[virt-tools-list] iptables rules created by libvirt

Ratliff, John jdratlif at iu.edu
Thu May 3 12:55:03 UTC 2018

I used your second link to write a perl script to do what I wanted.


John Ratliff   | Pervasive Technology Institute | UITS | Research Storage - 
Indiana University | http://pti.iu.edu/

-----Original Message-----
From: Pavel Hrdina <phrdina at redhat.com>
Sent: Thursday, May 3, 2018 4:43 AM
To: Ratliff, John <jdratlif at iu.edu>
Cc: virt-tools-list at redhat.com
Subject: Re: [virt-tools-list] iptables rules created by libvirt

On Thu, May 03, 2018 at 12:51:06AM +0000, Ratliff, John wrote:
> I want to use NAT forwarding to forward some ports on my kvm host to
> my guests. There is a rule that libvirt is creating that rejects this
> traffic, and it gets recreated every time the network is updated.
> -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
> My FORWARD policy is set to DROP, so I'd like to just remove this
> rule, but I don't understand where it's coming from.

Hi, here you can read about libvirt networking and how it works [1].

> I'm using kvm/qemu/libvirt on a RedHat 7.5 host.
> It's not clear to me whether anything is using any of the nwfilter
> rules. I haven't added any, and I don't see any referenced in any of
> my domain xml dumps or the network xml dump.
> Can I get libvirt to stop adding this rule, or even any firewall rules
> and I'll do it myself?

There is no need to change this behavior, you can use QEMU guest hook where 
you can add your own iptables rules [2].


[1] <https://libvirt.org/firewall.html>
[2] <https://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5670 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/virt-tools-list/attachments/20180503/e15a7635/attachment.p7s>

More information about the virt-tools-list mailing list