On Thu, Mar 27, 2008 at 03:35:54PM -0500, Charles Duffy wrote:
> Daniel P. Berrange wrote:
> >Instead of having the separate ACCEPT rule I think it would be sufficient
> >to replace the 0.0.0.0/0 target with ! 192.168.65.0/24, eg
> >
> >iptables -t nat -A POSTROUTING
> >    --source 192.168.65.0/24
> >    --destination ! 192.168.65.0/24
> >    -j MASQUERADE
> >
> >so it will masquerade traffic which is leaving the ip range of the virtual
> >network only, and leave ip traffic between the VMs & VM<->host alone.
>
> I considered that -- but while it will work as long as the default
> forward rule is ACCEPT, it could result in hosts being unable to
> communicate with each other if the default rule for the table is otherwise.

The default rule shouldn't come into play, because we add explicit rules
to allow direct guest<->guest and guest<->host traffic already

    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0

Regards,
Dan.
-- 
|: Red Hat, Engineering, Boston   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
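To see why the FORWARD policy does not affect guest traffic once the three explicit ACCEPT rules are in place, here is an added example that models the two chains discussed above. It is not code from the thread or from libvirt: rule matching is simplified to first-match-wins, the conntrack `state RELATED,ESTABLISHED` match is reduced to an `established` flag on the packet, the proposed `--destination !` MASQUERADE rule is modelled against the 192.168.122.0/24 network of the printout rather than the 192.168.65.0/24 of the quoted proposal, and the uplink name `eth0` and the sample addresses are constructed for the demonstration.

```python
"""Model of the iptables FORWARD and nat/POSTROUTING rules quoted in the
thread.  Added example, not libvirt code: first-match-wins semantics, the
conntrack 'state' match reduced to an 'established' flag, and the uplink
'eth0' plus the sample addresses (192.168.122.10/11, 198.51.100.7,
203.0.113.5) constructed for the demonstration."""

import ipaddress
from dataclasses import dataclass

VIRTNET = ipaddress.ip_network("192.168.122.0/24")   # network in the printout
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Packet:
    src: str
    dst: str
    in_if: str                  # interface the packet arrived on
    out_if: str                 # interface routing chose for it
    established: bool = False   # conntrack knows this flow already


@dataclass
class Rule:
    target: str
    in_if: str = "*"
    out_if: str = "*"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    dst_negated: bool = False           # models '--destination ! <net>'
    related_established: bool = False   # models 'state RELATED,ESTABLISHED'

    def matches(self, p: Packet) -> bool:
        if self.in_if != "*" and p.in_if != self.in_if:
            return False
        if self.out_if != "*" and p.out_if != self.out_if:
            return False
        if ipaddress.ip_address(p.src) not in self.src:
            return False
        # A negated destination matches exactly when the plain one would not.
        if (ipaddress.ip_address(p.dst) in self.dst) == self.dst_negated:
            return False
        if self.related_established and not p.established:
            return False
        return True


def walk_chain(rules, policy, p):
    """First matching rule decides; otherwise the chain policy applies."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy


# The three FORWARD rules from the reply, in 'iptables -L -v -n' order.
FORWARD = [
    Rule("ACCEPT", out_if="virbr0", dst=VIRTNET, related_established=True),
    Rule("ACCEPT", in_if="virbr0", src=VIRTNET),
    Rule("ACCEPT", in_if="virbr0", out_if="virbr0"),
]

# The proposed single POSTROUTING rule: masquerade only traffic leaving the
# virtual network's address range (assumed here to be the /24 above).
POSTROUTING = [Rule("MASQUERADE", src=VIRTNET, dst=VIRTNET, dst_negated=True)]


def classify(p, forward_policy="DROP"):
    """Return (FORWARD verdict, POSTROUTING verdict) for one packet.
    POSTROUTING is only reached for packets that were forwarded."""
    fwd = walk_chain(FORWARD, forward_policy, p)
    nat = walk_chain(POSTROUTING, "ACCEPT", p) if fwd == "ACCEPT" else "-"
    return fwd, nat


# Constructed sample packets covering the cases the thread argues about.
SAMPLE = {
    "guest->internet": Packet("192.168.122.10", "198.51.100.7", "virbr0", "eth0"),
    "guest->guest": Packet("192.168.122.10", "192.168.122.11", "virbr0", "virbr0"),
    "internet->guest (reply)": Packet("198.51.100.7", "192.168.122.10",
                                      "eth0", "virbr0", established=True),
    "internet->guest (unsolicited)": Packet("203.0.113.5", "192.168.122.10",
                                            "eth0", "virbr0"),
}


def verdicts(forward_policy="DROP"):
    return {name: classify(p, forward_policy) for name, p in SAMPLE.items()}


def guest_traffic_independent_of_policy():
    """The reply's claim: guest-originated traffic is decided by the explicit
    rules, so flipping the FORWARD policy changes nothing for it."""
    a, b = verdicts("ACCEPT"), verdicts("DROP")
    return all(a[k] == b[k] for k in SAMPLE if k.startswith("guest"))


if __name__ == "__main__":
    for policy in ("ACCEPT", "DROP"):
        print(f"FORWARD policy {policy}:")
        for name, (fwd, nat) in verdicts(policy).items():
            print(f"  {name:30} FORWARD={fwd:7} POSTROUTING={nat}")
```

Running it shows that guest->internet is forwarded and masqueraded, guest->guest is forwarded without NAT, and neither verdict changes between a FORWARD policy of ACCEPT and DROP; the only packet whose fate depends on the policy is the unsolicited inbound one, which is exactly the case the explicit rules do not cover.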