On Thu, Apr 28, 2011 at 10:41:11AM -0400, Laine Stump wrote:
> On 04/28/2011 09:15 AM, Ireneusz Szcześniak wrote:
> >I would like to reach the VM on a specific port of the host
> >machine. Once the machines are running, I can configure iptables
> >so that the port forwarding works, but after host reboots, other
> >rules are inserted (put in front of my rules), which disable my
> >rules. I guess these rules are put by libvirt, and so I'm writing
> >to this list.
>
> Yes, these rules are put in by libvirt.
>
> The iptables rules added by libvirt for virtual networks are
> intended to fulfill the needs of 95% of users, but are not
> configurable. To do what you want, you'll either need to construct
> your own bridge (rather than relying on libvirt) and do all the
> iptables and routing config outside of libvirt, or you may be able
> to use libvirt execution hooks to add the rules at the appropriate
> time. See: http://www.libvirt.org/hooks.html for details on libvirt
> hook scripts.

> >ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED

If all you need to do is change that one rule to "NEW,RELATED,ESTABLISHED",
iptables has an option to replace a rule. Sorry I don't have the syntax at
my fingertips, but it should be simple enough to modify the rule on system
startup after libvirt has built the initial ruleset, perhaps in rc.local.

Whit
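Laine's pointer to hook scripts is the variant that survives reboots and guest restarts, because libvirt runs the qemu hook after it has installed its own network rules, and runs it again on the "stopped" path so the rules can be removed. The script below is an added example of such a hook and is not part of this thread or of libvirt itself. It assumes the hook lives at /etc/libvirt/hooks/qemu, that clients arrive on an interface named eth0, and that the guests sit on libvirt's default virbr0 network; the guest table (the `web` and `jumpbox` entries) is constructed for illustration. The `IPTABLES` variable exists only so the script can be dry-run with `IPTABLES=echo` without root:

```shell
#!/bin/sh
# Example libvirt qemu hook (assumed path: /etc/libvirt/hooks/qemu).
# libvirt invokes it as:  qemu <guest_name> <operation> <sub-operation> -
# with the guest's domain XML on stdin (not needed here).
#
# It forwards a host port to a guest behind libvirt's NAT network by
# inserting a DNAT rule plus a FORWARD rule for NEW connections in front
# of libvirt's own rules (libvirt's FORWARD rule toward the guest subnet
# only accepts RELATED,ESTABLISHED, so NEW inbound connections are
# otherwise rejected).

IPTABLES="${IPTABLES:-iptables}"   # overridable for dry runs (IPTABLES=echo)
WAN_IF="${WAN_IF:-eth0}"           # assumed interface the clients come in on
VIRBR="${VIRBR:-virbr0}"           # bridge of libvirt's default network

# Constructed mapping, one guest per line:
#   guest_name  guest_ip        host_port  guest_port
FORWARDS='
web     192.168.122.10  8080  80
jumpbox 192.168.122.11  2222  22
'

# rule <add|del> <guest_ip> <host_port> <guest_port>
# -I puts our rules ahead of libvirt's; -D removes the identical rules.
rule() {
    case "$1" in
        add) op="-I" ;;
        del) op="-D" ;;
        *) echo "rule: bad op '$1'" >&2; return 1 ;;
    esac
    ip="$2"; hport="$3"; gport="$4"
    # Only rewrite traffic arriving on the external interface, so
    # guest-to-guest and loopback traffic is never redirected.
    "$IPTABLES" -t nat "$op" PREROUTING -i "$WAN_IF" -p tcp --dport "$hport" \
        -j DNAT --to-destination "$ip:$gport"
    # Accept only the NEW connections we just redirected: this guest, this
    # port, from the external interface. Not the whole 192.168.122.0/24.
    "$IPTABLES" "$op" FORWARD -i "$WAN_IF" -o "$VIRBR" -p tcp -d "$ip" \
        --dport "$gport" -m state --state NEW -j ACCEPT
}

# forwards_for <guest_name>: the FORWARDS lines that belong to the guest.
forwards_for() {
    printf '%s\n' "$FORWARDS" | awk -v g="$1" '$1 == g'
}

# apply <add|del> <guest_name>: apply every configured forward for the guest.
# A failing iptables call fails the whole hook; on "start begin" libvirt then
# refuses to start the guest, which is preferable to a half-installed ruleset.
apply() {
    forwards_for "$2" | while read -r name ip hport gport; do
        rule "$1" "$ip" "$hport" "$gport" || exit 1
    done
}

# hook <guest_name> <operation> <sub-operation>
# "reconnect" fires when libvirtd restarts and re-attaches to running guests.
hook() {
    case "$2/$3" in
        start/begin|reconnect/begin) apply add "$1" ;;
        stopped/end)                 apply del "$1" ;;
        *) : ;;   # prepare, started, release, migrate, ...: nothing to do
    esac
}

# Dispatch only when invoked by libvirt with its arguments.
if [ "$#" -ge 3 ]; then
    hook "$1" "$2" "$3"
fi
```

Make the file executable and restart libvirtd once after creating it; per the hooks page, a hook added while libvirtd is running is not called until the daemon restarts. Two caveats: if the virtual network itself is restarted later (virsh net-destroy / net-start), libvirt re-inserts its rules at the top of the chains, so the hook's FORWARD rule ends up behind libvirt's REJECT and the guest must be restarted (or the hook re-run) to fix the order; and Whit's alternative of replacing libvirt's rule with `iptables -R FORWARD <rulenum> ... --state NEW,RELATED,ESTABLISHED` works, but it accepts forwarded traffic to every guest and every port on the subnet, whereas the per-guest, per-port rules above expose only the one service you meant to publish.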