[fedora-virt] libvirtd and public access to guests

Richard W.M. Jones rjones at redhat.com
Thu Oct 8 14:09:25 UTC 2009


On Thu, Oct 08, 2009 at 01:09:35PM +0200, Pavel Lisy wrote:
> I've started playing with libvirt and I have a question.

This question is probably better asked on libvir-list.

  https://www.redhat.com/mailman/listinfo/libvir-list

> What is the proper way to make a guest accessible from the net?
>
> I have mode=nat /var/lib/libvirt/network/default.xml. 
> 
> libvirtd makes these rules in the FORWARD chain
> 
> -A FORWARD -d 192.168.231.0/24 -o virbr0 -m state --state
> RELATED,ESTABLISHED -j ACCEPT 
> -A FORWARD -s 192.168.231.0/24 -i virbr0 -j ACCEPT 
> -A FORWARD -i virbr0 -o virbr0 -j ACCEPT 
> -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable 
> -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable 
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited 
> 
> If I add 
> iptables -I FORWARD -i eth0 -o virbr0 -j ACCEPT
> guests are accessible

An alternate way is to create your own bridge (however you want to
configure it), then make it a network that guests can see and connect
to, using commands like 'virsh net-create', 'virsh net-dumpxml' and
'virsh net-edit'.

The XML format is described here:

  http://libvirt.org/formatnetwork.html

> My question is:
> Is it possible to write this somewhere in the configuration?
> 
> I've tried to put it in /etc/sysconfig/iptables, but libvirtd puts its
> rules before mine.

I think libvirtd will trash your virbr0 definitions, so maybe setting
up your own bridge is a better idea.

Rich.

-- 
Richard Jones, Emerging Technologies, Red Hat  http://et.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine.  Supports Linux and Windows.
http://et.redhat.com/~rjones/virt-df/
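An added example, not part of the original thread or of libvirt's own tooling, showing the two things discussed above in one POSIX sh script: a check that tells you whether a FORWARD chain (as listed by `iptables -S FORWARD`) actually accepts inbound traffic from the external interface to the libvirt bridge before libvirtd's REJECT rule, and the bridge-network alternative Rich suggests, generated as XML in the format documented at http://libvirt.org/formatnetwork.html and registered with `virsh net-define`. Assumptions: the external interface is eth0, the host bridge is named br0 and already exists, and the libvirt version in use supports `<forward mode="bridge"/>` (which the current format page documents; the 2009 release in the thread may not). The sample rule listing is constructed from the rules quoted in the post.

```shell
#!/bin/sh
# Constructed sample: libvirtd's default NAT FORWARD rules as quoted in the post.
SAMPLE_FORWARD_RULES='-A FORWARD -d 192.168.231.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.231.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# forward_allows_inbound EXT_IF BRIDGE
# Reads "iptables -S FORWARD" output on stdin. Returns 0 only if an
# "-i EXT_IF -o BRIDGE -j ACCEPT" rule appears before the "-o BRIDGE -j REJECT"
# rule, i.e. new inbound connections to guests are actually permitted.
forward_allows_inbound() {
    awk -v ext="$1" -v br="$2" '
        $0 ~ ("-i " ext " -o " br " -j ACCEPT") { found = 1; exit }
        $0 ~ ("-o " br " -j REJECT")            { exit }
        END { exit !found }'
}

# make_bridge_net_xml NAME BRIDGE
# Prints a libvirt <network> definition that attaches guests directly to an
# existing host bridge (assumed to exist already), so no NAT/FORWARD rules
# from libvirtd are involved at all.
make_bridge_net_xml() {
    printf '<network>\n'
    printf '  <name>%s</name>\n' "$1"
    printf '  <forward mode="bridge"/>\n'
    printf '  <bridge name="%s"/>\n' "$2"
    printf '</network>\n'
}

# define_bridge_net NAME BRIDGE [XMLFILE]
# Writes the XML and, when virsh is available, defines, autostarts and starts
# the network persistently. Guests then use
# <interface type="network"><source network="NAME"/></interface>.
define_bridge_net() {
    out=${3:-/tmp/$1.xml}
    make_bridge_net_xml "$1" "$2" > "$out" || return 1
    if command -v virsh >/dev/null 2>&1; then
        virsh net-define "$out" && virsh net-autostart "$1" && virsh net-start "$1"
    else
        echo "virsh not found; network XML written to $out" >&2
    fi
}

# Demonstration on the constructed sample (no side effects on the host).
if printf '%s\n' "$SAMPLE_FORWARD_RULES" | forward_allows_inbound eth0 virbr0; then
    echo "inbound eth0 -> virbr0 is accepted"
else
    echo "inbound eth0 -> virbr0 is rejected by libvirtd's rules"
fi
make_bridge_net_xml hostbridge br0
```

Run `iptables -S FORWARD | sh -c '. ./script.sh; forward_allows_inbound eth0 virbr0'` after a libvirtd restart to confirm whether a manually inserted ACCEPT rule survived; if it did not, define the bridge network with `define_bridge_net hostbridge br0` and point the guest's interface at it instead.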
