[libvirt-users] libvirtd -- iptables

Kurian Thayil kurianmthayil at gmail.com
Fri Mar 18 09:51:15 UTC 2011


Hi All,

I created a couple of virtual networks (forward mode=nat) on my
rhel6-kvm box. I've come across 2 weird issues.

1. My iptables rule chainset contains repeated rules. The same rule gets
repeated block by block.
2. For connecting to guests using SSH, I created a custom iptables chain.
I want this chain to be on top of the FORWARD chain, but every time
libvirtd is restarted the rule ends up at the bottom of the chain (appended).

Can anyone suggest what the solution could be? My iptables rules are
given below. Let me know if any further info is needed.

[root@santiago Packages]# iptables -L -n -v
Chain INPUT (policy ACCEPT 41 packets, 5818 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
    0     0 ACCEPT     udp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
    0     0 ACCEPT     udp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
    0     0 ACCEPT     udp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
    0     0 ACCEPT     udp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
    0     0 ACCEPT     udp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
    0     0 ACCEPT     udp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
    0     0 ACCEPT     udp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
    0     0 ACCEPT     udp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
    0     0 ACCEPT     udp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      vbr0    0.0.0.0/0            10.10.0.0/24        state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  vbr0   *       10.10.0.0/24         0.0.0.0/0
    0     0 ACCEPT     all  --  vbr0   vbr0    0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      vbr0    0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      vbr1    0.0.0.0/0            10.10.1.0/24        state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  vbr1   *       10.10.1.0/24         0.0.0.0/0
    0     0 ACCEPT     all  --  vbr1   vbr1    0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      vbr1    0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
 5688  588K rhel-virt-forward-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      vbr0    0.0.0.0/0            10.10.0.0/24        state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  vbr0   *       10.10.0.0/24         0.0.0.0/0
    0     0 ACCEPT     all  --  vbr0   vbr0    0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      vbr0    0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      vbr1    0.0.0.0/0            10.10.1.0/24        state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  vbr1   *       10.10.1.0/24         0.0.0.0/0
    0     0 ACCEPT     all  --  vbr1   vbr1    0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      vbr1    0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      vbr0    0.0.0.0/0            10.10.0.0/24        state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  vbr0   *       10.10.0.0/24         0.0.0.0/0
    0     0 ACCEPT     all  --  vbr0   vbr0    0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      vbr0    0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      vbr1    0.0.0.0/0            10.10.1.0/24        state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  vbr1   *       10.10.1.0/24         0.0.0.0/0
    0     0 ACCEPT     all  --  vbr1   vbr1    0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      vbr1    0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      vbr0    0.0.0.0/0            10.10.0.0/24        state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  vbr0   *       10.10.0.0/24         0.0.0.0/0
    0     0 ACCEPT     all  --  vbr0   vbr0    0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      vbr0    0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      vbr1    0.0.0.0/0            10.10.1.0/24        state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  vbr1   *       10.10.1.0/24         0.0.0.0/0
    0     0 ACCEPT     all  --  vbr1   vbr1    0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      vbr1    0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      vbr0    0.0.0.0/0            10.10.0.0/24        state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  vbr0   *       10.10.0.0/24         0.0.0.0/0
    0     0 ACCEPT     all  --  vbr0   vbr0    0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      vbr0    0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  vbr0   *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      vbr1    0.0.0.0/0            10.10.1.0/24        state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  vbr1   *       10.10.1.0/24         0.0.0.0/0
    0     0 ACCEPT     all  --  vbr1   vbr1    0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      vbr1    0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  vbr1   *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged

Chain OUTPUT (policy ACCEPT 38 packets, 4234 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain rhel-virt-forward-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
   25  2100 ACCEPT     icmp --  eth0   vbr1    0.0.0.0/0            0.0.0.0/0
 3515  262K ACCEPT     tcp  --  eth0   vbr1    0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     icmp --  eth0   vbr0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth0   vbr0    0.0.0.0/0            0.0.0.0/0           tcp dpt:22


Details about my virtual network interfaces are given below:

[root@santiago Packages]# virsh net-list --all
Name                 State      Autostart
-----------------------------------------
vir0                 active     yes      
vir1                 active     yes

Thank you in advance.

Regards,
--Kurian.
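As an added example (not part of the original post), the POSIX shell audit below reads a FORWARD chain listing in `iptables -S FORWARD` format and flags the two symptoms described above: rules that appear more than once, and a custom chain jump (here `rhel-virt-forward-1`, the chain name from the post) that is not the first rule. The rule listing embedded in the script is a constructed sample modelled on the post's output; on a real host you would feed it `iptables -S FORWARD` instead.

```shell
#!/bin/sh
# Audit a FORWARD chain listing for duplicated rules and for the position of
# a custom chain jump. Constructed sample input, modelled on the post above.
SAMPLE_RULES='-P FORWARD ACCEPT
-A FORWARD -d 10.10.0.0/24 -o vbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.0.0/24 -i vbr0 -j ACCEPT
-A FORWARD -i vbr0 -o vbr0 -j ACCEPT
-A FORWARD -o vbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i vbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j rhel-virt-forward-1
-A FORWARD -d 10.10.0.0/24 -o vbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.0.0/24 -i vbr0 -j ACCEPT
-A FORWARD -i vbr0 -o vbr0 -j ACCEPT
-A FORWARD -o vbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i vbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT'

# Print every "-A" rule in listing $1 that occurs more than once (one line
# per distinct duplicated rule, without the uniq count).
duplicate_rules() {
    printf '%s\n' "$1" | grep '^-A ' | sort | uniq -c \
        | awk '$1 > 1 { $1 = ""; sub(/^ /, ""); print }'
}

# Print the 1-based position of the jump to chain $2 within listing $1,
# or 0 if the chain is never referenced.
jump_position() {
    printf '%s\n' "$1" | grep '^-A ' | awk -v chain="$2" '
        $0 ~ ("-j " chain "$") { print NR; found = 1; exit }
        END { if (!found) print 0 }'
}

# Succeed (exit 0) only when no rule is duplicated and the custom chain
# jump is rule #1, which is what the post wants after a libvirtd restart.
audit_forward() {
    dups=$(duplicate_rules "$1")
    pos=$(jump_position "$1" "$2")
    [ -z "$dups" ] && [ "$pos" -eq 1 ]
}

# Stand-alone run on the constructed sample.
echo "Duplicated rules:"
duplicate_rules "$SAMPLE_RULES"
echo "Jump to rhel-virt-forward-1 is rule #$(jump_position "$SAMPLE_RULES" rhel-virt-forward-1)"
if audit_forward "$SAMPLE_RULES" rhel-virt-forward-1; then
    echo "FORWARD chain is clean"
else
    echo "FORWARD chain needs attention"
fi
```

Replace `"$SAMPLE_RULES"` with `"$(iptables -S FORWARD)"` to audit a live host; the duplicated block should appear once per libvirtd restart.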