Re: connection refused from DNATted host (libvirt guests!)

Hello,

I'm not subscribed to this list, please keep me in the From: when
replying, thanks!

I've found a solution; I'm posting it here hoping it could be useful to
others.

I've also changed the subject a little bit to include the important
missing information about libvirt guests.

Giovanni Biscuolo <giovanni@xxxxxxxxxxxx> writes:

[...]

> I'm using libvirt to define and run a guest (IPv4 192.168.133.9) inside
> my host

OK, now I understand that:

1. libvirt (still?!?) uses iptables and not nftables to define firewall
rules (see [1])

2. iptables-defined filters are _not_ visible via "nft" commands, at
least not via 'nft list ruleset', which I was using to look at rules.  I was
actually expecting a uniform interface to netfilter, but I see that even
today we still have to manage netfilter via (at least?) two different
interfaces.

3. when defining a network bridge with a forward "mode='nat'" parameter
(the default), libvirt configures firewalling rules (via iptables) so
that «inbound connections from other networks are all prohibited; all
connections between guests on the same network, and to/from the host to
the guests, are unrestricted and not NATed.» (see [2])

The solution I've adopted is to (re)define the libvirt-created network
bridge (swws-bridge in my case) using forward "mode='open'", so that «no
firewall rules will be added for the network» (see [2]) by libvirt and I
can manage all firewall rules via nftables alone.  Once I had reconfigured
swws-bridge, I was able to remotely connect to my DNATted (and forwarded)
ports on my guest machine.

Another solution could have been to configure some libvirt nwfilters via
XML (see [3])... but no :-D

[...]

Happy hacking.

[1] https://libvirt.org/firewall.html#firewalld-and-the-virtual-network-driver
so libvirt can use firewalld backends but not nftables directly :-(

[2] https://libvirt.org/formatnetwork.html#connectivity

[3] https://libvirt.org/formatnwfilter.html

-- 
Giovanni Biscuolo

«One can hope
 That the world returns to more normal levels».
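The reconfiguration described in the mail above, as an added example that is not the author's own script: the network is redefined with forward mode='open' and the rules libvirt then stops installing (masquerade for guest egress, DNAT for the forwarded port, and a default-drop forward chain that keeps other inbound traffic away from the guests) are supplied by a single nftables ruleset. The bridge name swws-bridge and guest 192.168.133.9 come from the mail; the uplink eth0, gateway 192.168.133.1, host port 2222 forwarded to guest port 22 and the table name are assumptions.

```shell
# Added example, not code from the original mail. Assumed: uplink eth0, gateway
# 192.168.133.1, host port 2222 -> guest port 22; bridge and guest from the mail.
set -eu
GUEST=192.168.133.9
BRIDGE=swws-bridge
WAN=eth0
HOST_PORT=2222
GUEST_PORT=22

# mode='open': libvirt installs no firewall rules at all, so masquerading and the
# old "inbound prohibited" default must both come from the ruleset below.
network_xml() {
cat <<EOF
<network>
  <name>$BRIDGE</name>
  <forward mode='open'/>
  <bridge name='$BRIDGE' stp='on' delay='0'/>
  <ip address='192.168.133.1' netmask='255.255.255.0'/>
</network>
EOF
}

# DNAT the forwarded port, masquerade guest egress, and forward only what is
# explicitly allowed (policy drop) plus replies to established connections.
nft_ruleset() {
cat <<EOF
table inet libvirt_open {
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    iifname "$WAN" tcp dport $HOST_PORT dnat ip to $GUEST:$GUEST_PORT
  }
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    ip saddr 192.168.133.0/24 oifname "$WAN" masquerade
  }
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    iifname "$BRIDGE" oifname "$WAN" accept
    iifname "$WAN" oifname "$BRIDGE" ip daddr $GUEST tcp dport $GUEST_PORT ct status dnat accept
  }
}
EOF
}

# Run with "apply" to (re)define the network via virsh and load the ruleset.
if [ "${1:-}" = apply ]; then
  network_xml > "/tmp/$BRIDGE.xml"
  virsh net-destroy "$BRIDGE" 2>/dev/null || true
  virsh net-undefine "$BRIDGE" 2>/dev/null || true
  virsh net-define "/tmp/$BRIDGE.xml" && virsh net-start "$BRIDGE"
  nft_ruleset | nft -f -
fi
```

After applying, 'nft list ruleset' shows every rule that now governs the guests, which was the visibility the mail was missing when libvirt managed them through iptables.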
