libvirtd and public access to guests

Didar Hossain didar.hossain at gmail.com
Sat Oct 10 09:20:40 UTC 2009


On Sat, Oct 10, 2009 at 2:26 PM, Didar Hossain <didar.hossain at gmail.com> wrote:
> On Thu, Oct 8, 2009 at 3:32 PM, Pavel Lisy <pali at tmapy.cz> wrote:
>> Hello
>>
>> I've started playing with libvirt and I have a question.
>>
>> What is the proper way to make a guest accessible from the net?
>>
>> I have mode=nat in /var/lib/libvirt/network/default.xml.
>>
>> libvirtd makes these rules in the FORWARD chain
>>
>> -A FORWARD -d 192.168.231.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A FORWARD -s 192.168.231.0/24 -i virbr0 -j ACCEPT
>> -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
>> -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
>> -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>>
>> If I add
>> iptables -I FORWARD -i eth0 -o virbr0 -j ACCEPT
>> guests are accessible
>>
>> My question is:
>> Is it possible to write this somewhere in the configuration?
>>
>> I've tried to put it in /etc/sysconfig/iptables but libvirtd puts its
>> rules before mine.
>>
>>
>> I've found two directories
>> /var/lib/libvirt/iptables/filter
>> /var/lib/libvirt/iptables/nat
>
> I was hoping someone with more experience would help you on this issue.
>
> It is better to write your own rules than messing with these files
> (/var/lib/libvirt).
>
> The default network mode of libvirt is a private network behind NAT.
> The guests are provided an IP address via DHCP. If you want a guest to
> be accessible from the Internet then you will have to configure a static
> IP in your guest; ensure that you give an IP in the 192.168.231.0/24
> range.
>
> Then you will have to set up DNAT iptables rules. AFAIK, to prevent
> libvirt from overriding your rules, you should be using "-I" (INSERT)
> instead of "-A" (APPEND). Put your rules in the file
> /etc/sysconfig/iptables
>
> This is the theory. I *do not* use libvirt. I use VDE for my
> networking with command line KVM.
>
> HTH,
> Didar
>

Forgot to add - you have to "INSERT" the rules in reverse order so
that the correct sequence of rules is put in place.

Didar
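As an added illustration of the "-I in reverse order" advice above (example script, not from anyone in the thread): this generates the iptables commands that publish one TCP port of a NAT'd guest, emitting them so that each `-I` (insert at top) lands above the previous one and the chain ends up in the intended top-down order. It assumes uplink eth0, libvirt bridge virbr0 and a guest with the constructed static address 192.168.231.10 inside the default 192.168.231.0/24 range; the accept rule is narrowed to that guest and port rather than the blanket `-i eth0 -o virbr0 -j ACCEPT` from the question.

```shell
#!/bin/sh
# Added example, not part of the thread. Host uplink, libvirt bridge and guest
# address are assumptions; the guest IP is a constructed value in the default
# 192.168.231.0/24 libvirt range.
IFACE_PUB=eth0
IFACE_BR=virbr0
GUEST_IP=192.168.231.10

# Intended top-down order of the rules, first line = top of its chain.
# One rule per line: "table|chain|rule-spec".
#  1. nat/PREROUTING: rewrite the public port to the guest (DNAT).
#  2. filter/FORWARD: allow only NEW connections to that guest and port;
#     libvirt's own RELATED,ESTABLISHED rule already carries the replies.
intended_rules() {
    port=$1
    cat <<EOF
nat|PREROUTING|-i $IFACE_PUB -p tcp --dport $port -j DNAT --to-destination $GUEST_IP:$port
filter|FORWARD|-i $IFACE_PUB -o $IFACE_BR -d $GUEST_IP -p tcp --dport $port -m state --state NEW -j ACCEPT
EOF
}

# Emit "iptables -I" commands in REVERSE order. Because -I prepends to the
# chain, inserting the last intended rule first and the first intended rule
# last leaves the chain in exactly the order intended_rules() lists, and
# above whatever libvirtd appended when it brought the network up.
# (sed '1!G;h;$p' is the portable line-reversal idiom; tac is not POSIX.)
insert_commands() {
    intended_rules "$1" | sed -n '1!G;h;$p' |
        while IFS='|' read -r table chain spec; do
            printf 'iptables -t %s -I %s %s\n' "$table" "$chain" "$spec"
        done
}

# Run as: ./publish-guest-port.sh 80 | sh   (after libvirtd has started)
if [ -n "$1" ]; then
    insert_commands "$1"
fi
```

Pipe the output into `sh` only after libvirtd has created virbr0 and its rules, since rules inserted earlier can be overtaken by the ones libvirtd adds at network start.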
