Re: How can I control iptables/nftables rules addition on libvirtd host on Debian 12 ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 1/29/25 8:39 AM, oza.4h07@xxxxxxxxx wrote:

Hello,

When I install libvirt-daemon on a Debian 12 host, I can see the iptables rules below beeing added.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
COMMIT

For some reason, I need to add a couple of other rules.
How can I do that ?
I assume you are actually using libvirt's "default" virtual network, and that the rules you want to add are related to that network? If the rules are unrelated, you can set them up however / wherever you like. But it these rule are directly related to the virtual network created by libvirt, then take a look at https://libvirt.org/hooks.html
You can add extra rules by creating the file /etc/libvirt/hooks/network (which is a shell script) and running the appropriate nftables/iptables commands there. The above linked page will show you how to construct the script so that commands to add rules (or other stuff) are run when the network starts, and other commands to remove/undo the rules/stuff are run when the network is stopped.
(BTW, if your distro has libvirt 10.4.0 or newer, you can tell it to use nftables rules rather than iptables - just add: 

  firewall_backend = "nftables"

to /etc/libvirt/network.conf)
[Index of Archives]     [Virt Tools]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux