I used your second link to write a Perl script to do what I wanted. Thanks.

John Ratliff | Pervasive Technology Institute | UITS | Research Storage - Indiana University | http://pti.iu.edu/

-----Original Message-----
From: Pavel Hrdina <phrdina@xxxxxxxxxx>
Sent: Thursday, May 3, 2018 4:43 AM
To: Ratliff, John <jdratlif@xxxxxx>
Cc: virt-tools-list@xxxxxxxxxx
Subject: Re: iptables rules created by libvirt

On Thu, May 03, 2018 at 12:51:06AM +0000, Ratliff, John wrote:
> I want to use NAT forwarding to forward some ports on my kvm host to
> my guests. There is a rule that libvirt is creating that rejects this
> traffic, and it gets recreated every time the network is updated.
>
> -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
>
> My FORWARD policy is set to DROP, so I'd like to just remove this
> rule, but I don't understand where it's coming from.

Hi, here you can read about libvirt networking and how it works [1].

> I'm using kvm/qemu/libvirt on a RedHat 7.5 host.
>
> It's not clear to me whether anything is using any of the nwfilter
> rules. I haven't added any, and I don't see any referenced in any of
> my domain xml dumps or the network xml dump.
>
> Can I get libvirt to stop adding this rule, or even any firewall rules
> and I'll do it myself?

There is no need to change this behavior; you can use the QEMU guest hook, where you can add your own iptables rules [2].

Pavel

[1] <https://libvirt.org/firewall.html>
[2] <https://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections>
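The hook approach Pavel points to in [2], as an added example written for this thread (it is not libvirt's own code and not the Perl script John wrote). libvirt runs /etc/libvirt/hooks/qemu with the guest name and the operation as its first two arguments on guest lifecycle events; the guest name, guest address and port pairs below are constructed values, not from the original messages. The point worth seeing in code is that the ACCEPT is inserted with -I, so it lands ahead of libvirt's own "-o virbr0 -j REJECT" rule, and that each ACCEPT is pinned to one guest address and port rather than opening the FORWARD chain for the whole bridge:

```shell
#!/bin/sh
# Added example: a libvirt QEMU hook that forwards host ports to one guest.
# libvirt invokes /etc/libvirt/hooks/qemu as
#   qemu <guest_name> <operation> <sub-operation> <extra>
# on guest lifecycle events (per libvirt's hooks documentation). This script
# is an illustration for the thread above, not libvirt's code or the poster's
# Perl script.

# Constructed example values (assumptions, not taken from the original messages).
GUEST_NAME="webvm"
GUEST_IP="192.168.122.10"
BRIDGE="virbr0"
PORT_MAP="8080:80 2222:22"   # "hostport:guestport" pairs to forward

# Allow the iptables binary to be substituted (e.g. IPTABLES=echo for a dry run).
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Print the iptables argument list for each rule, one rule per line.
# $1 is the chain action: -I to insert, -D to delete.
# -I matters: it places the ACCEPT ahead of libvirt's own
# "-o virbr0 -j REJECT" rule, so that rule can stay in place; -A would land
# behind the REJECT and never match. DNAT happens in PREROUTING, so by the time
# the packet reaches FORWARD its destination is already the guest address,
# which is what the ACCEPT matches on.
rules_for() {
    action="$1"
    for pair in $PORT_MAP; do
        host_port="${pair%%:*}"
        guest_port="${pair##*:}"
        echo "-t nat $action PREROUTING -p tcp --dport $host_port -j DNAT --to-destination $GUEST_IP:$guest_port"
        echo "$action FORWARD -o $BRIDGE -p tcp -d $GUEST_IP --dport $guest_port -j ACCEPT"
    done
}

# Run every rule produced by rules_for through $IPTABLES.
apply_rules() {
    rules_for "$1" | while read -r rule; do
        # shellcheck disable=SC2086  # splitting $rule into arguments is intended
        $IPTABLES $rule
    done
}

# Dispatch on the operation libvirt passes in $2; ignore every other guest.
hook_main() {
    guest="$1"
    op="$2"
    [ "$guest" = "$GUEST_NAME" ] || return 0
    case "$op" in
        start)     apply_rules -I ;;
        stopped)   apply_rules -D ;;
        reconnect) apply_rules -D; apply_rules -I ;;   # libvirtd restarted while the guest was running
    esac
}

# Only act when invoked by libvirt with arguments; sourcing the file runs nothing.
if [ $# -ge 2 ]; then
    hook_main "$@"
fi
```

Install it as /etc/libvirt/hooks/qemu, make it executable, and restart libvirtd so the hook is picked up. Two caveats a practitioner should keep in mind: the rules pin the guest's address, so give the guest a fixed address or a static DHCP lease in the libvirt network definition; and a nat PREROUTING rule only rewrites traffic arriving from outside, so connections made from the host itself to its own forwarded port would additionally need a DNAT rule in the nat OUTPUT chain.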
_______________________________________________
virt-tools-list mailing list
virt-tools-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/virt-tools-list