On Sat, Oct 10, 2009 at 2:26 PM, Didar Hossain <didar.hossain@xxxxxxxxx> wrote:
> On Thu, Oct 8, 2009 at 3:32 PM, Pavel Lisy <pali@xxxxxxxx> wrote:
>> Hello
>>
>> I've started playing with libvirt and I have a question.
>>
>> What is the proper way to make a guest accessible from the net?
>>
>> I have mode=nat in /var/lib/libvirt/network/default.xml.
>>
>> libvirtd makes these rules in the FORWARD chain:
>>
>> -A FORWARD -d 192.168.231.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A FORWARD -s 192.168.231.0/24 -i virbr0 -j ACCEPT
>> -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
>> -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
>> -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>>
>> If I add
>> iptables -I FORWARD -i eth0 -o virbr0 -j ACCEPT
>> guests are accessible.
>>
>> My question is:
>> Is it possible to write this somewhere in the configuration?
>>
>> I've tried to put it in /etc/sysconfig/iptables, but libvirtd puts its
>> rules before mine.
>>
>>
>> I've found two directories:
>> /var/lib/libvirt/iptables/filter
>> /var/lib/libvirt/iptables/nat
>
> I was hoping someone with more experience would help you on this issue.
>
> It is better to write your own rules than messing with these files
> (/var/lib/libvirt).
>
> The default network mode of libvirt is a private network behind NAT.
> The guests are provided an IP address via DHCP. If you want a guest to
> be accessible from the Internet then you will have to configure a static
> IP in your guest; ensure that you give an IP in the 192.168.231.0/24
> range.
>
> Then you will have to set up DNAT iptables rules. AFAIK, to prevent
> libvirt from overriding your rules, you should be using "-I" (INSERT)
> instead of "-A" (APPEND). Put your rules in the file
> /etc/sysconfig/iptables
>
> This is the theory. I *do not* use libvirt. I use VDE for my
> networking with command line KVM.
>
> HTH,
> Didar

Forgot to add - you have to "INSERT" the rules in reverse order so that the correct sequence of rules is put in place.

Didar

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
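The two points in this thread (why the inserted `-i eth0 -o virbr0 -j ACCEPT` rule takes effect ahead of libvirt's appended REJECT rules, and why several `-I` rules have to be given in reverse order) come down to netfilter's first-match evaluation of a chain. The following is an added example, not code from the thread or from libvirt: a small Python model of the FORWARD chain that parses the iptables syntax used above, applies `-A` (append to tail) and `-I` (insert at head) in order, and returns the verdict for a constructed packet. The sample packet, the host address 192.168.231.10 and the two user rules are assumptions for the illustration; nothing here touches the real netfilter tables, so it can be run anywhere to check rule ordering before editing /etc/sysconfig/iptables.

```python
"""Model of iptables first-match evaluation for the FORWARD chain.

Added example (not from the mailing list thread): it simulates how
libvirt's rules and a user's inserted rules interact. It does NOT
program the real kernel tables.
"""
import shlex
from ipaddress import ip_address, ip_network

# Rules exactly as libvirtd adds them for the mode=nat "default" network
# (copied from the thread).
LIBVIRT_FORWARD_RULES = [
    "-A FORWARD -d 192.168.231.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A FORWARD -s 192.168.231.0/24 -i virbr0 -j ACCEPT",
    "-A FORWARD -i virbr0 -o virbr0 -j ACCEPT",
    "-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable",
    "-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable",
    "-A FORWARD -j REJECT --reject-with icmp-host-prohibited",
]

# Constructed packet: a NEW connection from the outside world, routed from
# eth0 toward an (assumed) guest at 192.168.231.10 on virbr0.
NEW_FROM_OUTSIDE = {"in": "eth0", "out": "virbr0",
                    "src": "10.0.0.5", "dst": "192.168.231.10", "state": "NEW"}

# Two hypothetical user rules that are only correct in THIS order:
# allow traffic to the one published guest, reject anything else from eth0.
USER_ALLOW_GUEST = "-I FORWARD -i eth0 -o virbr0 -d 192.168.231.10 -j ACCEPT"
USER_REJECT_REST = "-I FORWARD -i eth0 -o virbr0 -j REJECT --reject-with icmp-port-unreachable"


def parse_rule(rule_str):
    """Parse the subset of iptables syntax used in the thread into a dict."""
    toks = shlex.split(rule_str)
    rule = {"action": None, "chain": None, "match": {}, "target": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("-A", "-I"):
            rule["action"], rule["chain"] = t, toks[i + 1]
            i += 2
        elif t in ("-i", "-o", "-s", "-d"):
            rule["match"][t] = toks[i + 1]
            i += 2
        elif t == "--state":
            rule["match"]["state"] = set(toks[i + 1].split(","))
            i += 2
        elif t == "-j":
            rule["target"] = toks[i + 1]
            i += 2
        elif t in ("-m", "--reject-with"):
            i += 2  # module name / reject type: irrelevant to matching here
        else:
            raise ValueError(f"unsupported token {t!r}")
    return rule


def matches(rule, pkt):
    """True if every match criterion of the rule applies to the packet."""
    m = rule["match"]
    if "-i" in m and pkt["in"] != m["-i"]:
        return False
    if "-o" in m and pkt["out"] != m["-o"]:
        return False
    if "-s" in m and ip_address(pkt["src"]) not in ip_network(m["-s"]):
        return False
    if "-d" in m and ip_address(pkt["dst"]) not in ip_network(m["-d"]):
        return False
    if "state" in m and pkt["state"] not in m["state"]:
        return False
    return True


def apply_rules(chain, rule_strs):
    """Apply -A (append at tail) / -I (insert at head) rules to the chain list, in order."""
    for rs in rule_strs:
        r = parse_rule(rs)
        if r["action"] == "-A":
            chain.append(r)
        else:
            chain.insert(0, r)  # -I with no index inserts at position 1
    return chain


def verdict(chain, pkt):
    """First matching rule decides, as in netfilter; fall through to the policy (ACCEPT assumed)."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return "ACCEPT"


def verdict_after(user_rules, pkt=NEW_FROM_OUTSIDE):
    """Verdict for pkt once libvirt's rules and then the user's rules have been loaded."""
    chain = apply_rules([], LIBVIRT_FORWARD_RULES)
    apply_rules(chain, user_rules)
    return verdict(chain, pkt)


if __name__ == "__main__":
    print("libvirt only:            ", verdict_after([]))                       # REJECT
    print("Pavel's inserted ACCEPT: ", verdict_after(["-I FORWARD -i eth0 -o virbr0 -j ACCEPT"]))
    print("inserted in written order", verdict_after([USER_ALLOW_GUEST, USER_REJECT_REST]))  # REJECT
    print("inserted in reverse order", verdict_after([USER_REJECT_REST, USER_ALLOW_GUEST]))  # ACCEPT
```

With libvirt's rules alone the NEW packet falls through to `-o virbr0 -j REJECT`; one `-I ... ACCEPT` lands ahead of it and wins. Feeding the two user rules to `-I` in the order they are meant to end up in reverses them (the REJECT is inserted last, so it sits first and shadows the ACCEPT), which is the "reverse order" caveat from the follow-up message.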