Re: Confused about bridging, firewall (iptables), and DHCP

Tony Nelson wrote:
> At 1:26 PM -0500 3/13/07, Mikkel L. Ellertson wrote:
> 
>> You would then create whatever firewall rules you wish on
>> your virtual machine using the tap0 interface, just like you would
>> using eth0 if it were a stand-alone machine. You may have to add
>> rules to set the defaults on eth0 to accept in order to purge the
>> old rules.
> 
> Actually, I don't think I'd need any rules at all for the VM, as it should
> be able to do its own firewalling -- and it does, I'm fighting with it now
> (and winning!).
> 
Yes, the VM should have firewall rules based on what it calls tap0.
But you need to make sure that the rules for eth0 on the real machine
accept all packets. If you are bringing up iptables before you are
creating the bridge, then it probably has rules and/or policies for
eth0. It is also possible to add rules for individual interfaces
that make up the bridge, but in this case, you will probably want
the bridge interfaces to accept everything.
> 
>> One thing you could try after the bridge is up is to run "service
>> iptables restart". This might reset the firewall rules to use br0
>> instead of eth0.
> 
> FWIW, I have been doing "iptables --flush" and later "iptables-restore",
> and that doesn't unfilter the tap.  I think, since the output of "iptables
> -vL" says "any" for the interface, that I'd have to make more specific
> rules.  Maybe I'm starting to understand it.

Keep in mind that running "iptables --flush" does not change the
default policy - it just deletes the (user defined) rules. Running
"service iptables stop" will also reset the default policies.

I am not sure, but I suspect that the rules in
/etc/sysconfig/iptables get evaluated differently if the bridge is up.

Mikkel
-- 

  Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
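The two pitfalls discussed above (a flush that leaves a DROP policy in place, and rules bound to eth0 that no longer match once traffic arrives via br0) can be checked from the output of "iptables -vL". This is an added example, not code from the thread; it parses a constructed sample of that output and assumes the interface names eth0, tap0 and br0 used in the discussion.

```python
import re

# Constructed sample of "iptables -vL" output: INPUT keeps a DROP policy,
# an old rule is still bound to eth0, and FORWARD has been flushed but its
# policy is still DROP, so every bridged packet is silently dropped.
SAMPLE = """\
Chain INPUT (policy DROP 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  3200 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:ssh
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 88 packets, 7040 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")


def parse_iptables_vl(text):
    """Return {chain: {"policy": str, "rules": [(target, in_if, out_if), ...]}}.

    Assumes every rule line has a target, so the columns are
    pkts bytes target prot opt in out source destination [match ...].
    """
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        fields = line.split()
        if current is None or not fields or fields[0] == "pkts":
            continue  # skip blank lines and the column header
        target, in_if, out_if = fields[2], fields[5], fields[6]
        chains[current]["rules"].append((target, in_if, out_if))
    return chains


def audit_bridge_firewall(chains, bridge="br0", members=("eth0", "tap0")):
    """Flag chains that drop everything and rules pinned to bridge members."""
    findings = []
    for name, chain in chains.items():
        if chain["policy"] in ("DROP", "REJECT") and not chain["rules"]:
            findings.append(f"{name}: policy {chain['policy']} with no rules, "
                            "a flush alone does not reset this")
        for target, in_if, out_if in chain["rules"]:
            if in_if in members or out_if in members:
                findings.append(f"{name}: {target} rule matches {in_if}/{out_if}, "
                                f"but traffic now arrives on {bridge}")
    return findings
```

On a live system, feed it `subprocess.check_output(["iptables", "-vL"], text=True)` instead of SAMPLE; the audit only reads rules and changes nothing.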
