Re: [PATCH] Re: iptables masquerade rule overexpansive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Mar 27, 2008 at 03:35:54PM -0500, Charles Duffy wrote:
> Daniel P. Berrange wrote:
> >Instead of having the separate ACCEPT rule I think it would be sufficient
> >to replace  the 0.0.0.0/0 target with  ! 192.168.65.0/24, eg
> >
> >iptables -t nat -A POSTROUTING
> >                --source 192.168.65.0/24 
> >                --destination ! 192.168.65.0/24
> >                -j MASQUERADE
> >
> >so it will masquerade traffic which is leaving the ip range of the virtual
> >network only, and leave ip traffic between the VMs & VM<->host alone.
> 
> I considered that -- but while it will work as long as the default 
> forward rule is ACCEPT, it could result in hosts being unable to 
> communicate with each other if the default rule for the table is otherwise.

The default rule shouldn't come into play, because we add explicit rules
to allow direct guest<->guest  and guest<->host traffic already

    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0           
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0           

Regards,
Dan.
-- 
|: Red Hat, Engineering, Boston   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]