Confused about bridging, firewall (iptables), and DHCP

Mikkel L. Ellertson mikkel at infinity-ltd.com
Tue Mar 13 22:49:17 UTC 2007


Tony Nelson wrote:
> At 1:26 PM -0500 3/13/07, Mikkel L. Ellertson wrote:
> 
>> You would then create whatever firewall rules you wish on
>> your virtual machine using the tap0 interface, just like you would
>> using eth0 if it were a stand-alone machine. You may have to add
>> rules to set the defaults on eth0 to accept in order to purge the
>> old rules.
> 
> Actually, I don't think I'd need any rules at all for the VM, as it should
> be able to do its own firewalling -- and it does, I'm fighting with it now
> (and winning!).
> 
Yes, the VM should have firewall rules based on what it calls tap0.
But you need to make sure that the rule for eth0 on the real machine
accept all packets. If you are bringing up iptables before you are
creating the bridge, then it probably has rules and/or policies for
eth0. It is also possible to add rules for individual interfaces
that make up the bridge, but in this case, you will probably want
the bridge interfaces to accept everything.
> 
>> One thing you could try after the bridge is up is to run "service
>> iptables restart". This might reset the firewall rules to use br0
>> instead of eth0.
> 
> FWIW, I have been doing "iptables --flush" and later "iptables-restore",
> and that doesn't unfilter the tap.  I think, since the output of "iptables
> -vL" says "any" for the interface, that I'd have to make more specific
> rules.  Maybe I'm starting to understand it.

Keep in mind that running "iptables --flush" does not change the
default policy - it just deletes the (user defined) rules. Running
"service iptables stop" will also reset the default policies.

I am not sure, but I suspect that the rules in
/etc/sysconfig/iptables get evaluated differently if the bridge is up.

Mikkel
-- 

  Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
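As an added illustration, not part of this thread, the script below models the three behaviours discussed above (a normal ruleset, "iptables --flush", and "service iptables stop") on the text form of a ruleset as "iptables -S" prints it. The ruleset and the interface names are constructed so it runs without root or a real netfilter.

```shell
#!/bin/sh
# Constructed ruleset in `iptables -S` format (not taken from any real host).
SAMPLE_RULESET='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT'

# Default policy of a chain: the target on its "-P CHAIN TARGET" line.
policy_of() {  # $1 = ruleset text, $2 = chain name
  printf '%s\n' "$1" | awk -v c="$2" '$1 == "-P" && $2 == c { print $3 }'
}

# Number of -A rules that match interface $2 via -i or -o.
rules_for_iface() {  # $1 = ruleset text, $2 = interface name
  printf '%s\n' "$1" | awk -v i="$2" '
    $1 == "-A" { for (k = 2; k < NF; k++)
                   if (($k == "-i" || $k == "-o") && $(k+1) == i) { n++; break } }
    END { print n + 0 }'
}

# "iptables --flush": every -A rule is deleted, every -P policy stays as it was.
flush() { printf '%s\n' "$1" | awk '$1 != "-A"'; }

# "service iptables stop": rules are flushed AND the built-in chains are
# set back to the ACCEPT policy.
stop_service() { printf '%s\n' "$1" | awk '$1 == "-P" { print $1, $2, "ACCEPT" }'; }

# Show what each operation leaves behind on the sample ruleset.
AFTER_FLUSH=$(flush "$SAMPLE_RULESET")
AFTER_STOP=$(stop_service "$SAMPLE_RULESET")
printf 'INPUT policy: before=%s after flush=%s after stop=%s\n' \
  "$(policy_of "$SAMPLE_RULESET" INPUT)" \
  "$(policy_of "$AFTER_FLUSH" INPUT)" \
  "$(policy_of "$AFTER_STOP" INPUT)"
printf 'rules on eth0: before=%s after flush=%s\n' \
  "$(rules_for_iface "$SAMPLE_RULESET" eth0)" \
  "$(rules_for_iface "$AFTER_FLUSH" eth0)"
```

Run the same functions on the output of "iptables -S" from the bridge host to see whether any rule still names eth0 rather than br0 after the bridge is up.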