[libvirt-users] Getting nwfilter to work on Debian Wheezy
Stefan Berger
stefanb at linux.vnet.ibm.com
Tue Aug 6 11:04:20 UTC 2013
On 07/08/2013 10:59 AM, Sven Schwedas wrote:
> Hi,
>
> I'm trying to configure nwfilter for KVM, but so far I haven't managed
> to figure out a working configuration.
>
> Network setup: The dom0 (Debian 7.1, kernel 3.2.46-1, libvirt 0.9.12) is
> connected via eth0, part of the external subnet 192.168.17.0/24, and has
> an additional subnet 192.168.128.160/28 routed to its main address
> 192.168.17.125.
>
> The host's subnet is configured as bridge in virsh:
>> <network>
>> <name>foo</name>
>> <forward dev='eth0' mode='route'>
>> <interface dev='eth0'/>
>> </forward>
>> <bridge name='foo-br0' stp='off' delay='0' />
>> <ip address='192.168.128.161' netmask='255.255.255.240'>
>> </ip>
>> </network>
> The domU is configured to use this bridge (static IP configured in DomU):
>
>> <interface type='network'>
>> <source network='foo'/>
>> <target dev='vnet0'/>
>> <model type='virtio'/>
>> <filterref filter='test-eth0'>
>> <parameter name='CTRL_IP_LEARNING' value='none'/>
>> <parameter name='IP' value='192.168.128.162'/>
>> </filterref>
>> <alias name='net0'/>
>> <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
>> </interface>
> With an empty filter, connectivity is working fine. Now, if I add the
> example ruleset suggested in the documentation (
> http://libvirt.org/formatnwfilter.html#nwfwriteexample ), *incoming*
> ICMP works (but not outgoing), and inbound SSH traffic is blocked,
> together with outbound DNS.
>
> The linked rules produce the following iptables chains:
>
>> Chain INPUT (policy ACCEPT)
>> target prot opt source destination
>> libvirt-host-in all -- 0.0.0.0/0 0.0.0.0/0
>> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
>> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
>> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
>> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
>>
>> Chain FORWARD (policy ACCEPT)
>> target prot opt source destination
>> libvirt-in all -- 0.0.0.0/0 0.0.0.0/0
>> libvirt-out all -- 0.0.0.0/0 0.0.0.0/0
>> libvirt-in-post all -- 0.0.0.0/0 0.0.0.0/0
>> ACCEPT all -- 0.0.0.0/0 192.168.128.160/28
>> ACCEPT all -- 192.168.128.160/28 0.0.0.0/0
>> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>> REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
>> REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
>>
>> Chain OUTPUT (policy ACCEPT)
>> target prot opt source destination
>>
>> Chain FI-vnet0 (1 references)
>> target prot opt source destination
>> RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state ESTABLISHED ctdir ORIGINAL
>> RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:80 state ESTABLISHED ctdir ORIGINAL
>> RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir REPLY
>> RETURN udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW,ESTABLISHED ctdir REPLY
>> DROP all -- 0.0.0.0/0 0.0.0.0/0
>>
>> Chain FO-vnet0 (1 references)
>> target prot opt source destination
>> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW,ESTABLISHED ctdir REPLY
>> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW,ESTABLISHED ctdir REPLY
>> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir ORIGINAL
>> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 state ESTABLISHED ctdir ORIGINAL
>> DROP all -- 0.0.0.0/0 0.0.0.0/0
>>
>> Chain HI-vnet0 (1 references)
>> target prot opt source destination
>> RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state ESTABLISHED ctdir ORIGINAL
>> RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:80 state ESTABLISHED ctdir ORIGINAL
>> RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir REPLY
>> RETURN udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 state NEW,ESTABLISHED ctdir REPLY
>> DROP all -- 0.0.0.0/0 0.0.0.0/0
>>
>> Chain libvirt-host-in (1 references)
>> target prot opt source destination
>> HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
>>
>> Chain libvirt-in (1 references)
>> target prot opt source destination
>> FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
>>
>> Chain libvirt-in-post (1 references)
>> target prot opt source destination
>> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
>>
>> Chain libvirt-out (1 references)
>> target prot opt source destination
>> FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
> I've tried fidgeting with the configuration (direction inout instead of
> in/out, etc.), but I didn't find a setup that works as intended. What am
> I missing?
Depending on the settings of your Linux distribution you may need to
echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
to enable iptables filtering for traffic traversing the bridge. Does
this get it to work?
Stefan
More information about the libvirt-users
mailing list