[libvirt-users] Easy solution for custom firewall rules-

Laine Stump laine at redhat.com
Mon Jun 3 16:55:06 UTC 2019

On 6/2/19 10:02 PM, Joshua Kramer wrote:
> Nakta wrote:
>> libvirts nwfilter module can achieve that.
> I read over those resources and I did what I thought would be correct,
> but it's not having any effect.
> I created a new nwfilter like this:
> <filter name='allow-virbr2-vpn' chain='ipv4' priority='-700'>
>    <rule action='accept' direction='in' priority='500'>
>      <all state='ESTABLISHED'/>
>    </rule>
>    <rule action='accept' direction='out' priority='500'>
>      <all state='ESTABLISHED,RELATED'/>
>    </rule>
>    <rule action='accept' direction='in' priority='100'>
>      <ip dstipaddr='' dstipmask='24'/>
>    </rule>
>    <rule action='accept' direction='out' priority='100'>
>      <ip srcipaddr='' srcipmask='24'/>
>    </rule>
>    <rule action='drop' direction='inout' priority='500'>
>      <all/>
>    </rule>
> </filter>
> I then associated that filter with the Interface device on the VM
> server within KVM... and shutdown/restart that VM.
>   <interface type='network'>
>        <mac address='XX:XX:XX:XX:XX:XX'/>
>        <source network='locservers'/>
>        <model type='virtio'/>
>        <filterref filter='allow-virbr2-vpn'/>
>        <address type='pci' domain='0x0000' bus='0x00' slot='0x03'
> function='0x0'/>
>      </interface>
> After this, nothing happens.  I did 'ebtables --list', and the new
> rules aren't there.

Try "ebtables -t nat -L", although as I said in the other message I just 
posted, it's not going to do what you need anyway, because these rules 
will be applied *in addition to* the network's iptables rules, not 
*instead of*.

More information about the libvirt-users mailing list