[libvirt] default networking issues

Daniel P. Berrange berrange at redhat.com
Thu Jul 31 08:55:02 UTC 2008

On Wed, Jul 30, 2008 at 03:44:33PM -0400, Bryan Kearney wrote:
> I think this is the voodoo.
> 1) Add the following lines to /etc/sysconfig/iptables in the OUTPUT 
> chain of the *filter table:

No, no, no no.

> --insert FORWARD --destination 
> --out-interface virbr0 --match state --state ESTABLISHED,RELATED --jump 
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> 2) Restart iptables

Don't do this.

> 3) Restart libvirtd

Don't do this.

> By doing (1), future reboots seem to work. But not doing (3) causes it 
> to appear not to work. Do any of the virt tools do (1) magically for you?

The libvirt default networking capability will automatically set up the
correct iptables rules to allow outbound NAT based connectivity for guest
VMs. If this wasn't working there are two likely causes:

 - You ran 'service iptables stop' which blew away the rules libvirt created
 - The 'net.ipv4.ip_forward' sysctl has been reset to 0

For the first problem you can do 'service libvirt reload' and it'll 
re-create its iptables rules. For the second problem edit /etc/sysctl.conf
to make sure it's set to '1' and reload the sysctl settings.

|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
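A quick check for the two causes named in the reply above (flushed iptables rules, ip_forward reset to 0), added here as an example and not part of the thread. It assumes virbr0 as the default bridge and works on constructed `iptables -S FORWARD` output so it runs offline; on a live host you would feed it the real outputs as shown at the bottom.

```shell
#!/bin/sh
# Added example, not from the original thread: diagnose the two reasons
# libvirt default networking stops working, using captured text as input.

# Constructed sample: FORWARD chain of a host whose libvirt rules are intact.
SAMPLE_FORWARD_OK='-P FORWARD ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable'

# Constructed sample: the same chain after "service iptables stop" flushed it.
SAMPLE_FORWARD_FLUSHED='-P FORWARD ACCEPT'

# diagnose IP_FORWARD_VALUE FORWARD_RULES [BRIDGE]
# Prints one remedy line per detected problem; return code is the problem count.
diagnose() {
    ipfwd=$1
    rules=$2
    bridge=${3:-virbr0}   # assumption: libvirt's default bridge name
    problems=0
    if [ "$ipfwd" != "1" ]; then
        echo "net.ipv4.ip_forward is '$ipfwd': set it to 1 in /etc/sysctl.conf and reload sysctl"
        problems=$((problems + 1))
    fi
    # libvirt's rules match traffic entering the bridge; none present means they were flushed.
    if ! printf '%s\n' "$rules" | grep -q -- "-i $bridge"; then
        echo "no FORWARD rules for $bridge: iptables was probably stopped; reload libvirtd to re-create them"
        problems=$((problems + 1))
    fi
    return $problems
}

# Stand-alone run against the constructed samples.
diagnose 1 "$SAMPLE_FORWARD_OK" || echo "$? problem(s) found"        # prints nothing
diagnose 0 "$SAMPLE_FORWARD_FLUSHED" || echo "$? problem(s) found"   # two remedies
# Live host (as root):
# diagnose "$(sysctl -n net.ipv4.ip_forward)" "$(iptables -S FORWARD)"
```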
