[Libvir] [PATCH] Re: iptables masquerade rule overexpansive

Daniel P. Berrange berrange at redhat.com
Thu Mar 27 20:48:15 UTC 2008


On Thu, Mar 27, 2008 at 03:35:54PM -0500, Charles Duffy wrote:
> Daniel P. Berrange wrote:
> >Instead of having the separate ACCEPT rule I think it would be sufficient
> >to replace  the 0.0.0.0/0 target with  ! 192.168.65.0/24, eg
> >
> >iptables -t nat -A POSTROUTING
> >                --source 192.168.65.0/24 
> >                --destination ! 192.168.65.0/24
> >                -j MASQUERADE
> >
> >so it will masquerade traffic which is leaving the ip range of the virtual
> >network only, and leave ip traffic between the VMs & VM<->host alone.
> 
> I considered that -- but while it will work as long as the default 
> forward rule is ACCEPT, it could result in hosts being unable to 
> communicate with each other if the default rule for the table is otherwise.

The default rule shouldn't come into play, because we add explicit rules
to allow direct guest<->guest  and guest<->host traffic already

    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0           
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0           

Regards,
Dan.
-- 
|: Red Hat, Engineering, Boston   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
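To make the two points in the exchange above concrete (masquerading only traffic that leaves the virtual network, and explicit FORWARD accepts so the chain policy is irrelevant), here is an added shell example. It is not libvirt's code or the patch under discussion; the bridge name and subnet are parameters, the function name `virtnet_rules` is invented, and the modern `! -d` negation form is used in place of the older `--destination !` syntax shown in the quoted command. It prints the commands rather than running them, so the ruleset can be reviewed before being piped to `sh` as root.

```shell
#!/bin/sh
# Added example, not libvirt's own code. Emits the iptables rules for a
# NAT'd virtual network such that:
#   - only packets whose destination is OUTSIDE the subnet are masqueraded
#     (guest<->guest and guest<->host traffic keeps its real source address)
#   - guest traffic is explicitly ACCEPTed in FORWARD, so the chain's
#     default policy (ACCEPT or DROP) does not affect it
# Assumed parameters: $1 = bridge name, $2 = subnet in CIDR notation.

# The over-expansive form discussed in the thread, kept for comparison only:
# it masquerades *everything* from the subnet, including intra-subnet traffic.
overexpansive_masq_rule() {
    net="$1"
    echo "iptables -t nat -A POSTROUTING -s $net -j MASQUERADE"
}

virtnet_rules() {
    br="$1"      # e.g. virbr0
    net="$2"     # e.g. 192.168.122.0/24

    # nat/POSTROUTING: masquerade only when leaving the virtual network.
    # '! -d' negates the destination match (modern placement of '!').
    echo "iptables -t nat -A POSTROUTING -s $net ! -d $net -j MASQUERADE"

    # filter/FORWARD: the explicit accepts for guest traffic. Replies coming
    # back towards the guests, anything the guests send out, and bridge-local
    # (guest<->guest) traffic are all accepted regardless of chain policy.
    echo "iptables -A FORWARD -o $br -d $net -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -i $br -s $net -j ACCEPT"
    echo "iptables -A FORWARD -i $br -o $br -j ACCEPT"
}

# Review check: returns 0 only if the generated NAT rule carries the negated
# destination match, i.e. intra-subnet traffic will not be masqueraded.
masq_excludes_subnet() {
    virtnet_rules "$1" "$2" | grep -q -- "POSTROUTING -s $2 ! -d $2 -j MASQUERADE"
}

# Usage: print the ruleset for the default libvirt bridge and subnet.
virtnet_rules virbr0 192.168.122.0/24
```

Run it with no arguments to see the four commands for `virbr0`/`192.168.122.0/24`; pass a different bridge and subnet to `virtnet_rules` for another network. The `masq_excludes_subnet` helper is the kind of check worth keeping in a test: it fails if someone later drops the `! -d` match and reintroduces the over-expansive rule.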