[libvirt-users] Easy solution for custom firewall rules-
Laine Stump
laine at redhat.com
Mon Jun 3 16:55:06 UTC 2019
On 6/2/19 10:02 PM, Joshua Kramer wrote:
> Nakta wrote:
>> libvirts nwfilter module can achieve that.
>
> I read over those resources and I did what I thought would be correct,
> but it's not having any effect.
>
> I created a new nwfilter like this:
> <filter name='allow-virbr2-vpn' chain='ipv4' priority='-700'>
> <rule action='accept' direction='in' priority='500'>
> <all state='ESTABLISHED'/>
> </rule>
> <rule action='accept' direction='out' priority='500'>
> <all state='ESTABLISHED,RELATED'/>
> </rule>
> <rule action='accept' direction='in' priority='100'>
> <ip dstipaddr='192.168.8.0' dstipmask='24'/>
> </rule>
> <rule action='accept' direction='out' priority='100'>
> <ip srcipaddr='192.168.8.0' srcipmask='24'/>
> </rule>
> <rule action='drop' direction='inout' priority='500'>
> <all/>
> </rule>
> </filter>
>
> I then associated that filter with the Interface device on the VM
> server within KVM... and shutdown/restart that VM.
> <interface type='network'>
> <mac address='XX:XX:XX:XX:XX:XX'/>
> <source network='locservers'/>
> <model type='virtio'/>
> <filterref filter='allow-virbr2-vpn'/>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x03'
> function='0x0'/>
> </interface>
>
> After this, nothing happens. I did 'ebtables --list', and the new
> rules aren't there.
Try "ebtables -t nat -L", although as I said in the other message I just
posted, it's not going to do what you need anyway, because these rules
will be applied *in addition to* the network's iptables rules, not
*instead of*.
More information about the libvirt-users
mailing list