Hello All,

I've looked in several places and haven't found an answer to this question: is it possible to have libvirt add custom rules to iptables for virtual network interfaces? I took a look at the "Firewall and Network Filtering in Libvirt" page and it seems overly complicated for what I want to do.

Given an interface virbr2 and its network 192.168.4.0/24, libvirt installs the following rules in iptables. Essentially, these rules will drop any packets for the interface virbr2 where the source or destination is not on the 192.168.4.0/24 network.

  -P FORWARD ACCEPT
  -A FORWARD -d 192.168.4.0/24 -o virbr2 -j ACCEPT
  -A FORWARD -s 192.168.4.0/24 -i virbr2 -j ACCEPT
  -A FORWARD -i virbr2 -o virbr2 -j ACCEPT
  -A FORWARD -o virbr2 -j REJECT --reject-with icmp-port-unreachable
  -A FORWARD -i virbr2 -j REJECT --reject-with icmp-port-unreachable

I have a VPN server on the 4/24 network, and it hands out addresses in the 8/24 network. So I would like libvirt to also create the following rules in iptables:

  -A FORWARD -d 192.168.8.0/24 -o virbr2 -j ACCEPT
  -A FORWARD -s 192.168.8.0/24 -i virbr2 -j ACCEPT

I've tried creating direct rules in firewalld for the FORWARD_direct chain. Firewalld happily creates those rules, but they are never reached, because they fall AFTER the libvirt rules. I've also tried creating an IP address on the virbr2 interface in the 8/24 network, but that doesn't work either.

How can I get this done?

Thanks!!
-JK

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
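A check for the ordering problem the post describes, added here as an example (it is not part of the original message and not libvirt's own code): it reads a FORWARD chain listing in the format of iptables -S FORWARD and reports whether an extra subnet's ACCEPT rules are evaluated before libvirt's per-interface REJECT rules. The rule listing is a constructed sample built from the rules quoted in the post, not output captured from a host.

```shell
# Added example, not code from the post or from libvirt: audit FORWARD chain
# ordering. An extra subnet's ACCEPT rules must sit above libvirt's per-interface
# REJECT rules, otherwise iptables never evaluates them (the symptom in the post).
# Constructed sample in `iptables -S FORWARD` format (not captured from a host):
# libvirt's virbr2 rules followed by two direct rules for 192.168.8.0/24.
SAMPLE_RULES='-P FORWARD ACCEPT
-A FORWARD -d 192.168.4.0/24 -o virbr2 -j ACCEPT
-A FORWARD -s 192.168.4.0/24 -i virbr2 -j ACCEPT
-A FORWARD -i virbr2 -o virbr2 -j ACCEPT
-A FORWARD -o virbr2 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr2 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.8.0/24 -o virbr2 -j ACCEPT
-A FORWARD -s 192.168.8.0/24 -i virbr2 -j ACCEPT'

# first_reject_index IFACE RULES: 1-based position (counting -A lines only, as
# `iptables -I FORWARD N` does) of the first REJECT rule for IFACE, or 0.
first_reject_index() {
    printf '%s\n' "$2" | grep '^-A ' | awk -v i="$1" '
        (index($0, "-i " i " ") || index($0, "-o " i " ")) && / -j REJECT/ {
            print NR; found = 1; exit
        }
        END { if (!found) print 0 }'
}

# subnet_accept_index IFACE SUBNET RULES: position of the first ACCEPT rule
# matching both IFACE and SUBNET, or 0 if there is none.
subnet_accept_index() {
    printf '%s\n' "$3" | grep '^-A ' | awk -v i="$1" -v s="$2" '
        index($0, " " i " ") && index($0, " " s " ") && / -j ACCEPT/ {
            print NR; found = 1; exit
        }
        END { if (!found) print 0 }'
}

# rules_reachable IFACE SUBNET RULES: reports whether SUBNET's ACCEPT rule runs
# before IFACE's REJECT rule; if not, gives the `iptables -I FORWARD N` position.
rules_reachable() {
    accept=$(subnet_accept_index "$1" "$2" "$3")
    reject=$(first_reject_index "$1" "$3")
    if [ "$accept" -eq 0 ]; then
        echo "missing: no ACCEPT rule for $2 on $1"
    elif [ "$reject" -eq 0 ] || [ "$accept" -lt "$reject" ]; then
        echo "reachable"
    else
        echo "unreachable: insert before rule $reject"
    fi
}
rules_reachable virbr2 192.168.4.0/24 "$SAMPLE_RULES"  # reachable
rules_reachable virbr2 192.168.8.0/24 "$SAMPLE_RULES"  # unreachable: insert before rule 4
```

Positions count only -A rules, matching the numbering iptables -I uses; since libvirt re-creates its rules when it starts a network, any rule inserted above them by hand has to be re-applied after such a restart.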