[libvirt-users] Libvirt and iptables rule order

Brian Pitts bdp at uga.edu
Fri Aug 20 16:35:26 UTC 2010


Hi,

On RHEL 5.5, I set up iptables rules for forwarding ports to some of my
virtual machines. For example:

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 3380 \
    -j DNAT --to-destination 192.168.123.2:3389
iptables -I FORWARD -d 192.168.123.2 -i eth0 -p tcp -m tcp --dport 3389 \
    -m state --state NEW -j ACCEPT

These worked fine, and I saved them with 'service iptables save'.

However, upon rebooting the server the forwarding no longer works. When
I inspect the configuration with 'iptables -L', I see that the rules
libvirt creates were inserted before the rules from
/etc/sysconfig/iptables. Since the rules from libvirt include one that
rejects any new connections, the data I want forwarded is dropped. For
example,

target  prot opt in     out    source            destination
ACCEPT  all  --  any    virbr1 anywhere          192.168.123.0/24  state RELATED,ESTABLISHED
ACCEPT  all  --  virbr1 any    192.168.123.0/24  anywhere
ACCEPT  all  --  virbr1 virbr1 anywhere          anywhere
REJECT  all  --  any    virbr1 anywhere          anywhere          reject-with icmp-port-unreachable
REJECT  all  --  virbr1 any    anywhere          anywhere          reject-with icmp-port-unreachable
ACCEPT  tcp  --  eth0   any    anywhere          192.168.123.2     tcp dpt:ms-wbt-server state NEW

How should I configure iptables so that my rules and libvirt's play
nicely? Basically I need my ACCEPTs to end up before libvirt's REJECTs.
I looked through the list archives and libvirt documentation but did not
see an answer to this question.

-- 
Brian Pitts
Systems Administrator | EuPathDB Bioinformatics Resource Center
706-542-1447 | bdp at uga.edu | http://eupathdb.org
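The ordering problem in the post comes from boot sequencing: the iptables service restores /etc/sysconfig/iptables early, and libvirtd then inserts its own FORWARD rules (including the two REJECTs) at the top of the chain with -I when it starts. Any ACCEPT that has to beat those REJECTs therefore has to be inserted after libvirtd is up, at position 1. The script below is an added example, not code from the original post or from the libvirt project. It contains a check that parses `iptables -L FORWARD -n --line-numbers` output (column layout num/target/prot/opt/source/destination is assumed) and reports whether the ACCEPT for the guest sits above the first REJECT, plus a function that emits or applies the forwarding rules with `-I FORWARD 1`. The listing samples are constructed to mirror the post; the guest address and ports are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post or from libvirt): verify FORWARD
# rule order and (re)insert the guest ACCEPT ahead of libvirt's REJECTs.
# Assumptions: output format of 'iptables -L FORWARD -n --line-numbers'
# (num target prot opt source destination ...), and that the apply step is
# run after libvirtd has started, e.g. from /etc/rc.d/rc.local on RHEL 5,
# which runs once per boot after the other init scripts.

GUEST_IP=192.168.123.2   # from the post
GUEST_PORT=3389
PUBLIC_PORT=3380
WAN_IF=eth0

# Constructed sample: the chain as it looked after reboot in the post
# (libvirt's rules first, the admin's ACCEPT restored last, -n output).
SAMPLE_BAD='Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            192.168.123.0/24     state RELATED,ESTABLISHED
2    ACCEPT     all  --  192.168.123.0/24     0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
6    ACCEPT     tcp  --  0.0.0.0/0            192.168.123.2        tcp dpt:3389 state NEW'

# Constructed sample: the order we want, ACCEPT inserted at position 1.
SAMPLE_GOOD='Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            192.168.123.2        tcp dpt:3389 state NEW
2    ACCEPT     all  --  0.0.0.0/0            192.168.123.0/24     state RELATED,ESTABLISHED
3    ACCEPT     all  --  192.168.123.0/24     0.0.0.0/0
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
6    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable'

# forward_order_ok GUEST_IP GUEST_PORT  < listing
# Exit 0 when the first ACCEPT for GUEST_IP:GUEST_PORT has a lower rule
# number than the first REJECT (or no REJECT exists); exit 1 otherwise.
# Use -n on the listing, otherwise ports show up as service names.
forward_order_ok() {
    awk -v dst="$1" -v port="$2" '
        $2 == "REJECT" && !rej { rej = $1 + 0 }
        $2 == "ACCEPT" && $6 == dst && index($0, "dpt:" port) && !acc { acc = $1 + 0 }
        END { if (acc && (!rej || acc < rej)) exit 0; exit 1 }'
}

# forward_rules: print the two rules. "-I FORWARD 1" puts the ACCEPT at the
# top of the chain no matter what libvirt has already inserted there.
forward_rules() {
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -m tcp --dport $PUBLIC_PORT -j DNAT --to-destination $GUEST_IP:$GUEST_PORT"
    echo "iptables -I FORWARD 1 -d $GUEST_IP -i $WAN_IF -p tcp -m tcp --dport $GUEST_PORT -m state --state NEW -j ACCEPT"
}

# apply_forward_rules: run the rules (needs root). With DRY_RUN=1 only print.
apply_forward_rules() {
    forward_rules | while read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            sh -c "$cmd"
        fi
    done
}

# Stand-alone usage: check the constructed listings, then show the commands.
if echo "$SAMPLE_BAD" | forward_order_ok "$GUEST_IP" "$GUEST_PORT"; then
    echo "SAMPLE_BAD: order ok (unexpected)"
else
    echo "SAMPLE_BAD: ACCEPT is below libvirt's REJECT, forwarding will fail"
fi
if echo "$SAMPLE_GOOD" | forward_order_ok "$GUEST_IP" "$GUEST_PORT"; then
    echo "SAMPLE_GOOD: ACCEPT precedes REJECT"
fi
DRY_RUN=1 apply_forward_rules
```

To check a live host, pipe the real listing in: `iptables -L FORWARD -n --line-numbers | forward_order_ok 192.168.123.2 3389`. Running the apply step from rc.local (or any hook that fires after libvirtd, such as /etc/libvirt/hooks/qemu on libvirt releases that support hook scripts) avoids depending on the saved rule order at all; it also means the rules are not duplicated, since rc.local runs once per boot. The DNAT rule can stay in /etc/sysconfig/iptables, since libvirt's nat-table rules do not reject anything; only the FORWARD ACCEPT needs the late insert.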