Getting nwfilter to work on Debian Wheezy

Sven Schwedas <sven.schwedas@xxxxxx> · Mon, 08 Jul 2013 16:59:57 +0200

Hi,

I'm trying to configure nwfilter for KVM, but so far I haven't managed
to figure out a working configuration.

Network setup: The dom0 (Debian 7.1, kernel 3.2.46-1, libvirt 0.9.12) is
connected via eth0, part of the external subnet 192.168.17.0/24, and has
an additional subnet 192.168.128.160/28 routed to its main address
192.168.17.125.

The host's subnet is configured as bridge in virsh:
> <network>
>   <name>foo</name>
>   <forward dev='eth0' mode='route'>
>     <interface dev='eth0'/>
>   </forward>
>   <bridge name='foo-br0' stp='off' delay='0' />
>   <ip address='192.168.128.161' netmask='255.255.255.240'>
>   </ip>
> </network>

The domU is configured to use this bridge (static IP configured in DomU):

> <interface type='network'>
>   <source network='foo'/>
>   <target dev='vnet0'/>
>   <model type='virtio'/>
>   <filterref filter='test-eth0'>
>     <parameter name='CTRL_IP_LEARNING' value='none'/>
>     <parameter name='IP' value='192.168.128.162'/>
>   </filterref>
>   <alias name='net0'/>
>   <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
> </interface>

With an empty filter, connectivity is working fine. Now, if I add the
example ruleset suggested in the documentation (
http://libvirt.org/formatnwfilter.html#nwfwriteexample ), *incoming*
ICMP works (but not outgoing), and inbound SSH traffic is blocked,
together with outbound DNS.

The linked rules produce the following iptables chains:

> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination         
> libvirt-host-in  all  --  0.0.0.0/0            0.0.0.0/0           
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination         
> libvirt-in  all  --  0.0.0.0/0            0.0.0.0/0           
> libvirt-out  all  --  0.0.0.0/0            0.0.0.0/0           
> libvirt-in-post  all  --  0.0.0.0/0            0.0.0.0/0           
> ACCEPT     all  --  0.0.0.0/0            192.168.128.160/28  
> ACCEPT     all  --  192.168.128.160/28   0.0.0.0/0           
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
> REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination         
> 
> Chain FI-vnet0 (1 references)
> target     prot opt source               destination         
> RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED ctdir ORIGINAL
> RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:80 state ESTABLISHED ctdir ORIGINAL
> RETURN     icmp --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED ctdir REPLY
> RETURN     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 state NEW,ESTABLISHED ctdir REPLY
> DROP       all  --  0.0.0.0/0            0.0.0.0/0           
> 
> Chain FO-vnet0 (1 references)
> target     prot opt source               destination         
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED ctdir REPLY
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,ESTABLISHED ctdir REPLY
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state ESTABLISHED ctdir ORIGINAL
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53 state ESTABLISHED ctdir ORIGINAL
> DROP       all  --  0.0.0.0/0            0.0.0.0/0           
> 
> Chain HI-vnet0 (1 references)
> target     prot opt source               destination         
> RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED ctdir ORIGINAL
> RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:80 state ESTABLISHED ctdir ORIGINAL
> RETURN     icmp --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED ctdir REPLY
> RETURN     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 state NEW,ESTABLISHED ctdir REPLY
> DROP       all  --  0.0.0.0/0            0.0.0.0/0           
> 
> Chain libvirt-host-in (1 references)
> target     prot opt source               destination         
> HI-vnet0   all  --  0.0.0.0/0            0.0.0.0/0           [goto]  PHYSDEV match --physdev-in vnet0
> 
> Chain libvirt-in (1 references)
> target     prot opt source               destination         
> FI-vnet0   all  --  0.0.0.0/0            0.0.0.0/0           [goto]  PHYSDEV match --physdev-in vnet0
> 
> Chain libvirt-in-post (1 references)
> target     prot opt source               destination         
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vnet0
> 
> Chain libvirt-out (1 references)
> target     prot opt source               destination         
> FO-vnet0   all  --  0.0.0.0/0            0.0.0.0/0           [goto]  PHYSDEV match --physdev-out vnet0

I've tried fidgeting with the configuration (direction inout instead of
in/out, etc.), but I didn't find a setup that works as intended. What am
I missing?
-- 
Mit freundlichen Grüßen, / Best Regards,
Sven SCHWEDAS
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas@xxxxxx | +43 (0)680 301 7167
http://software.tao.at

Attachment:
signature.asc

Description: OpenPGP digital signature
_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users