[fedora-virt] libvirtd and public access to guests
Richard W.M. Jones
rjones at redhat.com
Thu Oct 8 14:09:25 UTC 2009
On Thu, Oct 08, 2009 at 01:09:35PM +0200, Pavel Lisy wrote:
> I've started playing with libvirt and I have a question.
This question is probably better asked on libvir-list.
https://www.redhat.com/mailman/listinfo/libvir-list
> What is the proper way to make a guest accessible from the net?
>
> I have mode=nat in /var/lib/libvirt/network/default.xml.
>
> libvirtd creates these rules in the FORWARD chain:
>
> -A FORWARD -d 192.168.231.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -s 192.168.231.0/24 -i virbr0 -j ACCEPT
> -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
> -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>
> If I add
> iptables -I FORWARD -i eth0 -o virbr0 -j ACCEPT
> guests are accessible.
An alternate way is to create your own bridge (however you want to
configure it), then make it a network that guests can see and connect
to, using commands like 'virsh net-create', 'virsh net-dumpxml' and
'virsh net-edit'.
The XML format is described here:
http://libvirt.org/formatnetwork.html
> My question is:
> Is it possible to write this somewhere in the configuration?
>
> I've tried to put it in /etc/sysconfig/iptables, but libvirtd puts its
> rules before mine.
I think libvirtd will trash your virbr0 definitions, so maybe setting
up your own bridge is a better idea.
Rich.
--
Richard Jones, Emerging Technologies, Red Hat http://et.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
http://et.redhat.com/~rjones/virt-df/
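The one-liner in the question (`iptables -I FORWARD -i eth0 -o virbr0 -j ACCEPT`) opens every port of every guest on the NAT network to everything arriving on eth0. The narrower version of the same idea is to publish one TCP port of one guest: a DNAT in the nat table's PREROUTING chain plus a matching FORWARD rule, both inserted with `-I` so they sit ahead of the REJECT rules libvirtd appends, and both removed again when the guest stops. The script below is an added example written for this thread, not code from the original post or from libvirt; it is shaped as a libvirt qemu hook (installed as /etc/libvirt/hooks/qemu, a mechanism that appeared in libvirt 0.8.0, later than this 2009 thread). The guest name "web1", the guest address 192.168.231.10, the host port 2222, the guest port 22 and the interface names are assumed values for illustration. Return traffic to the guest is already covered by libvirtd's own `RELATED,ESTABLISHED` rule, so only NEW connections need a rule here.

```shell
#!/bin/sh
# Added example (not from the thread): a libvirt qemu hook that publishes one
# TCP port of one NAT guest and tears the rules down when the guest stops.
# Install as /etc/libvirt/hooks/qemu (mode 0755). libvirt calls it as
#   qemu <guest-name> <operation> <sub-operation> ...
# The hook mechanism is newer than this 2009 thread (libvirt 0.8.0+).
# Guest name, guest IP, ports and interface names below are assumed values.
set -eu

IPTABLES=${IPTABLES:-iptables}   # set IPTABLES="echo iptables" to dry-run
GUEST_NAME=${GUEST_NAME:-web1}
GUEST_IP=${GUEST_IP:-192.168.231.10}
HOST_PORT=${HOST_PORT:-2222}
GUEST_PORT=${GUEST_PORT:-22}
EXT_IF=${EXT_IF:-eth0}
VIRBR=${VIRBR:-virbr0}

# Print one rule specification per line: table, chain, then the match and
# target arguments without the -I/-D action, so the same spec can be
# inserted at start and deleted at stop.
rules_for() {  # rules_for <guest-ip> <host-port> <guest-port>
    cat <<EOF
nat PREROUTING -i $EXT_IF -p tcp --dport $2 -j DNAT --to-destination $1:$3
filter FORWARD -i $EXT_IF -o $VIRBR -d $1 -p tcp --dport $3 -m state --state NEW -j ACCEPT
EOF
}

# Run "$1" (-I inserts at the head of the chain so the rule precedes
# libvirtd's own REJECT rules; -D removes it) for every rule from rules_for.
# FORWARD sees the post-DNAT destination, hence -d <guest-ip> --dport <guest-port>.
apply_rules() {  # apply_rules <-I|-D> <guest-ip> <host-port> <guest-port>
    action=$1; shift
    rules_for "$@" | while read -r table chain spec; do
        # $spec is intentionally word-split into separate iptables arguments
        $IPTABLES -t "$table" "$action" "$chain" $spec
    done
}

# Hook entry point: act only on our guest, before it starts and after it
# has stopped; ignore every other guest and every other operation.
hook_main() {  # hook_main <guest-name> <operation> <sub-operation> ...
    [ "$1" = "$GUEST_NAME" ] || return 0
    case "$2/$3" in
        start/begin) apply_rules -I "$GUEST_IP" "$HOST_PORT" "$GUEST_PORT" ;;
        stopped/end) apply_rules -D "$GUEST_IP" "$HOST_PORT" "$GUEST_PORT" ;;
    esac
}

# libvirt always passes at least three arguments; with none (when sourced
# or run by hand) do nothing.
[ $# -ge 3 ] && hook_main "$@"
```

Because the rules are (re)inserted on every guest start, they survive a libvirtd restart, which re-adds libvirtd's own rules but does not touch these. They do not survive `service iptables restart`, which flushes the tables; after that a guest restart (or running `hook_main web1 start begin` by hand) puts them back. With `IPTABLES="echo iptables"` the script prints the exact commands it would run, which is the check worth doing before installing it.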