[virt-tools-list] iptables rules created by libvirt

Pavel Hrdina phrdina at redhat.com
Thu May 3 08:43:05 UTC 2018

On Thu, May 03, 2018 at 12:51:06AM +0000, Ratliff, John wrote:
> I want to use NAT forwarding to forward some ports on my kvm host to my
> guests. There is a rule that libvirt is creating that rejects this traffic,
> and it gets recreated every time the network is updated.
> -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
> My FORWARD policy is set to DROP, so I'd like to just remove this rule, but
> I don't understand where it's coming from.

Hi, here you can read about libvirt networking and how it works [1].

> I'm using kvm/qemu/libvirt on a RedHat 7.5 host.
> It's not clear to me whether anything is using any of the nwfilter rules. I
> haven't added any, and I don't see any referenced in any of my domain xml
> dumps or the network xml dump.
> Can I get libvirt to stop adding this rule, or even any firewall rules and
> I'll do it myself?

There is no need to change this behavior; you can use the QEMU guest hook,
where you can add your own iptables rules [2].


[1] <https://libvirt.org/firewall.html>
[2] <https://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections>
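A hook script of the kind [2] describes, given here as an added example (not code from this thread or from the libvirt wiki); the guest name, guest IP, bridge name and port mapping are assumed placeholders:

```shell
#!/bin/sh
# Added example of a libvirt QEMU hook, installed as /etc/libvirt/hooks/qemu
# (executable). libvirt runs it as:  qemu <guest name> <operation> <sub-op> <extra>
# Assumed placeholders: guest name, guest IP, bridge name and the port mapping.
GUEST_NAME="${GUEST_NAME:-example-guest}"
GUEST_IP="${GUEST_IP:-192.168.122.10}"
HOST_PORT="${HOST_PORT:-2222}"
GUEST_PORT="${GUEST_PORT:-22}"
BRIDGE="${BRIDGE:-virbr0}"
IPT="${IPT:-iptables}"       # overridable so the logic can be exercised without root

# Print the iptables arguments for the forward, one rule per line.
# $1 is -I (insert at the head of the chain) or -D (delete). Inserting at the
# head puts the ACCEPT ahead of the libvirt-generated "-o virbr0 -j REJECT" rule.
rule_lines() {
    action="$1"
    printf '%s\n' "-t nat $action PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to-destination $GUEST_IP:$GUEST_PORT"
    printf '%s\n' "$action FORWARD -o $BRIDGE -p tcp -d $GUEST_IP --dport $GUEST_PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# Run every rule line through iptables; word splitting of $args is intended.
apply_rules() {
    rule_lines "$1" | while IFS= read -r args; do
        # shellcheck disable=SC2086
        $IPT $args
    done
}

# Dispatch on the hook arguments. "reconnect" is delivered when libvirtd is
# restarted while the guest keeps running, so the rules are refreshed then too.
hook_main() {
    guest="$1"
    op="$2"
    [ "$guest" = "$GUEST_NAME" ] || return 0
    case "$op" in
        start|reconnect)
            apply_rules -D >/dev/null 2>&1 || true   # remove stale copies first
            apply_rules -I
            ;;
        stopped)
            apply_rules -D
            ;;
    esac
}

hook_main "$@"
```

The hook only fires on guest lifecycle events, so rules libvirt re-inserts when the network itself is restarted may again take precedence until the guest is restarted or the hook is re-run.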