Re: Default firewall rules and forwarding to a guest

Laine Stump <laine@xxxxxxxxx> · Tue, 3 Jan 2017 17:06:28 -0500



    On 12/22/2016 09:48 AM, Omer Aldemir
      wrote:

    
        Hello,
        

        I am trying to understand how libvirt firewall rules are
          loaded as I have firewalld and iptables services are disabled.
      
    
    libvirt will add its iptables rules via firewalld if firewalld is
    enabled and running, otherwise it executes iptables commands
    directly.

    
    w

    
        Where is the configuration files for firewall and NAT  rules
          for libvirt?
      
    
    There are no configuration files for the iptables rules that libvirt
    adds. The simple set of rules that is added is fixed for each type
    of libvirt network - NAT, routed, and isolated. Here is a
    description of exactly what is added for each of these types of
    network:

    
       https://libvirt.org/firewall.html

    
    (actually I just realized that I forgot to add information there
    about a new network forwarding type I recently added - "open", which
    doesn't add *any* iptables rules - this is intended for those who
    want to do their own iptables setup for libvirt networks, outside of
    libvirt.)

    
        How can I load default firewall rules if I mess things up
      
    
    To reload all the iptables rules for all active libvirt networks,
    just restart the libvirtd service.

    
        Also I have realized that followings is default 
        

        ACCEPT     all  --  0.0.0.0/0           
            192.168.122.0/24     ctstate RELATED,ESTABLISHED
        

        but If I am to forward a port for a real IP to internal
            guest machine I need
          
        
        ACCEPT     all  --  0.0.0.0/0           
              192.168.122.0/24     state NEW,RELATED,ESTABLISHED
        

        (NEW state is required) and also of course a forwarding
            rule
        

        iptables -t nat -I PREROUTING -p tcp --dport 3389
              -j DNAT --to-destination 192.168.122.16:3389
        

        Is there a place I can make this rules static with
            LibVirt (not playing with firewalld  and/or iptables service
            for Centos 7)
      
    
    The best that can be done with current libvirt is to create a "hook"
    script similar to the one described here:

    
https://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections

    
    (That worked the last time I tried it, but that was at least 3 years
    ago. The python script available as a link from that page is newer
    and promises to be easier to understand (maybe))

  
_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users