[Libvir] Virtual network iptables rules

Richard W.M. Jones rjones at redhat.com
Thu Apr 5 10:38:42 UTC 2007


Daniel P. Berrange wrote:
[...]

> Scenario 2: Virtual network
> ===========================
> 
>   net.bridge.bridge-nf-call-iptables = 1

As far as I could tell, this case is exactly the same as scenario 1, 
except PHYSIN is available.

> Type 1: Isolated virtual network
> --------------------------------
> 
> Chain POSTROUTING (policy ACCEPT 273 packets, 26341 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain FORWARD (policy ACCEPT 29 packets, 2244 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 REJECT     all  --  *      vnet2   0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
>     0     0 REJECT     all  --  vnet2  *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

So the thinking here is that FORWARD will only apply to packets from 
DomU to the internet.  Since this is an isolated network, all packets 
trying to go out should be rejected.  I'm a bit confused as to what 
"vnet2" is here.  It seems that any traffic to/from virbr0 should be 
rejected.

The rules above seem like they might match the DomU <-> DomU case 
(wouldn't these go through the FORWARD chain also?)  If DomUs should be 
allowed to talk to each other (and that in itself is a policy decision) 
then perhaps adding a rule to allow when in = virbr0 & out = virbr0?

> Chain INPUT (policy ACCEPT 76724 packets, 366M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     udp  --  vnet2  *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
>     0     0 ACCEPT     tcp  --  vnet2  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
>     0     0 ACCEPT     udp  --  vnet2  *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
>     0     0 ACCEPT     tcp  --  vnet2  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67

So we have ACCEPT rules on a chain whose default policy is ACCEPT?  Is 
there a later catch-all REJECT rule which I'm not seeing?

> Type 2: Forwarding to a specific NIC only
> -----------------------------------------
> 
> Chain POSTROUTING (policy ACCEPT 273 packets, 26341 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 MASQUERADE  all  --  *      eth1    192.168.200.0/24     0.0.0.0/0

Seems OK.

> Chain FORWARD (policy ACCEPT 29 packets, 2244 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  eth1   vnet3   0.0.0.0/0            192.168.200.0/24    state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  vnet3  eth1    192.168.200.0/24     0.0.0.0/0
>     0     0 REJECT     all  --  *      vnet3   0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
>     0     0 REJECT     all  --  vnet3  *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Seems OK, except for the DomU <-> DomU case as above.

> Chain INPUT (policy ACCEPT 76724 packets, 366M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     udp  --  vnet3  *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
>     0     0 ACCEPT     tcp  --  vnet3  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
>     0     0 ACCEPT     udp  --  vnet3  *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
>     0     0 ACCEPT     tcp  --  vnet3  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67

Again I don't understand ACCEPT rules on a chain with default policy ACCEPT.

> Type 3: Forwarding to any active NIC
> ------------------------------------

Same comments as for the type 2 case above.

> Hopefully at least one person has read this far through the email and still
> understands what is going on....

To some extent ...

Rich.

-- 
Emerging Technologies, Red Hat  http://et.redhat.com/~rjones/
64 Baker Street, London, W1U 7DF     Mobile: +44 7866 314 421

Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod
Street, Windsor, Berkshire, SL4 1TE, United Kingdom.
Registered in England and Wales under Company Registration No. 3798903
Directors: Michael Cunningham (USA), Charlie Peters (USA) and David
Owens (Ireland)
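An added illustration, not part of Rich's message, of libvirt's code, or of Dan's proposal: a small first-match simulator for the FORWARD and INPUT rule sets quoted above. It replays the traffic cases the thread discusses (guest to internet, reply and unsolicited traffic from the internet, guest to guest) and Rich's suggested "allow in = virbr0 & out = virbr0" rule. Because the thread leaves open which interface name iptables reports for guest-side traffic, the simulator is run once with the `vnetN` names from the quoted rules and once with `virbr0`; both naming choices, the addresses in the sample packets (other than the quoted 192.168.200.0/24), and the `GUEST_TO_GUEST_ALLOW` rule are assumptions for the example.

```python
"""Simulate iptables first-match evaluation over the rule sets quoted in
the thread. Constructed example: the rule contents come from the quoted
output, the packets and interface-name variants are assumptions."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    """One iptables rule, reduced to the match fields seen in the thread."""
    target: str                      # ACCEPT or REJECT (DROP also valid)
    in_if: str = "*"                 # '*' = any input interface
    out_if: str = "*"                # '*' = any output interface
    src: str = ANY
    dst: str = ANY
    proto: str = "all"               # 'all', 'tcp' or 'udp'
    dport: Optional[int] = None      # destination port, None = any
    state: frozenset = frozenset()   # conntrack states; empty = any

    def matches(self, pkt: dict) -> bool:
        return (
            self.in_if in ("*", pkt["in"])
            and self.out_if in ("*", pkt["out"])
            and ip_address(pkt["src"]) in ip_network(self.src)
            and ip_address(pkt["dst"]) in ip_network(self.dst)
            and self.proto in ("all", pkt["proto"])
            and (self.dport is None or self.dport == pkt["dport"])
            and (not self.state or pkt["state"] in self.state)
        )


def evaluate(chain, pkt, policy="ACCEPT"):
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


def packet(in_if, out_if, src, dst, state="NEW", proto="tcp", dport=80):
    return {"in": in_if, "out": out_if, "src": src, "dst": dst,
            "state": state, "proto": proto, "dport": dport}


# Type 1 (isolated network) FORWARD chain, as quoted.
TYPE1_FORWARD = [Rule("REJECT", out_if="vnet2"), Rule("REJECT", in_if="vnet2")]

# Type 2 (forward to eth1 only) FORWARD chain, as quoted.
TYPE2_FORWARD = [
    Rule("ACCEPT", in_if="eth1", out_if="vnet3", dst="192.168.200.0/24",
         state=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("ACCEPT", in_if="vnet3", out_if="eth1", src="192.168.200.0/24"),
    Rule("REJECT", out_if="vnet3"),
    Rule("REJECT", in_if="vnet3"),
]

# Type 1 INPUT chain, as quoted (DNS and DHCP from the guest side).
TYPE1_INPUT = [Rule("ACCEPT", in_if="vnet2", proto=p, dport=d)
               for d in (53, 67) for p in ("udp", "tcp")]

# Rich's suggested guest<->guest rule (assumed form, not on the page as code).
GUEST_TO_GUEST_ALLOW = Rule("ACCEPT", in_if="virbr0", out_if="virbr0")


def forward_verdicts(chain, guest_if):
    """Verdicts for the thread's traffic cases; guest_if is the interface
    name iptables is assumed to report for guest-side traffic."""
    cases = {
        "guest->internet": packet(guest_if, "eth1", "192.168.200.10", "203.0.113.1"),
        "internet->guest (reply)": packet("eth1", guest_if, "203.0.113.1",
                                          "192.168.200.10", state="ESTABLISHED"),
        "internet->guest (new)": packet("eth1", guest_if, "203.0.113.1", "192.168.200.10"),
        "guest->guest": packet(guest_if, guest_if, "192.168.200.10", "192.168.200.11"),
    }
    return {name: evaluate(chain, p) for name, p in cases.items()}


def input_rules_change_anything(chain, policy="ACCEPT"):
    """True if any sample packet gets a different verdict with the ACCEPT
    rules present than it would under the bare chain policy."""
    samples = [
        packet("vnet2", "", "192.168.200.10", "192.168.200.1", proto="udp", dport=53),
        packet("vnet2", "", "0.0.0.0", "255.255.255.255", proto="udp", dport=67),
        packet("vnet2", "", "192.168.200.10", "192.168.200.1", proto="tcp", dport=22),
        packet("eth1", "", "203.0.113.1", "192.168.200.1", proto="udp", dport=53),
    ]
    return any(evaluate(chain, p, policy) != evaluate([], p, policy) for p in samples)


if __name__ == "__main__":
    for name, chain in (("type1", TYPE1_FORWARD), ("type2", TYPE2_FORWARD)):
        for guest_if in ("vnet2" if name == "type1" else "vnet3", "virbr0"):
            print(name, guest_if, forward_verdicts(chain, guest_if))
    print("type2 + guest<->guest allow:",
          forward_verdicts([GUEST_TO_GUEST_ALLOW] + TYPE2_FORWARD, "virbr0"))
    print("INPUT rules matter with policy ACCEPT:", input_rules_change_anything(TYPE1_INPUT))
    print("INPUT rules matter with policy DROP:", input_rules_change_anything(TYPE1_INPUT, "DROP"))
```

Two things the run makes visible: the quoted REJECT rules only bite if the packet really carries the `vnetN` name on the side they match (with `virbr0` they fall through to the ACCEPT policy, which is why the "what is vnet2 here" question matters), and the INPUT ACCEPT rules change no verdict while the chain policy is ACCEPT; they only start to matter once the policy is DROP.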