(sorry, Daniel... I had only answered you instead of copying the list also)

Daniel P. Berrange wrote on 01/04/09 09:41:
> On Tue, Mar 31, 2009 at 04:08:24PM -0300, Mariano Absatz wrote:
>
>> At first I used the 'default' network (with a different rfc1918
>> network)... everything was kinda working until I rebooted the host... at
>> that point I lost connectivity between the outside world and the VMs.
>> From inside the host I had no trouble connecting to the VMs.
>>
>> If I restarted shorewall (which actually cleans all iptables rules and
>> regenerates them according to its configuration) everything works fine.
>> After sending a report and some debugging in the shorewall mailing list,
>> it was clear that libvirt was adding rules to iptables.
>>
>
> Yes, the libvirt virtual network capability adds iptables to control
> traffic to/from the virtual network.
>
>
>> After reading a bit
>> (http://libvirt.org/formatnetwork.html#examplesPrivate) I created a new
>> network called "isolated". I stopped default (and disabled its
>> autostart), and defined and started isolated.
>>
>> This is the content of isolated.xml:
>>
>> <network>
>>   <name>isolated</name>
>>   <uuid>51cffbcc-88f5-4edc-a81c-1765c1045691</uuid>
>>   <bridge name='virbr%d' stp='on' forwardDelay='0' />
>>   <ip address='10.3.14.1' netmask='255.255.255.0'>
>>     <dhcp>
>>       <range start='10.3.14.128' end='10.3.14.254' />
>>     </dhcp>
>>   </ip>
>> </network>
>>
>> I modified my VMs to use isolated rather than default, but rules keep
>> being added to iptables when libvirt-bin is started.
>>
>> Is there a way to convince libvirt not to add these rules?
>>
>
> No, libvirt needs to add the rules here because otherwise the guest
> virtual network would not be guaranteed to be isolated from the host
> network.
>
> If this is a problem, then the best bet is to not use the virtual
> network capability. Instead create a bridge device yourself using
> distro network scripts, and do whatever routing/firewalling setup
> you need for shorewall to work
>
> Daniel
>

I see.. so I can't just ask libvirt to create the bridge for me and not
touch iptables rules... I chose "isolated" just hoping that would be the
way of preventing the addition of iptables rules...

The problem at this time is that the rules I see libvirt adds are
conflicting with my rules (since they are inserted at the top of INPUT and
FORWARD before mine):

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  vnet0  vnet0   0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      vnet0   0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Well... for the time being, I think I'll add a "shorewall restart" at the
end of rc.local which will kill these rules and leave only the ones that
shorewall generates...

--
Mariano Absatz - "El Baby"
el.baby@xxxxxxxxx
www.clueless.com.ar
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Light travels faster than sound.
This is why some people appear bright until you hear them speak.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
* TagZilla 0.066 * http://tagzilla.mozdev.org

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
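As an added example, separate from the mail thread and not code from libvirt or shorewall: the ordering problem Mariano describes (libvirt's rules for the guest interface land at the top of INPUT and FORWARD, ahead of the firewall's own) can be checked mechanically by parsing `iptables -L -n -v` output and noting, per chain, where the rules bound to a given interface sit relative to the rest. The listings below are constructed from the one quoted in the mail; the `MY_RULES` target is a placeholder standing in for the host firewall's own rule, not a chain that shorewall creates, and the "after reload" listing is a constructed ordering for the negative case, not a capture of what shorewall produces.

```shell
#!/bin/sh
# Added example: locate rules bound to a libvirt guest interface (vnet0, or a
# virbrN bridge) in each chain of `iptables -L -n -v` output, so a host admin
# can tell whether they are evaluated before the firewall's own rules.

# Constructed listing modelled on the one in the mail.  MY_RULES is a
# placeholder target for the admin's own ruleset, not a real shorewall chain.
SAMPLE_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
    0     0 MY_RULES   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  vnet0  vnet0   0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      vnet0   0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 MY_RULES   all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Constructed ordering for the negative case: the admin's rule comes first.
SAMPLE_LISTING_AFTER_RELOAD='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MY_RULES   all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           udp dpt:53

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MY_RULES   all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable'

# Read a listing on stdin and print one line per chain:
#   <chain> <rules bound to IFACE> <pos of first such rule> <pos of first other rule>
# Positions are 1-based rule numbers within the chain; 0 means "none".
# In `iptables -L -n -v` output the in/out interface columns are fields 6 and 7.
iface_rule_positions() {
    awk -v iface="$1" '
        function emit() { if (chain != "") print chain, n, first_if, first_other }
        /^Chain /  { emit(); chain = $2; pos = 0; n = 0; first_if = 0; first_other = 0; next }
        /^ *pkts/  { next }          # column header line
        NF < 7     { next }          # blank separator lines
        {
            pos++
            if ($6 == iface || $7 == iface) {
                n++
                if (first_if == 0) first_if = pos
            } else if (first_other == 0) {
                first_other = pos
            }
        }
        END { emit() }
    '
}

# Exit 0 when, in at least one chain, a rule bound to IFACE sits ahead of a
# rule that is not: the situation the mail describes.
iface_rules_inserted_first() {
    iface_rule_positions "$1" |
        awk '$3 > 0 && $4 > 0 && $3 < $4 { found = 1 } END { exit (found ? 0 : 1) }'
}

# Wrappers over the constructed listings.
report_before_reload() { printf '%s\n' "$SAMPLE_LISTING" | iface_rule_positions vnet0; }
report_after_reload()  { printf '%s\n' "$SAMPLE_LISTING_AFTER_RELOAD" | iface_rule_positions vnet0; }

# Stand-alone run.  On a real host, pipe `iptables -L -n -v` into
# iface_rule_positions with the vnet or virbr interface name instead.
echo "before reload:"; report_before_reload
echo "after reload:";  report_after_reload
if printf '%s\n' "$SAMPLE_LISTING" | iface_rules_inserted_first vnet0; then
    echo "vnet0 rules precede the host's own rules in at least one chain"
fi
```

Run against the first listing the report reads `INPUT 4 1 5` and `FORWARD 3 1 4`: four vnet0 rules at positions 1 to 4 of INPUT before the first foreign rule at 5, and three in FORWARD before position 4, which is exactly the ordering the mail complains about. A check like this, run from the same place the `shorewall restart` is scheduled, confirms whether the reload actually put the host's rules ahead of libvirt's rather than assuming it did.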