[libvirt-users] Default firewall rules and forwarding to a guest

Laine Stump laine at laine.org
Tue Jan 3 22:06:28 UTC 2017 

On 12/22/2016 09:48 AM, Omer Aldemir wrote:
>
> Hello,
>
>
> I am trying to understand how libvirt firewall rules are loaded as I 
> have firewalld and iptables services are disabled.
>

libvirt will add its iptables rules via firewalld if firewalld is 
enabled and running, otherwise it executes iptables commands directly.

w
>
>
> Where is the configuration files for firewall and NAT  rules for libvirt?
>

There are no configuration files for the iptables rules that libvirt 
adds. The simple set of rules that is added is fixed for each type of 
libvirt network - NAT, routed, and isolated. Here is a description of 
exactly what is added for each of these types of network:

    https://libvirt.org/firewall.html

(actually I just realized that I forgot to add information there about a 
new network forwarding type I recently added - "open", which doesn't add 
*any* iptables rules - this is intended for those who want to do their 
own iptables setup for libvirt networks, outside of libvirt.)

> How can I load default firewall rules if I mess things up
>

To reload all the iptables rules for all active libvirt networks, just 
restart the libvirtd service.

>
> Also I have realized that followings is default
>
>
> ACCEPT     all  --  0.0.0.0/0 192.168.122.0/24     ctstate 
> RELATED,ESTABLISHED
>
>
> but If I am to forward a port for a real IP to internal guest 
> machine I need
>
>
> ACCEPT     all  --  0.0.0.0/0 192.168.122.0/24     state 
> NEW,RELATED,ESTABLISHED
>
>
> (NEW state is required) and also of course a forwarding rule
>
>
> iptables -t nat -I PREROUTING -p tcp --dport 3389 -j DNAT 
> --to-destination 192.168.122.16:3389
>
>
> Is there a place I can make this rules static with LibVirt (not 
> playing with firewalld  and/or iptables service for Centos 7)
>

The best that can be done with current libvirt is to create a "hook" 
script similar to the one described here:

https://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections

(That worked the last time I tried it, but that was at least 3 years 
ago. The python script available as a link from that page is newer and 
promises to be easier to understand (maybe))
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/libvirt-users/attachments/20170103/34304bbd/attachment.htm>

More information about the libvirt-users mailing list