[libvirt] iptables and libvirt
Thomas Woerner
twoerner at redhat.com
Tue Feb 24 13:43:20 UTC 2009
Ulrich Dangel wrote:
> On Friday 13 February 2009 19:21:10 Thomas Woerner wrote:
> Hi,
>
> I just got the same idea, so here are some thoughts.
>
>> Some Questions:
>> 3) What do you want to do with user-customized firewalls?
>
> I want to do port forwarding for a NAT network for statically configured IP
> addresses.
>
> A solution could be:
> <network>
> <name>sample</name>
> <forward dev='eth0' mode='nat'/>
> <bridge name='intbr0' stp='on' forwardDelay='0' />
> <ip address='192.168.122.1' netmask='255.255.255.0'>
> <dhcp>
> <range start='192.168.122.2' end='192.168.122.254' />
> <host mac='AA:BB:CC:DD:EE:FF' ip='192.168.122.102'>
> <port proto='tcp' destip='EXT_IP' dport='80' />
> <port proto='tcp' destip='EXT_IP' dport='2202' mapped_port='22' />
> </host>
> </dhcp>
> </ip>
> </network>
>
> The first mapping could be translated into something like
> iptables -A FORWARD -i intbr0 -p tcp -d 192.168.122.102 --dport 80 \
> -m state --state NEW -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp -d EXT_IP --dport 80 -j DNAT \
> --to-destination 192.168.122.102
>
> second one would be
>
> iptables -A FORWARD -i intbr0 -p tcp -d 192.168.122.102 --dport 22 \
> -m state --state NEW -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp -d EXT_IP --dport 2202 -j DNAT \
> --to-destination 192.168.122.102:22
>
> Hope this makes it a little bit clearer what I want to do with user-customized
> firewalls.
>
What is EXT_IP here?
These forward rules are exactly what
"lokkit --forward-port=if=<interface>:port=<port>:proto=<protocol>[:toport=<destination port>][:toaddr=<destination address>]"
is already doing. The configuration is written to
/etc/sysconfig/system-config-firewall and /etc/sysconfig/iptables.
> Uli
>
Thomas
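The translation Ulrich sketches above, XML `<port>` elements to DNAT plus FORWARD rules, as an added example that is not part of this thread or of libvirt's own network driver. It assumes EXT_IP is the address held by the `<forward dev=...>` interface (the constructed sample substitutes 203.0.113.10 for it), matches the DNAT on that address as the packet's destination (`-d`) and on the external device (`-i eth0`), and writes the FORWARD rule for the post-DNAT packet, which enters FORWARD from the external device and leaves on the bridge (`-i eth0 -o intbr0`). It also checks that each forwarded guest address actually lies in the network's subnet and that ports and protocols are sane before any rule is emitted, since these values come straight from user-editable XML and end up on a root-run command line.

```python
"""Translate <port> elements in a libvirt-style NAT network XML into iptables rules.

Added example; the XML schema (port/destip/dport/mapped_port) is the proposal
from the thread, not a libvirt feature. Rules are returned as strings so a
caller can review them before running them as root.
"""
import ipaddress
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: the proposed XML with EXT_IP replaced by an assumed
# external address (assumption: EXT_IP is the address of the forward device).
SAMPLE_XML = """<network>
  <name>sample</name>
  <forward dev='eth0' mode='nat'/>
  <bridge name='intbr0' stp='on' forwardDelay='0' />
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254' />
      <host mac='AA:BB:CC:DD:EE:FF' ip='192.168.122.102'>
        <port proto='tcp' destip='203.0.113.10' dport='80' />
        <port proto='tcp' destip='203.0.113.10' dport='2202' mapped_port='22' />
      </host>
    </dhcp>
  </ip>
</network>
"""


def _port(value) -> int:
    port = int(value)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {value}")
    return port


def port_forward_rules(network_xml: str) -> List[str]:
    """Return iptables command lines for every <port> under <ip><dhcp><host>."""
    root = ET.fromstring(network_xml)
    forward = root.find("forward")
    if forward is None or forward.get("mode") != "nat" or not forward.get("dev"):
        raise ValueError("port forwarding needs <forward dev='...' mode='nat'/>")
    ext_dev = forward.get("dev")
    bridge = root.find("bridge").get("name")

    ip_el = root.find("ip")
    subnet = ipaddress.ip_network(
        f"{ip_el.get('address')}/{ip_el.get('netmask')}", strict=False)

    rules: List[str] = []
    for host in root.iterfind("ip/dhcp/host"):
        guest_ip = ipaddress.ip_address(host.get("ip"))
        if guest_ip not in subnet:
            raise ValueError(f"host {guest_ip} is not in network {subnet}")
        for port in host.iterfind("port"):
            proto = port.get("proto")
            if proto not in ("tcp", "udp"):
                raise ValueError(f"unsupported proto: {proto}")
            ext_ip = ipaddress.ip_address(port.get("destip"))  # rejects "EXT_IP"
            dport = _port(port.get("dport"))
            mapped = _port(port.get("mapped_port", dport))

            # Rewrite the destination of new connections arriving on the
            # external device for the external address.
            rules.append(
                f"iptables -t nat -A PREROUTING -i {ext_dev} -p {proto} -d {ext_ip} "
                f"--dport {dport} -j DNAT --to-destination {guest_ip}:{mapped}")
            # After DNAT the packet is forwarded from the external device onto
            # the bridge with the guest address and mapped port; return traffic
            # is covered by the RELATED,ESTABLISHED rule a NAT network already has.
            rules.append(
                f"iptables -A FORWARD -i {ext_dev} -o {bridge} -p {proto} -d {guest_ip} "
                f"--dport {mapped} -m state --state NEW -j ACCEPT")
    return rules


if __name__ == "__main__":
    for rule in port_forward_rules(SAMPLE_XML):
        print(rule)
```

The two `-m state --state NEW` rules are the only forwarding holes opened; everything else on the bridge keeps whatever policy the network already has, and the script refuses to emit anything for a guest address outside the network's own subnet or for a `destip` that is still the literal EXT_IP placeholder.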