[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt-users] Easy solution for custom firewall rules-



On 6/2/19 10:02 PM, Joshua Kramer wrote:
Nakta wrote:
libvirts nwfilter module can achieve that.

I read over those resources and I did what I thought would be correct,
but it's not having any effect.

I created a new nwfilter like this:
<filter name='allow-virbr2-vpn' chain='ipv4' priority='-700'>
   <rule action='accept' direction='in' priority='500'>
     <all state='ESTABLISHED'/>
   </rule>
   <rule action='accept' direction='out' priority='500'>
     <all state='ESTABLISHED,RELATED'/>
   </rule>
   <rule action='accept' direction='in' priority='100'>
     <ip dstipaddr='192.168.8.0' dstipmask='24'/>
   </rule>
   <rule action='accept' direction='out' priority='100'>
     <ip srcipaddr='192.168.8.0' srcipmask='24'/>
   </rule>
   <rule action='drop' direction='inout' priority='500'>
     <all/>
   </rule>
</filter>

I then associated that filter with the Interface device on the VM
server within KVM... and shutdown/restart that VM.
  <interface type='network'>
       <mac address='XX:XX:XX:XX:XX:XX'/>
       <source network='locservers'/>
       <model type='virtio'/>
       <filterref filter='allow-virbr2-vpn'/>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x03'
function='0x0'/>
     </interface>

After this, nothing happens.  I did 'ebtables --list', and the new
rules aren't there.

Try "ebtables -t nat -L", although as I said in the other message I just posted, it's not going to do what you need anyway, because these rules will be applied *in addition to* the network's iptables rules, not *instead of*.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]