[fedora-virt] bridge network with iptables running on host?

Gene Czarcinski gene at czarc.net
Wed Sep 2 15:45:54 UTC 2009

On Wednesday 02 September 2009 11:09:28 Mark McLoughlin wrote:
> (Sorry for the delay in replying)
> On Sun, 2009-08-23 at 20:41 -0400, Tom Horsley wrote:
> > On Sun, 23 Aug 2009 17:06:04 -0700
> >
> > Dale Bewley wrote:
> > > On Fri, 2009-08-21 at 18:35 -0400, Tom Horsley wrote:
> > > > Do I have to tell the host to forward everything (rather than
> > > > forwarding nothing as I have it now?).
> > >
> > > You are going to need something like this:
> > >  iptables -I FORWARD -m physdev  --physdev-is-bridged -j ACCEPT
> > >
> > > Take a peek in /var/lib/libvirt/iptables for the rules that libvirt
> > > inserts when you use a libvirt defined network.
> >
> > Actually I finally discovered it was a combination of several
> > completely different things. I wasn't using the default libvirt
> > networking, so I didn't need any NAT related rule.
> >
> > I was instead using a bridge I defined. So first
> > I had to discover what the heck the /etc/sysctl.conf
> > settings recommended in a few places actually meant to know
> > that I really did need:
> >
> > net.bridge.bridge-nf-call-arptables = 0
> > net.bridge.bridge-nf-call-ip6tables = 0
> > net.bridge.bridge-nf-call-iptables = 0
> >
> > to prevent my VMs from being filtered by my host's iptables.
> Note:
>   http://wiki.libvirt.org/page/Networking#Fedora.2FRHEL_Bridging
> We used to recommend the "physdev-is-bridged" iptables rule, but now we
> recommend disabling iptables on the bridge altogether. See:
>   https://bugzilla.redhat.com/512206
> 'bridge-nf-call-iptables = 0' will be the default with Fedora 12.

A few years ago, I studied iptables to understand how it worked.  Time has 
passed; iptables has evolved; I doubt that everything in iptables works the 
same let alone that I remember it correctly.

I have set up a bridge interface (br0) on my host according to the above URL 
(modified ifcfg-eth0 and created ifcfg-br0; disabled NetworkManager and enabled 
network at startup).

Yes, I do not want the host iptables to do any filtering for any guest using 
br0 (they should do their own filtering or whatever).  However, I still do want 
network I/O on the host (not to/from a guest) to be filtered.

The configuration recommended in the above URL puts host I/O through br0 also 
(as indicated by the output of the "route" command).

Just what is and is not filtered?  Is nothing filtered on the host?

On one system, I accidentally left static IP definitions in ifcfg-eth0 while 
specifying BRIDGE=br0 and creating ifcfg-br0 with the same (static) IP values.  
The result of ifconfig shows BOTH interfaces up with the same IP values.  I 
immediately realized that I did something "wrong" and corrected it but is it 

For example, could I set up ifcfg-eth0 with IP (for example) plus 
BRIDGE=br0 and then have ifcfg-br0 use IP (for example) to make 
sure that host filtering continues.  I have not really tried this and have no 
idea if it would work or not.
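The thread turns on the three bridge-nf sysctl settings quoted above and on the question of what the host's iptables still sees once they are set to 0. The following is an added example, not code from the thread or from libvirt: a small POSIX shell script that reads a sysctl.conf-style file, reports for each table whether frames bridged between br0's ports (guest to eth0) bypass the host's FORWARD chain, and reminds the reader that traffic to or from the host's own IP on br0 is routed rather than bridged and therefore still passes INPUT/OUTPUT. The function names, the temporary file and the sample sysctl fragment are constructed for this example; the live check reads the /proc/sys/net/bridge files, which exist only when the kernel's bridge netfilter code is loaded.

```shell
#!/bin/sh
# Added example (not from the thread): audit the bridge-nf sysctl settings
# that decide whether bridged frames are passed through the host's
# iptables/ip6tables/arptables FORWARD chains.

# Print the value of sysctl key $2 from file $1, or "missing" when absent.
# Comment lines and lines without "=" are ignored; whitespace is trimmed.
bridge_nf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || !/=/ { next }
        {
            n = index($0, "=")
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (k == key) found = v
        }
        END { print (found == "" ? "missing" : found) }
    ' "$1"
}

# One line per table describing what happens to bridged frames.
bridge_filter_report() {
    for t in iptables ip6tables arptables; do
        v=$(bridge_nf_value "$1" "net.bridge.bridge-nf-call-$t")
        case "$v" in
            0) echo "$t: bridged frames skip the host FORWARD chain" ;;
            1) echo "$t: bridged frames traverse the host FORWARD chain" ;;
            *) echo "$t: not set in file (kernel default applies)" ;;
        esac
    done
    # Packets addressed to or sent from the host's own IP on br0 are not
    # bridged between ports; they are routed, so INPUT/OUTPUT still apply.
    echo "host-local traffic on br0: INPUT/OUTPUT still apply"
}

# Number of the three tables disabled for bridged traffic (0..3).
bridge_nf_disabled_count() {
    n=0
    for t in iptables ip6tables arptables; do
        [ "$(bridge_nf_value "$1" "net.bridge.bridge-nf-call-$t")" = 0 ] && n=$((n + 1))
    done
    echo "$n"
}

# Live check on a running host. The files exist only when the bridge
# netfilter code is loaded; on a bare sandbox this prints nothing.
live_bridge_nf_status() {
    for f in /proc/sys/net/bridge/bridge-nf-call-*; do
        [ -r "$f" ] && echo "$(basename "$f") = $(cat "$f")"
    done
    return 0
}

# Constructed sample reproducing the three settings quoted in the thread.
SAMPLE_SYSCTL=$(mktemp)
cat > "$SAMPLE_SYSCTL" <<'EOF'
# constructed sample sysctl.conf fragment
net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
EOF

bridge_filter_report "$SAMPLE_SYSCTL"
echo "tables disabled for bridged frames: $(bridge_nf_disabled_count "$SAMPLE_SYSCTL")"
live_bridge_nf_status
```

Run it against a real /etc/sysctl.conf by replacing the constructed sample path; `live_bridge_nf_status` shows the values the kernel is actually using, which is what matters when the file and the running system disagree.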