[libvirt-users] Easy solution for custom firewall rules- is it possible?

nakata nakata at geekpit.org
Fri May 31 14:42:53 UTC 2019


Hi,

libvirt's nwfilter module can achieve that.
I'm currently working on opt-out patches to disable that functionality
if wished. I also don't use firewalld.

It's both paternalizing and annoying and takes away user flexibility in
exchange for nothing.

anyways
Check the nwfilter page to write own filters for the beginning:
https://libvirt.org/formatnwfilter.html#nwfwrite

some more info:
https://www.redhat.com/archives/libvir-list/2010-June/msg00762.html

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_deployment_and_administration_guide/sect-virtual_networking-applying_network_filtering




regards



On Thursday, 30.05.2019, 21:44 -0400, Joshua Kramer wrote:
> Hello All-
> 
> I've looked in several places and haven't found an answer to this
> question: is it possible to have libvirt add custom rules to iptables
> for virtual network interfaces?  I took a look at the "Firewall and
> Network Filtering in Libvirt" page and it seems overly complicated for
> what I want to do.
> 
> Given an interface virbr2 and its network 192.168.4.0/24, libvirt
> installs the following rules in iptables.  Essentially, these rules
> will drop any packets for the interface virbr2 where the source or
> destination is not on the 192.168.4.0/24 network.
> 
> -P FORWARD ACCEPT
> -A FORWARD -d 192.168.4.0/24 -o virbr2 -j ACCEPT
> -A FORWARD -s 192.168.4.0/24 -i virbr2 -j ACCEPT
> -A FORWARD -i virbr2 -o virbr2 -j ACCEPT
> -A FORWARD -o virbr2 -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -i virbr2 -j REJECT --reject-with icmp-port-unreachable
> 
> I have a VPN server on the 4/24 network- and it hands out addresses in
> the 8/24 network.  So I would like libvirt to also create the
> following rules in iptables:
> 
> -A FORWARD -d 192.168.8.0/24 -o virbr2 -j ACCEPT
> -A FORWARD -s 192.168.8.0/24 -i virbr2 -j ACCEPT
> 
> I've tried creating direct rules in firewalld for the FORWARD_direct
> chain.  Firewalld happily creates those rules, but they are never
> reached, because they fall AFTER the libvirt rules.  I've also tried
> creating an IP address on the virbr2 interface in the 8/24 network,
> but that doesn't work either.  How can I get this done?
> 
> Thanks!!
> -JK
> 
> _______________________________________________
> libvirt-users mailing list
> libvirt-users at redhat.com
> https://www.redhat.com/mailman/listinfo/libvirt-users
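As an added example that is not part of either message in this thread: a small POSIX shell check for the ordering problem Joshua describes, where rules for the 8/24 network exist but sit behind libvirt's REJECT rules for virbr2 and are never reached. It takes an `iptables -S`-style listing (the two sample listings below are constructed for the example, not captured from a real host), a bridge name and a subnet, and reports whether ACCEPT rules for that subnet precede the bridge's REJECT rules in both directions; rules in a sub-chain such as firewalld's FORWARD_direct count at the position of the `-j` jump into that chain. The function name `rule_is_reached` and the sample listings are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): report whether FORWARD rules for a
# subnet are actually reachable, i.e. precede libvirt's REJECT rules for the
# bridge. Rules in a sub-chain (e.g. firewalld's FORWARD_direct) count at the
# position of the "-j <chain>" jump in FORWARD.

# Constructed listing: libvirt's rules for virbr2 followed by a jump to
# FORWARD_direct, which holds the 192.168.8.0/24 rules (so they are shadowed).
SAMPLE_SHADOWED='-P FORWARD ACCEPT
-A FORWARD -d 192.168.4.0/24 -o virbr2 -j ACCEPT
-A FORWARD -s 192.168.4.0/24 -i virbr2 -j ACCEPT
-A FORWARD -i virbr2 -o virbr2 -j ACCEPT
-A FORWARD -o virbr2 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr2 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j FORWARD_direct
-A FORWARD_direct -d 192.168.8.0/24 -o virbr2 -j ACCEPT
-A FORWARD_direct -s 192.168.8.0/24 -i virbr2 -j ACCEPT'

# Constructed listing where the 192.168.8.0/24 rules sit ahead of libvirt's.
SAMPLE_REACHED='-P FORWARD ACCEPT
-A FORWARD -d 192.168.8.0/24 -o virbr2 -j ACCEPT
-A FORWARD -s 192.168.8.0/24 -i virbr2 -j ACCEPT
-A FORWARD -d 192.168.4.0/24 -o virbr2 -j ACCEPT
-A FORWARD -s 192.168.4.0/24 -i virbr2 -j ACCEPT
-A FORWARD -i virbr2 -o virbr2 -j ACCEPT
-A FORWARD -o virbr2 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr2 -j REJECT --reject-with icmp-port-unreachable'

# rule_is_reached LISTING IFACE CIDR
# Exit 0 and print "reached" when ACCEPT rules for CIDR in both directions
# come before the REJECT rules for IFACE; exit 1 and print "shadowed" otherwise.
# On a live host (assumed invocation):
#   rule_is_reached "$(iptables -S FORWARD; iptables -S FORWARD_direct)" virbr2 192.168.8.0/24
rule_is_reached() {
    printf '%s\n' "$1" | awk -v iface="$2" -v cidr="$3" '
    /^-A / {
        n++; line[n] = $0 " "
        # remember where FORWARD jumps into a user chain (-j <chain> with no extra args)
        if ($2 == "FORWARD" && $(NF-1) == "-j" && $NF !~ /^(ACCEPT|DROP|REJECT|RETURN)$/)
            jump[$NF] = n
    }
    END {
        for (i = 1; i <= n; i++) {
            split(line[i], f, " "); chain = f[2]
            # effective position in the FORWARD walk: own index, or the index of the jump
            eff = (chain == "FORWARD") ? i : ((chain in jump) ? jump[chain] : 0)
            if (!eff) continue
            l = line[i]
            if (!rej_out && index(l, "-o " iface " ") && index(l, "-j REJECT ")) rej_out = eff
            if (!rej_in  && index(l, "-i " iface " ") && index(l, "-j REJECT ")) rej_in  = eff
            if (!acc_out && index(l, "-d " cidr " ") && index(l, "-o " iface " ") && index(l, "-j ACCEPT ")) acc_out = eff
            if (!acc_in  && index(l, "-s " cidr " ") && index(l, "-i " iface " ") && index(l, "-j ACCEPT ")) acc_in  = eff
        }
        ok_out = acc_out && (!rej_out || acc_out < rej_out)
        ok_in  = acc_in  && (!rej_in  || acc_in  < rej_in)
        if (ok_out && ok_in) { print "reached: " cidr " ACCEPT rules precede the " iface " REJECT rules"; exit 0 }
        print "shadowed: " cidr " ACCEPT rules are missing or come after the " iface " REJECT rules"
        exit 1
    }'
}

# Demo on the constructed listings (the exit status is the function result).
rule_is_reached "$SAMPLE_SHADOWED" virbr2 192.168.8.0/24 || true
rule_is_reached "$SAMPLE_REACHED"  virbr2 192.168.8.0/24
```

The check only looks at rule order, not at the full match semantics of each rule, so it is a quick way to confirm whether a custom rule can ever fire before libvirt's REJECT for the bridge; a "shadowed" result is exactly the situation in the quoted question, where firewalld's FORWARD_direct rules are created but never hit.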



