On Thu, Oct 8, 2009 at 3:32 PM, Pavel Lisy <pali@xxxxxxxx> wrote:
> Hello
>
> I've started playing with libvirt and I have a question.
>
> What is the proper way to make a guest accessible from the net?
>
> I have mode=nat in /var/lib/libvirt/network/default.xml.
>
> libvirtd makes these rules in the FORWARD chain:
>
> -A FORWARD -d 192.168.231.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -s 192.168.231.0/24 -i virbr0 -j ACCEPT
> -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
> -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>
> If I add
> iptables -I FORWARD -i eth0 -o virbr0 -j ACCEPT
> the guests are accessible.
>
> My question is:
> Is it possible to write this somewhere in the configuration?
>
> I've tried to put it in /etc/sysconfig/iptables, but libvirtd puts its
> rules before mine.
>
> I've found two directories:
> /var/lib/libvirt/iptables/filter
> /var/lib/libvirt/iptables/nat

I was hoping someone with more experience would help you on this issue.

It is better to write your own rules than to mess with these files
(/var/lib/libvirt).

The default network mode of libvirt is a private network behind NAT. The
guests are provided an IP address via DHCP. If you want a guest to be
accessible from the Internet, then you will have to configure a static IP
in your guest; ensure that you give it an IP in the 192.168.231.0/24 range.
Then you will have to set up DNAT iptables rules.

AFAIK, to prevent libvirt from overriding your rules, you should be using
"-I" (INSERT) instead of "-A" (APPEND). Put your rules in the file
/etc/sysconfig/iptables.

This is the theory. I *do not* use libvirt. I use VDE for my networking
with command line KVM.

HTH,
Didar

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
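An added example, not from this thread or from libvirt: a small Python model of iptables first-match evaluation over the FORWARD chain quoted above, showing why an ACCEPT rule for eth0 -> virbr0 added with -A (append) lands behind libvirt's catch-all REJECT and never fires, while the same rule added with -I (insert) does. The test packet, the hypothetical guest address and the chain policy are assumptions.

```python
import ipaddress
import shlex

# Constructed sample: the FORWARD chain libvirt created for the NAT network
# in the thread, in iptables-save form and in the order it appears there.
LIBVIRT_FORWARD = """
-A FORWARD -d 192.168.231.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.231.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
""".strip().splitlines()

# Hypothetical new connection from the Internet to a guest at 192.168.231.10
# (after PREROUTING DNAT, which this model does not simulate).
INBOUND = {"in": "eth0", "out": "virbr0", "src": "203.0.113.5",
           "dst": "192.168.231.10", "state": "NEW"}

def parse_rule(line):
    """Keep only the matches this model understands: -i, -o, -s, -d, --state, -j."""
    toks, rule, i = shlex.split(line), {}, 0
    while i < len(toks):
        if toks[i] in ("-i", "-o", "-s", "-d", "-j", "--state"):
            rule[toks[i]] = toks[i + 1]
            i += 2
        else:  # -A/-I FORWARD, position numbers, -m state, --reject-with ...
            i += 1
    return rule

def matches(rule, pkt):
    """Every match present in the rule must hold for the packet."""
    if "-i" in rule and pkt["in"] != rule["-i"]:
        return False
    if "-o" in rule and pkt["out"] != rule["-o"]:
        return False
    for flag, key in (("-s", "src"), ("-d", "dst")):
        if flag in rule and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[flag]):
            return False
    return "--state" not in rule or pkt["state"] in rule["--state"].split(",")

def verdict(chain_lines, pkt, policy="ACCEPT"):
    """First matching rule wins, as in iptables; 'policy' is the assumed chain policy."""
    for line in chain_lines:
        rule = parse_rule(line)
        if matches(rule, pkt):
            return rule["-j"]
    return policy

def add_rule(chain_lines, line):
    """Apply an '-A FORWARD ...' (append) or '-I FORWARD [pos] ...' (insert) command."""
    toks = shlex.split(line)
    if toks[0] == "-A":
        return chain_lines + [line]
    pos = int(toks[2]) if toks[2].isdigit() else 1
    return chain_lines[:pos - 1] + [line] + chain_lines[pos - 1:]
```

The inserted rule accepts every forwarded packet from eth0 into virbr0; in practice pair it with the PREROUTING DNAT rule and restrict it with -p/--dport to the service being published.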