<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body text="#000000" bgcolor="#ffffff">
<font size="-1"><font face="Liberation Mono">Hi All,<br>
<br>
</font></font>
<div align="justify"><font size="-1"><font face="Liberation Mono">I
created a couple of virtual networks (forward mode=nat) on my rhel6-kvm
box. I've come across 2 weird issues.<br>
1. My iptables rule chainset contains repeated rules. The same rule
gets repeated block by block.<br>
2. For connecting to guests using SSH, I created a custom iptables
chain. I want this chain to be on top of the FORWARD chain, but
every time libvirtd is restarted the rule comes to the bottom of the
chain (appended).<br>
<br>
Can anyone suggest what the solution could be? My iptables rules are
given below. Let me know if any further info is needed.<br>
<br>
[root@santiago Packages]# iptables -L -n -v<br>
Chain INPUT (policy ACCEPT 41 packets, 5818 bytes)<br>
pkts bytes target prot opt in out source
destination <br>
0 0 ACCEPT udp -- vbr0 * 0.0.0.0/0
0.0.0.0/0 udp dpt:53 <br>
0 0 ACCEPT tcp -- vbr0 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:53 <br>
0 0 ACCEPT udp -- vbr0 * 0.0.0.0/0
0.0.0.0/0 udp dpt:67 <br>
0 0 ACCEPT tcp -- vbr0 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:67 <br>
0 0 ACCEPT udp -- vbr1 * 0.0.0.0/0
0.0.0.0/0 udp dpt:53 <br>
0 0 ACCEPT tcp -- vbr1 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:53 <br>
0 0 ACCEPT udp -- vbr1 * 0.0.0.0/0
0.0.0.0/0 udp dpt:67 <br>
0 0 ACCEPT tcp -- vbr1 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:67 <br>
0 0 ACCEPT udp -- vbr0 * 0.0.0.0/0
0.0.0.0/0 udp dpt:53 <br>
0 0 ACCEPT tcp -- vbr0 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:53 <br>
0 0 ACCEPT udp -- vbr0 * 0.0.0.0/0
0.0.0.0/0 udp dpt:67 <br>
0 0 ACCEPT tcp -- vbr0 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:67 <br>
0 0 ACCEPT udp -- vbr1 * 0.0.0.0/0
0.0.0.0/0 udp dpt:53 <br>
0 0 ACCEPT tcp -- vbr1 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:53 <br>
0 0 ACCEPT udp -- vbr1 * 0.0.0.0/0
0.0.0.0/0 udp dpt:67 <br>
0 0 ACCEPT tcp -- vbr1 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:67 <br>
0 0 ACCEPT udp -- vbr0 * 0.0.0.0/0
0.0.0.0/0 udp dpt:53 <br>
0 0 ACCEPT tcp -- vbr0 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:53 <br>
0 0 ACCEPT udp -- vbr0 * 0.0.0.0/0
0.0.0.0/0 udp dpt:67 <br>
0 0 ACCEPT tcp -- vbr0 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:67 <br>
0 0 ACCEPT udp -- vbr1 * 0.0.0.0/0
0.0.0.0/0 udp dpt:53 <br>
0 0 ACCEPT tcp -- vbr1 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:53 <br>
0 0 ACCEPT udp -- vbr1 * 0.0.0.0/0
0.0.0.0/0 udp dpt:67 <br>
0 0 ACCEPT tcp -- vbr1 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:67 <br>
0 0 ACCEPT udp -- vbr0 * 0.0.0.0/0
0.0.0.0/0 udp dpt:53 <br>
0 0 ACCEPT tcp -- vbr0 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:53 <br>
0 0 ACCEPT udp -- vbr0 * 0.0.0.0/0
0.0.0.0/0 udp dpt:67 <br>
0 0 ACCEPT tcp -- vbr0 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:67 <br>
0 0 ACCEPT udp -- vbr1 * 0.0.0.0/0
0.0.0.0/0 udp dpt:53 <br>
0 0 ACCEPT tcp -- vbr1 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:53 <br>
0 0 ACCEPT udp -- vbr1 * 0.0.0.0/0
0.0.0.0/0 udp dpt:67 <br>
0 0 ACCEPT tcp -- vbr1 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:67 <br>
0 0 ACCEPT udp -- vbr0 * 0.0.0.0/0
0.0.0.0/0 udp dpt:53 <br>
0 0 ACCEPT tcp -- vbr0 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:53 <br>
0 0 ACCEPT udp -- vbr0 * 0.0.0.0/0
0.0.0.0/0 udp dpt:67 <br>
0 0 ACCEPT tcp -- vbr0 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:67 <br>
0 0 ACCEPT udp -- vbr1 * 0.0.0.0/0
0.0.0.0/0 udp dpt:53 <br>
0 0 ACCEPT tcp -- vbr1 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:53 <br>
0 0 ACCEPT udp -- vbr1 * 0.0.0.0/0
0.0.0.0/0 udp dpt:67 <br>
0 0 ACCEPT tcp -- vbr1 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:67 <br>
<br>
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<br>
pkts bytes target prot opt in out source
destination <br>
0 0 ACCEPT all -- * vbr0 0.0.0.0/0
10.10.0.0/24 state RELATED,ESTABLISHED <br>
0 0 ACCEPT all -- vbr0 * 10.10.0.0/24
0.0.0.0/0 <br>
0 0 ACCEPT all -- vbr0 vbr0 0.0.0.0/0
0.0.0.0/0 <br>
0 0 REJECT all -- * vbr0 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable <br>
0 0 REJECT all -- vbr0 * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable <br>
0 0 ACCEPT all -- * vbr1 0.0.0.0/0
10.10.1.0/24 state RELATED,ESTABLISHED <br>
0 0 ACCEPT all -- vbr1 * 10.10.1.0/24
0.0.0.0/0 <br>
0 0 ACCEPT all -- vbr1 vbr1 0.0.0.0/0
0.0.0.0/0 <br>
0 0 REJECT all -- * vbr1 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable <br>
0 0 REJECT all -- vbr1 * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable <br>
<font color="#cc0000"> 5688 588K rhel-virt-forward-1 all -- *
* 0.0.0.0/0 0.0.0.0/0 </font><br>
0 0 ACCEPT all -- * vbr0 0.0.0.0/0
10.10.0.0/24 state RELATED,ESTABLISHED <br>
0 0 ACCEPT all -- vbr0 * 10.10.0.0/24
0.0.0.0/0 <br>
0 0 ACCEPT all -- vbr0 vbr0 0.0.0.0/0
0.0.0.0/0 <br>
0 0 REJECT all -- * vbr0 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable <br>
0 0 REJECT all -- vbr0 * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable <br>
0 0 ACCEPT all -- * vbr1 0.0.0.0/0
10.10.1.0/24 state RELATED,ESTABLISHED <br>
0 0 ACCEPT all -- vbr1 * 10.10.1.0/24
0.0.0.0/0 <br>
0 0 ACCEPT all -- vbr1 vbr1 0.0.0.0/0
0.0.0.0/0 <br>
0 0 REJECT all -- * vbr1 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable <br>
0 0 REJECT all -- vbr1 * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable <br>
0 0 ACCEPT all -- * vbr0 0.0.0.0/0
10.10.0.0/24 state RELATED,ESTABLISHED <br>
0 0 ACCEPT all -- vbr0 * 10.10.0.0/24
0.0.0.0/0 <br>
0 0 ACCEPT all -- vbr0 vbr0 0.0.0.0/0
0.0.0.0/0 <br>
0 0 REJECT all -- * vbr0 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable <br>
0 0 REJECT all -- vbr0 * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable <br>
0 0 ACCEPT all -- * vbr1 0.0.0.0/0
10.10.1.0/24 state RELATED,ESTABLISHED <br>
0 0 ACCEPT all -- vbr1 * 10.10.1.0/24
0.0.0.0/0 <br>
0 0 ACCEPT all -- vbr1 vbr1 0.0.0.0/0
0.0.0.0/0 <br>
0 0 REJECT all -- * vbr1 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable <br>
0 0 REJECT all -- vbr1 * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable <br>
0 0 ACCEPT all -- * vbr0 0.0.0.0/0
10.10.0.0/24 state RELATED,ESTABLISHED <br>
0 0 ACCEPT all -- vbr0 * 10.10.0.0/24
0.0.0.0/0 <br>
0 0 ACCEPT all -- vbr0 vbr0 0.0.0.0/0
0.0.0.0/0 <br>
0 0 REJECT all -- * vbr0 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable <br>
0 0 REJECT all -- vbr0 * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable <br>
0 0 ACCEPT all -- * vbr1 0.0.0.0/0
10.10.1.0/24 state RELATED,ESTABLISHED <br>
0 0 ACCEPT all -- vbr1 * 10.10.1.0/24
0.0.0.0/0 <br>
0 0 ACCEPT all -- vbr1 vbr1 0.0.0.0/0
0.0.0.0/0 <br>
0 0 REJECT all -- * vbr1 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable <br>
0 0 REJECT all -- vbr1 * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable <br>
0 0 ACCEPT all -- * vbr0 0.0.0.0/0
10.10.0.0/24 state RELATED,ESTABLISHED <br>
0 0 ACCEPT all -- vbr0 * 10.10.0.0/24
0.0.0.0/0 <br>
0 0 ACCEPT all -- vbr0 vbr0 0.0.0.0/0
0.0.0.0/0 <br>
0 0 REJECT all -- * vbr0 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable <br>
0 0 REJECT all -- vbr0 * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable <br>
0 0 ACCEPT all -- * vbr1 0.0.0.0/0
10.10.1.0/24 state RELATED,ESTABLISHED <br>
0 0 ACCEPT all -- vbr1 * 10.10.1.0/24
0.0.0.0/0 <br>
0 0 ACCEPT all -- vbr1 vbr1 0.0.0.0/0
0.0.0.0/0 <br>
0 0 REJECT all -- * vbr1 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable <br>
0 0 REJECT all -- vbr1 * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable <br>
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-is-bridged <br>
<br>
Chain OUTPUT (policy ACCEPT 38 packets, 4234 bytes)<br>
pkts bytes target prot opt in out source
destination <br>
<br>
Chain rhel-virt-forward-1 (1 references)<br>
pkts bytes target prot opt in out source
destination <br>
25 2100 ACCEPT icmp -- eth0 vbr1 0.0.0.0/0
0.0.0.0/0 <br>
3515 262K ACCEPT tcp -- eth0 vbr1 0.0.0.0/0
0.0.0.0/0 tcp dpt:22 <br>
0 0 ACCEPT icmp -- eth0 vbr0 0.0.0.0/0
0.0.0.0/0 <br>
0 0 ACCEPT tcp -- eth0 vbr0 0.0.0.0/0
0.0.0.0/0 tcp dpt:22<br>
<br>
<br>
**************Details about my virtual network interfaces are given
below:<br>
<br>
[root@santiago Packages]# virsh net-list --all<br>
Name State Autostart<br>
-----------------------------------------<br>
vir0 active yes <br>
vir1 active yes<br>
<br>
Thank you in advance.<br>
<br>
Regards,<br>
--Kurian.<br>
</font></font></div>
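<p>As an added example that is not part of Kurian's mail: a shell audit of the FORWARD chain situation described above (repeated rules, and a jump to the custom chain that has ended up below libvirt's REJECT rules). It assumes the chain name from the mail and uses a constructed, abridged listing in <code>iptables -S FORWARD</code> format in place of the real output; nothing in it runs iptables itself, it only prints the commands that would restore the jump to position 1.</p>

```bash
#!/bin/bash
# Added example (not from the original mail): audit a FORWARD listing for repeated
# rules and for where the jump into the custom chain sits, then emit the commands
# that put that jump back at position 1. Chain name from the mail; SAMPLE_FORWARD is
# a constructed, abridged "iptables -S FORWARD" rendering of the mail's listing.
CUSTOM_CHAIN="rhel-virt-forward-1"
SAMPLE_FORWARD='-P FORWARD ACCEPT
-A FORWARD -d 10.10.0.0/24 -o vbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.0.0/24 -i vbr0 -j ACCEPT
-A FORWARD -i vbr0 -o vbr0 -j ACCEPT
-A FORWARD -o vbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i vbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j rhel-virt-forward-1
-A FORWARD -d 10.10.0.0/24 -o vbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.0.0/24 -i vbr0 -j ACCEPT
-A FORWARD -i vbr0 -o vbr0 -j ACCEPT
-A FORWARD -o vbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i vbr0 -j REJECT --reject-with icmp-port-unreachable'

# Rules ("-A" lines) that appear more than once in listing $1, each printed once.
duplicate_rules() {
    printf '%s\n' "$1" | grep '^-A ' | sort | uniq -d
}

# 1-based position of the first jump into chain $2 within listing $1; 0 if absent.
jump_position() {
    pos=$(printf '%s\n' "$1" | grep '^-A ' | grep -n -- "-j $2\$" | head -n 1 | cut -d: -f1)
    echo "${pos:-0}"
}

# REJECT rules evaluated before the jump: traffic they match never reaches the
# custom chain, so a jump that has been pushed down is effectively dead for it.
reject_before_jump() {
    pos=$(jump_position "$1" "$2")
    [ "$pos" -gt 1 ] || { echo 0; return; }
    printf '%s\n' "$1" | grep '^-A ' | head -n "$((pos - 1))" | grep -c -- '-j REJECT'
}

# Emit (do not run) the fix: delete every copy of the jump by rule spec (the
# iptables in RHEL 6 lacks "-C"), then insert exactly one copy at the top.
fix_commands() {
    printf 'while iptables -D FORWARD -j %s 2>/dev/null; do :; done\n' "$1"
    printf 'iptables -I FORWARD 1 -j %s\n' "$1"
}

echo "jump at position $(jump_position "$SAMPLE_FORWARD" "$CUSTOM_CHAIN"), REJECTs ahead: $(reject_before_jump "$SAMPLE_FORWARD" "$CUSTOM_CHAIN")"
echo "duplicated rules:"; duplicate_rules "$SAMPLE_FORWARD"
fix_commands "$CUSTOM_CHAIN"
```

<p>Against a live host, replace SAMPLE_FORWARD with the output of <code>iptables -S FORWARD</code> and run the emitted commands after libvirtd has rebuilt its rules; a libvirt hook script under /etc/libvirt/hooks (the daemon hook is invoked on daemon start and reload) is one place to do that automatically.</p>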
</body>
</html>