[fedora-virt] bridge network with iptables running on host?

Tom Horsley tom.horsley at att.net
Mon Aug 24 00:41:33 UTC 2009


On Sun, 23 Aug 2009 17:06:04 -0700
Dale Bewley wrote:

> On Fri, 2009-08-21 at 18:35 -0400, Tom Horsley wrote:
> > Do I have to tell the host to forward everything (rather than
> > forwarding nothing as I have it now)?
> 
> You are going to need something like this:
>  iptables -I FORWARD -m physdev  --physdev-is-bridged -j ACCEPT
> 
> Take a peek in /var/lib/libvirt/iptables for the rules that libvirt
> inserts when you use a libvirt defined network. 

Actually I finally discovered it was a combination of several
completely different things. I wasn't using the default libvirt
networking, so I didn't need any NAT related rule.

I was instead using a bridge I defined. So first
I had to discover what the heck the /etc/sysctl.conf
settings recommended in a few places actually meant, to know
that I really did need:

net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0

to prevent my VMs from being filtered by my host's iptables.
(On the machine I was using at work, iptables isn't filtering
anything, so these settings make no difference one way or another.)

Then I had to discover that wasn't enough, because I had an
iptables rule that used a "-i eth0" option, while now
all the traffic was going through "-i br0". Fixing that finally
allowed things like DNS lookups to work on the VMs (talking
to the DNS server on the host), but I still couldn't ssh to the
host from the VM.

Finally I discovered what the pattern "LOCAL" actually meant
when used in the /etc/hosts.allow file and changed it to
the local network IP range instead, and at last all networking
was functioning.

Quite a weekend puzzle solving game :-).
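A defender-side check for the first two of the three findings above, as an added example that is not from this thread, libvirt or Fedora: it flags bridge-nf-call sysctls left enabled and iptables rules still bound to eth0 rather than br0. The sysctl and iptables-save text inside it is constructed sample input; eth0 and br0 are the interface names from the post.

```shell
#!/bin/sh
# Constructed sample input (not captured from the poster's host): the three
# bridge-nf-call sysctls as `sysctl` prints them, and an iptables-save dump
# with rules still bound to the physical NIC after it was enslaved to br0.
SAMPLE_SYSCTL='net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1'

SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
COMMIT'

# Read "key = value" lines on stdin and print the bridge-nf-call keys whose
# value is not 0: with those, bridged guest traffic is still passed through
# the host's iptables/ip6tables/arptables chains.
enabled_bridge_nf_calls() {
    awk -F' *= *' '/^net\.bridge\.bridge-nf-call-/ && $2 != "0" { print $1 }'
}

# Read an iptables-save dump on stdin and print INPUT/FORWARD rules that
# match "-i <nic>" ($1). Once the NIC is a bridge port, the host sees that
# traffic arriving on the bridge (br0), so such rules no longer match it.
rules_bound_to_nic() {
    awk -v nic="$1" '
        $1 == "-A" && ($2 == "INPUT" || $2 == "FORWARD") {
            for (i = 3; i < NF; i++)
                if ($i == "-i" && $(i + 1) == nic) { print; break }
        }'
}

# Counts over the constructed samples, for use from a script or a test.
count_enabled_bridge_nf_calls() {
    printf '%s\n' "$SAMPLE_SYSCTL" | enabled_bridge_nf_calls | wc -l | tr -d ' '
}
count_rules_bound_to_nic() {
    printf '%s\n' "$SAMPLE_RULES" | rules_bound_to_nic "$1" | wc -l | tr -d ' '
}

# On a live host, feed the real data instead:
#   sysctl net.bridge | enabled_bridge_nf_calls
#   iptables-save | rules_bound_to_nic eth0
```

The third finding, the hosts.allow `LOCAL` wildcard, is documented in hosts_access(5) as matching any host whose name does not contain a dot, so it is not a network-range pattern. On current kernels the bridge-nf-call sysctls only exist once the br_netfilter module is loaded.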
