[libvirt-users] Insert iptables rules with network hook

Dieter Späth dieter.spaeth at gmx.de
Tue Mar 1 22:11:23 UTC 2016


Hi,

 

I want to add iptables rules between existing rules and the rules created
by libvirt (forward type=nat).

I did try the hook

/etc/libvirt/hooks/network network_name start begin -

and
 
/etc/libvirt/hooks/network network_name started begin -

It seems like the libvirt iptables rules are already inserted when
this hook is executed.

Simply using -I instead of -A does not work either because the rules should be
inserted between the existing ones and the libvirt rules. Also the custom
rules should be deleted after the hook

/etc/libvirt/hooks/network network_name stopped end -

is executed.

Does a hook exist which is executed after the network is started but before
the libvirt rules are inserted?

Is it possible to use a custom chain for the libvirt iptables rules instead
of directly writing them into the INPUT chain?

I think of something like INPUT

VIRT_VIBR0     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0
VIRT_VIBR0     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0

and VIRT_VIBR0

ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     state RELATED,ESTABLISHED
ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
 

thanks & regards
dieter
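One way to get the ordering the post asks for, as an added example that is not the poster's script nor libvirt's own code: a /etc/libvirt/hooks/network script that, at "started begin", computes the position of libvirt's first FORWARD rule from the live ruleset and inserts jumps to a custom chain just before it, then removes them at "stopped end". It assumes the network is named default on bridge virbr0, handles only the FORWARD chain, and relies on the first rule matching on that bridge being libvirt's.

```sh
#!/bin/sh
# Added example hook for /etc/libvirt/hooks/network (not libvirt's code, not
# from the list post). libvirt invokes it as:
#   network <network_name> <operation> <sub-operation> -
# Assumptions: network "default" on bridge virbr0; only FORWARD is handled;
# custom rules live in their own chain so removing them on "stopped end"
# never touches libvirt's rules.
NET_NAME=default
NET_IFACE=virbr0
CUSTOM_CHAIN=CUSTOM_VIRBR0

# Reads "iptables -S <chain>" output on stdin and prints the 1-based position
# of the first rule matching on the interface (libvirt's first rule), or the
# rule count + 1 if there is none, so "-I <chain> <pos>" lands after all
# pre-existing rules and just before libvirt's.
first_rule_index() {
    iface=$1; n=0; found=0
    while IFS= read -r line; do
        case "$line" in
            "-A "*)
                n=$((n + 1))
                if [ "$found" -eq 0 ]; then
                    case " $line " in
                        *" -i $iface "*|*" -o $iface "*) found=$n ;;
                    esac
                fi ;;
        esac
    done
    if [ "$found" -gt 0 ]; then echo "$found"; else echo $((n + 1)); fi
}

install_rules() {
    iptables -N "$CUSTOM_CHAIN" 2>/dev/null || iptables -F "$CUSTOM_CHAIN"
    # Site-specific rules go in the custom chain; this one only logs new
    # connections crossing the bridge, so a wrong position does no harm.
    iptables -A "$CUSTOM_CHAIN" -m conntrack --ctstate NEW -j LOG --log-prefix "$NET_NAME: "
    iptables -A "$CUSTOM_CHAIN" -j RETURN
    pos=$(iptables -S FORWARD | first_rule_index "$NET_IFACE")
    iptables -I FORWARD "$pos" -o "$NET_IFACE" -j "$CUSTOM_CHAIN"
    iptables -I FORWARD "$pos" -i "$NET_IFACE" -j "$CUSTOM_CHAIN"
}

remove_rules() {
    # Delete the jumps (looping in case of duplicates), then drop the chain.
    while iptables -D FORWARD -i "$NET_IFACE" -j "$CUSTOM_CHAIN" 2>/dev/null; do :; done
    while iptables -D FORWARD -o "$NET_IFACE" -j "$CUSTOM_CHAIN" 2>/dev/null; do :; done
    iptables -F "$CUSTOM_CHAIN" 2>/dev/null && iptables -X "$CUSTOM_CHAIN"
}

case "$1:$2:$3" in
    "$NET_NAME:started:begin") install_rules ;;
    "$NET_NAME:stopped:end")   remove_rules ;;
esac
```

Any non-libvirt rule that already matches on virbr0 would make the position heuristic stop early, so check "iptables -S FORWARD" on the host before relying on it.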