Re: Host Machine and Iptables problem

Cbulist <cbulist@xxxxxxxxx> · Tue, 01 May 2012 09:55:51 -0500

On 05/01/2012 08:46 AM, Tait Clarridge wrote:
>
> On Tue, 2012-05-01 at 02:08 -0500, Cbulist wrote:
>> On 05/01/2012 02:03 AM, Barry Brimer wrote:
>>>> Yes, I thought the same but my confusion is that I don't see any rules of
>>>> PREROUTING and POSTROUTING in the /etc/sysconfig/iptables file.
>>>>
>>>> [root@VS01]# cat /etc/sysconfig/iptables
>>>> # Firewall configuration written by system-config-firewall
>>>> # Manual customization of this file is not recommended.
>>>> *filter
>>>> :INPUT ACCEPT [0:0]
>>>> :FORWARD ACCEPT [0:0]
>>>> :OUTPUT ACCEPT [0:0]
>>>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>> -A INPUT -p icmp -j ACCEPT
>>>> -A INPUT -i lo -j ACCEPT
>>>> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
>>>> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
>>>> -A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j
>>>> ACCEPT
>>>> -A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT
>>>> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
>>>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>>>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>>>> COMMIT
>>>>
>>>>
>>>> But when I check the command iptables -L -t nat I can see the NAT rules
>>>>
>>>> [root@VS01]# iptables -L -t nat
>>>> Chain PREROUTING (policy ACCEPT)
>>>> target     prot opt source               destination
>>>>
>>>> Chain POSTROUTING (policy ACCEPT)
>>>> target     prot opt source               destination
>>>> MASQUERADE  tcp  --  192.168.122.0/24    !192.168.122.0/24    masq ports:
>>>> 1024-65535
>>>> MASQUERADE  udp  --  192.168.122.0/24    !192.168.122.0/24    masq ports:
>>>> 1024-65535
>>>> MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24
>>>> MASQUERADE  tcp  --  192.168.100.0/24    !192.168.100.0/24    masq ports:
>>>> 1024-65535
>>>> MASQUERADE  udp  --  192.168.100.0/24    !192.168.100.0/24    masq ports:
>>>> 1024-65535
>>>> MASQUERADE  all  --  192.168.100.0/24    !192.168.100.0/24
>>>>
>>>> Chain OUTPUT (policy ACCEPT)
>>>> target     prot opt source               destination
>>>>
>>>> am I missing something?
>>> Maybe .. do you have IPv4 forwarding enabled?  What is the output of
>>> "cat /proc/sys/net/ipv4/ip_forward" ?? If it is 0, then edit
>>> /etc/sysctl.conf .. find net.ipv4.ip_forward .. set it to 1 and then run
>>> (as root) sysctl -p
>>>
>> In the Host machine the ip_forward is 1
> If you restart libvirtd it should add in the IPTABLES rules you are
> missing.
>
Hi Tait,

Thanks for share your point!...It worked and explained what was happened.
For everyone that is looking for more information about it I left this link:

http://libvirt.org/firewall.html

Thanks again!

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos