On 12/22/2016 09:48 AM, Omer Aldemir wrote:
> Hello,
> I am trying to understand how libvirt firewall rules are loaded, as I have
> the firewalld and iptables services disabled.
libvirt will add its iptables rules via firewalld if firewalld
is enabled and running, otherwise it executes iptables
commands directly.
> Where are the configuration files for the firewall and NAT rules for libvirt?
There are no configuration files for the iptables rules that
libvirt adds. The simple set of rules that is added is fixed
for each type of libvirt network - NAT, routed, and isolated.
Here is a description of exactly what is added for each of
these types of network:
https://libvirt.org/firewall.html
(actually I just realized that I forgot to add information
there about a new network forwarding type I recently added -
"open", which doesn't add *any* iptables rules - this is
intended for those who want to do their own iptables setup for
libvirt networks, outside of libvirt.)
> How can I load the default firewall rules if I mess things up?
To reload all the iptables rules for all active libvirt
networks, just restart the libvirtd service.
> Also I have realized that the following is the default:
> ACCEPT all -- 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
> but if I am to forward a port from a real IP to an internal guest machine I need
> ACCEPT all -- 0.0.0.0/0 192.168.122.0/24 state NEW,RELATED,ESTABLISHED
> (the NEW state is required) and also, of course, a forwarding rule:
> iptables -t nat -I PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 192.168.122.16:3389
> Is there a place I can make these rules static with libvirt (without playing
> with the firewalld and/or iptables service on CentOS 7)?
The best that can be done with current libvirt is to create a
"hook" script similar to the one described here:
https://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections
(That worked the last time I tried it, but that was at least 3
years ago. The python script available as a link from that
page is newer and promises to be easier to understand (maybe))
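As an added illustration of the hook approach (not a script from the thread, the wiki page or libvirt itself), below is a minimal /etc/libvirt/hooks/qemu that inserts the DNAT and FORWARD rules from the question when a named guest starts and removes them when it stops. The guest name "win-rdp" and the bridge "virbr0" are assumed sample values; the address 192.168.122.16 and port 3389 are the ones from the thread.

```shell
#!/bin/sh
# Added example libvirt "qemu" hook; libvirt invokes it as:
#   /etc/libvirt/hooks/qemu <guest-name> <operation> <sub-operation> <extra>
# Guest name and bridge are constructed sample values for this example.
GUEST_NAME="win-rdp"          # assumed domain name
GUEST_IP="192.168.122.16"     # guest address from the thread
GUEST_PORT="3389"
HOST_PORT="3389"
BRIDGE="virbr0"               # assumed default NAT bridge of the network

# Print the iptables commands for one action ("-I" insert, "-D" delete),
# one per line, so they can be reviewed before anything is executed.
build_rules() {
    action="$1"
    # DNAT the incoming connection to the guest (same rule as in the thread).
    echo "iptables -t nat $action PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to-destination $GUEST_IP:$GUEST_PORT"
    # libvirt's own FORWARD rule towards the guest network only accepts
    # RELATED,ESTABLISHED; this adds NEW for just this guest and port.
    # -I puts it ahead of libvirt's trailing REJECT rules in FORWARD.
    echo "iptables $action FORWARD -o $BRIDGE -p tcp -d $GUEST_IP --dport $GUEST_PORT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT"
}

# Map a libvirt hook operation to an iptables action; empty means no-op.
# "reconnect" fires when libvirtd restarts with the guest still running.
action_for() {
    case "$1" in
        start|reconnect) echo "-I" ;;
        stopped)         echo "-D" ;;
        *)               echo "" ;;
    esac
}

# $1 = guest name, $2 = operation, both as passed by libvirt.
apply_rules() {
    [ "$1" = "$GUEST_NAME" ] || return 0
    act=$(action_for "$2")
    [ -n "$act" ] || return 0
    build_rules "$act" | while IFS= read -r cmd; do
        $cmd
    done
}

# Only act when libvirt actually calls us with hook arguments.
if [ "$#" -ge 2 ]; then
    apply_rules "$1" "$2"
fi
```

The script must be executable and libvirtd restarted once for the hook to be picked up; since the rules are re-inserted on every start, an unclean shutdown can leave a duplicate until the next "stopped" event removes one copy.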