[libvirt-users] Disabling iptables on bridge breaks port forwarding for NAT

Brian Pitts bdp at uga.edu
Thu Sep 9 22:02:40 UTC 2010


Hi,

Following the directions for setting up bridged networking in the red
hat virtualization guide and libvirt wiki, I set the following kernel
parameters to 0 on a RHEL 5.5 server.

net.bridge.bridge-nf-call-ip6tables
net.bridge.bridge-nf-call-iptables
net.bridge.bridge-nf-call-arptables

Unfortunately, doing this broke the port forwarding I'd set up for VMs
on my NAT networks, e.g.

iptables -I FORWARD -d 192.168.122.2 -i eth0 -p tcp -m tcp --dport 80 \
    -m state --state NEW -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT \
    --to-destination 192.168.122.2:80

Before I run sysctl to change those values, nmap shows port 8080 as
open. Afterwards, nmap shows it as filtered. Using sysctl to set those
values to 1 did not undo the change, the port still showed as filtered.
I had to reboot to open the port again.

Creating an iptables rule to accept traffic on bridged devices, i.e.

iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT

did not cause this problem. I am wondering if breaking the FORWARD
and PREROUTING rules I set up to do port forwarding is to be expected
when those net.bridge parameters are set to 1. If so, I think this
should be mentioned in the libvirt wiki and red hat documentation. It
can't be that uncommon for a single server to host guests with a mix of
bridged and NAT networking.

-- 
Brian Pitts
Systems Administrator | EuPathDB Bioinformatics Resource Center
706-542-1447 | bdp at uga.edu | http://eupathdb.org
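An added example, not part of Brian's post: a small POSIX-sh audit that flags the combination he describes, bridge-nf-call-iptables set to 0 on a host that still carries DNAT port forwards into a NAT network. It takes sysctl and iptables-save output as text (constructed samples inline); the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Functions take sysctl and
# iptables-save output as text, so they run on captured files or live output.

# Print "bypass" when bridged frames skip iptables (value 0), "filtered"
# when they traverse it (value 1), "unknown" if the key is absent.
classify_bridge_nf() {
    v=$(printf '%s\n' "$1" | sed -n 's/^net\.bridge\.bridge-nf-call-iptables *= *//p')
    case "$v" in
        0) echo bypass ;;
        1) echo filtered ;;
        *) echo unknown ;;
    esac
}

# Count PREROUTING DNAT rules in iptables-save output, i.e. port forwards
# into the guests (libvirt's default NAT network is 192.168.122.0/24).
count_nat_forwards() {
    printf '%s\n' "$1" | grep -c -- '-A PREROUTING .*-j DNAT' || true
}

# Exit 0 when consistent, 1 when bridge-nf-call-iptables is 0 and DNAT
# forwards exist: the setup the post reports as showing "filtered" in nmap.
audit_port_forwarding() {
    mode=$(classify_bridge_nf "$1")
    nat=$(count_nat_forwards "$2")
    if [ "$mode" = bypass ] && [ "$nat" -gt 0 ]; then
        echo "WARNING: bridge-nf-call-iptables=0 with $nat DNAT forward(s); re-check the forwarded ports from outside"
        return 1
    fi
    echo "ok: bridge-nf mode=$mode, DNAT forwards=$nat"
}

# Constructed sample inputs (not captured from a real host), mirroring the post.
SAMPLE_SYSCTL='net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0'
SAMPLE_RULES='*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.122.2:80
COMMIT
*filter
-A FORWARD -d 192.168.122.2/32 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT'

# Demo on the samples; on a live host use:
#   audit_port_forwarding "$(sysctl net.bridge)" "$(iptables-save)"
audit_port_forwarding "$SAMPLE_SYSCTL" "$SAMPLE_RULES" || true
```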