add custom rules to iptables
for virtual network interfaces? I took a look at the "Firewall and
Network Filtering in Libvirt" page and it seems overly complicated for
what I want to do.
Given an interface virbr2 and its network 192.168.4.0/24, libvirt
installs
2019 Jun 03
1
Easy solution for custom firewall rules-
Nakta wrote:
> libvirts nwfilter module can achieve that.
I read over those resources and I did what I thought would be correct,
but it's not having any effect.
I created a new nwfilter like this:
<filter name='allow-virbr2-vpn' chain='ipv4' priority='-700'>
<rule action='accept' direction='in' priority='500'>
<all
2016 Dec 22
2
Default firewall rules and forwarding to a guest
Hello,
I am trying to understand how libvirt firewall rules are loaded, as I have the firewalld and iptables services disabled.
Where are the configuration files for the firewall and NAT rules for libvirt?
How can I load the default firewall rules if I mess things up?
Also I have realized that the following is the default:
ACCEPT all -- 0.0.0.0/0 192.168.122.0/24 ctstate
2016 Jun 29
0
[CENTOS ]IPTABLES - How Secure & Best Practice
On 06/29/2016 03:00 AM, Leon Vergottini wrote:
> #!/bin/bash
>
> # RESET CURRENT RULE BASE
> iptables -F
> service iptables save
Why would you save the existing rule set? This script throws it away
later, when it runs save again.
> # MOST COMMON ATTACKS
> iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
> iptables -A INPUT -p tcp ! --syn -m state --state NEW -j
2016 Jun 30
1
[CENTOS ]IPTABLES - How Secure & Best Practice
On Wed, 2016-06-29 at 10:49 -0700, Gordon Messmer wrote:
> On 06/29/2016 03:00 AM, Leon Vergottini wrote:
> > #!/bin/bash
> >
> > # RESET CURRENT RULE BASE
> > iptables -F
> > service iptables save
> Why would you save the existing rule set? This script throws it away
> later, when it runs save again.
He flushes all the tables, then saves an empty
2016 Jun 29
0
[CENTOS ]IPTABLES - How Secure & Best Practice
On 29.06.2016 12:00, Leon Vergottini wrote:
> Dear Members
>
> I hope you are all doing well.
>
> I am busy teaching myself iptables and was wondering if I may get some
> advice. The scenario is the following:
>
>
> 1. Default policy is to block all traffic
> 2. Allow web traffic and SSH
> 3. Allow other applications
>
> I have come up with the
2016 Jul 01
0
[CENTOS ]IPTABLES - How Secure & Best Practice
On 30/06/16 23:19, Mike wrote:
> Ned,
>
> Thank you very much for the response.
> Great example following through on the premise.
> It sounds like I need to have a better understanding of the traffic
> patterns on my network to know the optimal order for iptables
> filtering rules.
>
Try running:
iptables -nv -L
which will show you in the left hand column a counter for
2016 Jun 30
0
[CENTOS ]IPTABLES - How Secure & Best Practice
On 30/06/16 18:49, Mike wrote:
> On Wed, Jun 29, 2016 at 1:49 PM, Gordon Messmer
> <gordon.messmer at gmail.com> wrote:
>>
>> By putting these rules first, before the "ESTABLISHED,RELATED" rule, you're
>> applying additional processing (CPU time) to the vast majority of your
>> packets for no reason. The "E,R" rule should be first. It