[Libvir] iptables masquerade rule overexpansive

Daniel P. Berrange berrange at redhat.com
Thu Mar 27 19:21:39 UTC 2008 

On Thu, Mar 27, 2008 at 01:23:25PM -0500, Charles Duffy wrote:
> On my system, libvirt-0.4.0-2ubuntu6 added the following rule to allow 
> my virtual hosts NATted access to the outside world:
> 
> >Chain POSTROUTING (policy ACCEPT 33904 packets, 2146K bytes)
> > pkts bytes target     prot opt in     out     source               
> > destination
> >  779  102K MASQUERADE  all  --  *      *       192.168.65.0/24      
> >  0.0.0.0/0
> 
> This resulted in *all* traffic being masqueraded, even between two 
> different VMs -- preventing hostbased authentication between these VMs. 
> To temporarily resolve this, I added an additional rule, as follows:
> 
> >Chain POSTROUTING (policy ACCEPT 34049 packets, 2160K bytes)
> > pkts bytes target     prot opt in     out     source               
> > destination
> >  156  9752 ACCEPT     all  --  *      *       192.168.65.0/24      
> >  192.168.65.0/24
> >  865  109K MASQUERADE  all  --  *      *       192.168.65.0/24      
> >  0.0.0.0/0
> 
> The network definition being used was as follows:
> 
> ><network>
> >  <name>default</name>
> >  <uuid>a7c5b18c-9d38-40ed-9b12-8b1a27013b85</uuid>
> >  <bridge name="virbr%d" />
> >  <forward/>
> >  <ip address="192.168.65.253" netmask="255.255.255.0"/>
> ></network>
> 
> I'm frankly unclear on why the packets attempted to forward through .253 
> in any event -- the routing tables on both VMs refer to 192.168.65.0/24 
> as part of the local network, so my expectation is that no attempt to 
> route through the default gateway should have occurred.

This is probably a result of the sysctl settings in the host. I imagine
you have

  net.bridge.bridge-nf-call-iptables = 1

which will cause bridged traffic to be passed into iptables even though
it is doing link layer bridging which would ordinarily only hit the
ebtables filters. 

> In any event, having libvirt extend the MASQUERADE rule to avoid 
> impacting traffic between hosts on the virtual network -- or adding a 
> paired ACCEPT, as I did above -- would probably be a Good Thing.

Instead of having the separate ACCEPT rule I think it would be sufficient
to replace  the 0.0.0.0/0 target with  ! 192.168.65.0/24, eg

iptables -t nat -A POSTROUTING
                --source 192.168.65.0/24 
                --destination ! 192.168.65.0/24
                -j MASQUERADE

so it will masquerade traffic which is leaving the ip range of the virtual
network only, and leave ip traffic between the VMs & VM<->host alone.

Dan.
-- 
|: Red Hat, Engineering, Boston   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

More information about the libvir-list mailing list