[libvirt-users] nwfilter usage

Brian Rak brak at gameservers.com
Mon May 26 23:46:12 UTC 2014


Make sure you have:

/proc/sys/net/bridge/bridge-nf-call-iptables = 1

On 5/26/2014 1:35 PM, Matt LaPlante wrote:
> I'm trying to accomplish what I had hoped would be a fairly simple
> filtering of traffic to my VMs, but I'm hitting a snag.  The VMs are
> allowing traffic when I wouldn't expect them to.
>
> Host and Guest are both running the same platform:
> Ubuntu 12.04.4 LTS
> 0.9.8-2ubuntu17.19
>
> I have a basic bridge enabled on the host:
> brctl addbr brdg
> brctl addif brdg eth1
> ip link set brdg up
>
> The host has iptables support:
> root at host:~# lsmod | grep filt
> ip6table_filter        12815  0
> ip6_tables             27864  2 ip6table_filter,xt_TPROXY
> iptable_filter         12810  1
> ip_tables              27473  4
> iptable_raw,iptable_nat,iptable_mangle,iptable_filter
> x_tables               29891  52
> ebt_arp,ebt_ip,ip6table_filter,ebtables,xt_time,xt_connlimit,xt_realm,xt_addrtype,iptable_raw,xt_comment,xt_recent,xt_policy,ipt_ULOG,ipt_REJECT,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,ipt_ECN,ipt_ecn,ipt_CLUSTERIP,ipt_ah,xt_set,xt_TPROXY,ip6_tables,xt_tcpmss,xt_pkttype,xt_physdev,xt_owner,xt_NFQUEUE,xt_NFLOG,xt_multiport,xt_mark,xt_mac,xt_limit,xt_length,xt_iprange,xt_helper,xt_hashlimit,xt_DSCP,xt_dscp,xt_dccp,xt_conntrack,xt_connmark,xt_CLASSIFY,xt_AUDIT,ipt_LOG,xt_tcpudp,xt_state,iptable_nat,iptable_mangle,iptable_filter,ip_tables
>
> Guest network using bridge:
> <interface type='bridge'>
>    <mac address='00:11:22:33:44:55'/>
>    <source bridge='brdg'/>
>    <model type='virtio'/>
>    <filterref filter='outbound-only'/>
>    <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
> </interface>
>
> <filter name='outbound-only' chain='root'>
>    <uuid>0c834381-402c-faf3-019f-eb5a40ea6b61</uuid>
>    <filterref filter='allow-arp'/>
>    <filterref filter='allow-dhcp'/>
>    <filterref filter='qemu-announce-self'/>
>    <filterref filter='no-other-l2-traffic'/>
> </filter>
>
> My goal is to allow the guest to reach the internet, but not allow the
> internet or other guests to reach this guest.  I realize this config
> is not sufficient for that, but I can't get any farther until I
> understand the current behavior.  From the look of the config, this
> should essentially not be allowing anything except arp and dhcp.  And
> yet, the host has full connectivity.  I can run apt-get update on the
> VM, I can ping the VM from other nodes in my network, etc.  It's
> basically wide-open.  So either one of the included rules is not
> working as advertised, or I'm misunderstanding some feature of the
> filtering process.
>
> Any pointers would be appreciated.  Thanks
>
> _______________________________________________
> libvirt-users mailing list
> libvirt-users at redhat.com
> https://www.redhat.com/mailman/listinfo/libvirt-users
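As an added example (not code from the thread or from libvirt), the following POSIX sh script does the check Brian describes in a way that can be scripted, makes the setting persistent, and dumps what nwfilter actually installed for a guest's tap device. It assumes /proc/sys/net/bridge is present (on kernels from 3.18 on that requires br_netfilter to be loaded), that ebtables and iptables are on the host, and that the tap device name (vnet0 and so on) is passed as the first argument; the SYSCTL_DIR override and the /etc/sysctl.d file name are choices made here, not libvirt conventions. One caveat worth knowing when reading the output: nwfilter's L2 filters such as no-other-l2-traffic are programmed with ebtables, which sees bridged frames regardless of this sysctl; bridge-nf-call-iptables is what lets the iptables-based L3/L4 rules, which the stated goal of blocking inbound traffic needs, see traffic that is only bridged and never routed by the host.

```shell
#!/bin/sh
# Added example (not from the original thread): verify the bridge-netfilter
# sysctls that let iptables see bridged guest traffic, then dump what
# libvirt's nwfilter installed for a given tap device.
#
# Assumptions: POSIX sh; /proc/sys/net/bridge exists once bridge netfilter
# is available (on kernels >= 3.18 that needs "modprobe br_netfilter").
# SYSCTL_DIR is overridable so the check can be run against a copy.

SYSCTL_DIR="${SYSCTL_DIR:-/proc/sys/net/bridge}"

# check_bridge_nf DIR
# Prints one line per knob and returns 0 only if every bridge-nf-call-*
# file in DIR reads 1. A missing file means bridge netfilter is not loaded.
check_bridge_nf() {
    dir=$1
    rc=0
    for key in bridge-nf-call-iptables bridge-nf-call-ip6tables bridge-nf-call-arptables; do
        f="$dir/$key"
        if [ ! -r "$f" ]; then
            echo "$key: missing ($f) - is br_netfilter loaded?"
            rc=1
            continue
        fi
        v=$(cat "$f")
        if [ "$v" = "1" ]; then
            echo "$key = 1 (ok)"
        else
            echo "$key = $v (want 1)"
            rc=1
        fi
    done
    return $rc
}

# enable_bridge_nf: make the setting live now and persistent across reboots.
# The sysctl.d file name is an assumption of this example; adjust per distro.
enable_bridge_nf() {
    modprobe br_netfilter 2>/dev/null || true   # no-op on older kernels
    sysctl -w net.bridge.bridge-nf-call-iptables=1
    sysctl -w net.bridge.bridge-nf-call-ip6tables=1
    sysctl -w net.bridge.bridge-nf-call-arptables=1
    printf '%s\n' \
        'net.bridge.bridge-nf-call-iptables = 1' \
        'net.bridge.bridge-nf-call-ip6tables = 1' \
        'net.bridge.bridge-nf-call-arptables = 1' \
        > /etc/sysctl.d/99-bridge-nf.conf
}

# show_nwfilter_rules VNET
# nwfilter programs L2 rules with ebtables and L3/L4 rules with iptables,
# keyed on the guest's tap device (vnet0, vnet1, ...). If ebtables shows
# rules for VNET but the guest is still reachable, check the sysctl above,
# since without it bridged frames never reach the iptables FORWARD chain.
show_nwfilter_rules() {
    vnet=$1
    if command -v ebtables >/dev/null 2>&1; then
        echo "== ebtables (L2) rules mentioning $vnet =="
        ebtables -t nat -L 2>/dev/null | grep -- "$vnet" || echo "(none)"
    fi
    if command -v iptables >/dev/null 2>&1; then
        echo "== iptables (L3/L4) rules mentioning $vnet =="
        iptables -S 2>/dev/null | grep -- "$vnet" || echo "(none)"
    fi
}

# When run directly: check the sysctls; with a tap device name, also dump rules.
case "${1:-}" in
    "") check_bridge_nf "$SYSCTL_DIR" || echo "bridge netfilter is not fully enabled" ;;
    *)  check_bridge_nf "$SYSCTL_DIR" || echo "bridge netfilter is not fully enabled"
        show_nwfilter_rules "$1" ;;
esac
```

Run it as `sh check-nwfilter.sh vnet0` on the host (as root for the rule dump); `enable_bridge_nf` is deliberately not called automatically, since it writes to /etc/sysctl.d.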



