On 8/30/19 05:39, toml@xxxxxxx wrote:
Hello
I have an understanding problem with the following 3 rules
generated by virtmanager (libvirt). Why are the first two
rules necessary when the third rule handles the whole VM?
What is the advantage of the first two rules?
Does anyone have a short explanation for me?
Thank you very much.
-A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -j MASQUERADE
BR, Tom
What the first two rules are really doing is ensuring that TCP and UDP
outgoing connections are translated to ports >= 1024, even if the
original source port is lower. It's basically an archaic and low-quality
security mechanism whereby untrusted applications aren't allowed to use
ports below 1024, and guest VMs are considered untrusted with respect to
use of the host's IP address.
The last rule handles protocols other than TCP and UDP.
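As an added illustration of the reply above (example code, not from the list thread): a small Python model of how the three POSTROUTING rules are walked for constructed sample packets, showing that with only the catch-all rule a guest's low source port would leave the host unchanged. The port-selection logic is a labelled simplification of what the kernel does.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the three POSTROUTING rules from the post. Each rule
# is (protocol to match or None for "any", --to-ports range or None).
LAN = ipaddress.ip_network("192.168.100.0/24")
RULES = [
    ("tcp", (1024, 65535)),   # -p tcp -j MASQUERADE --to-ports 1024-65535
    ("udp", (1024, 65535)),   # -p udp -j MASQUERADE --to-ports 1024-65535
    (None, None),             # -j MASQUERADE (any protocol, no port constraint)
]

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                # "tcp", "udp", "icmp", ...
    sport: Optional[int]      # None for protocols that carry no port

def rule_matches(rule, pkt: Packet) -> bool:
    """-s 192.168.100.0/24 ! -d 192.168.100.0/24 [-p <proto>]"""
    proto, _ = rule
    return (ipaddress.ip_address(pkt.src) in LAN
            and ipaddress.ip_address(pkt.dst) not in LAN
            and (proto is None or proto == pkt.proto))

def masquerade(pkt: Packet, rules=RULES):
    """Walk the chain in order (first match wins, as iptables does) and return
    (index of the matching rule or None, source port after NAT).

    Simplifying assumption: the original port is kept whenever it already lies
    inside the --to-ports range; otherwise the lowest port of the range is
    chosen. The real kernel additionally skips ports that are already in use."""
    for i, rule in enumerate(rules):
        if not rule_matches(rule, pkt):
            continue
        port_range = rule[1]
        if pkt.sport is None or port_range is None:
            return i, pkt.sport          # no port rewrite requested by this rule
        lo, hi = port_range
        return i, (pkt.sport if lo <= pkt.sport <= hi else lo)
    return None, pkt.sport               # no rule matched: packet is not masqueraded
```

Calling `masquerade(Packet("192.168.100.5", "8.8.8.8", "tcp", 80), rules=RULES[2:])` drops the two protocol-specific rules and shows the guest's port 80 surviving untouched.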