[libvirt-users] Modify Iptables Rules (virbr0 & virbr1)

Jorge Fábregas jorge.fabregas at gmail.com
Wed Jul 31 15:01:30 UTC 2013


Hi,

I have some guests running in the "default" network (virbr0) and I've
also created a similar (NAT) network (virbr1).  Therefore, the FORWARD
chain for the CentOS 6.4 host looks like this:

http://fpaste.org/29229/75281379/

...where lines 3-7 are related to virbr0 and 8-12 to virbr1.  My 2 questions:

1) I've noticed that I can ping from a guest within virbr0 to any guest
on the virbr1 network. However, I can't do the same from virbr1 (ping
guests on virbr0).  This is because of "line 6" on the pastebin, where
the traffic is REJECTED.

I originally thought that if I create multiple NAT networks (just like
the default virbr0) they would be able to talk to each other (the host
doing the actual forwarding) but as you can see, based on the iptables
rules that libvirt injects, this only happens for the first network.
That is, the first network can reach all other networks (just because it
happens to be the first one defined).  Is this the intention (only
default can talk to the others but not the other way around)?

2) I would like both networks to talk to each other. If I remove line #6
I can make virbr1 guests talk to virbr0 guests.  What is the correct
way to handle this?  I obviously don't want to perform "iptables -D
FORWARD line-number..." every time I start libvirt.  (I really like to
leave the networks as they are, NAT, dhcp running etc).

Thanks!
Jorge
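One way to handle question 2 without deleting libvirt's rule by hand, as an added example that is not code from the original post or from libvirt: a script that inserts ACCEPT rules for both directions at the head of the FORWARD chain, so they precede the per-network REJECT that libvirt adds. It assumes the bridge names virbr0 and virbr1, root privileges, that both networks are already up, and an iptables that supports `-S` (the `LIST_CMD` variable and the idempotency check are this example's own design).

```shell
#!/bin/sh
# Added example, not code from the original post or from libvirt.
# Let guests on two libvirt NAT bridges reach each other in both directions.
# libvirt adds, per network, "-i <bridge> -o <bridge> ACCEPT" followed by a
# REJECT for everything else, so a bridge defined later loses to the earlier
# bridge's REJECT. These ACCEPT rules are inserted at position 1 of FORWARD
# so they precede every libvirt rule regardless of definition order.
# Assumptions: run as root after both networks are up (libvirt re-inserts its
# rules when a network restarts, so rerun then), iptables with -S support.

# Listing command, overridable so the check can be exercised without root.
LIST_CMD=${LIST_CMD:-"iptables -S FORWARD"}

# Print the two rule specs (one per direction) for a pair of bridges.
forward_rule_specs() {
    printf '%s\n' "-i $1 -o $2 -j ACCEPT" "-i $2 -o $1 -j ACCEPT"
}

# Return 0 when the FORWARD chain already holds exactly this rule spec.
rule_present() {
    $LIST_CMD | grep -qxF -- "-A FORWARD $1"
}

# Insert each missing rule at the head of FORWARD (idempotent on rerun).
apply_forward_rules() {
    forward_rule_specs "$1" "$2" | while IFS= read -r spec; do
        if rule_present "$spec"; then
            echo "present:  $spec"
        else
            # $spec must word-split into separate iptables arguments.
            iptables -I FORWARD 1 $spec && echo "inserted: $spec"
        fi
    done
}

# Return 0 only if both directions are present, 1 otherwise.
check_forward_rules() {
    forward_rule_specs "$1" "$2" | while IFS= read -r spec; do
        rule_present "$spec" || exit 1
    done
}

main() {
    apply_forward_rules "$1" "$2"
    check_forward_rules "$1" "$2"
}

# Only act when invoked with two bridge names, e.g.: sh nat-forward.sh virbr0 virbr1
if [ $# -eq 2 ]; then main "$1" "$2"; fi
```

Because libvirt inserts its own rules at the top of FORWARD whenever a network starts, the script has to run again after a libvirtd or network restart (for example from a hook script) rather than once at boot.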
