Re: [fedora-virt] bridge network with iptables running on host?
- From: Mark McLoughlin <markmc redhat com>
- To: Tom Horsley <tom horsley att net>
- Cc: "fedora-virt redhat com" <fedora-virt redhat com>
- Subject: Re: [fedora-virt] bridge network with iptables running on host?
- Date: Wed, 02 Sep 2009 16:09:28 +0100
(Sorry for the delay in replying)
On Sun, 2009-08-23 at 20:41 -0400, Tom Horsley wrote:
> On Sun, 23 Aug 2009 17:06:04 -0700
> Dale Bewley wrote:
>
> > On Fri, 2009-08-21 at 18:35 -0400, Tom Horsley wrote:
> > > Do I have to tell the host to forward everything (rather than
> > > forwarding nothing as I have it now)?
> >
> > You are going to need something like this:
> > iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
> >
> > Take a peek in /var/lib/libvirt/iptables for the rules that libvirt
> > inserts when you use a libvirt defined network.
>
> Actually I finally discovered it was a combination of several
> completely different things. I wasn't using the default libvirt
> networking, so I didn't need any NAT related rule.
>
> I was instead using a bridge I defined. So first
> I had to discover what the heck the /etc/sysctl.conf
> settings recommended in a few places actually meant to know
> that I really did need:
>
> net.bridge.bridge-nf-call-arptables = 0
> net.bridge.bridge-nf-call-ip6tables = 0
> net.bridge.bridge-nf-call-iptables = 0
>
> to prevent my VMs from being filtered by my host's iptables.
Note:
http://wiki.libvirt.org/page/Networking#Fedora.2FRHEL_Bridging
We used to recommend the "physdev-is-bridged" iptables rule, but now we
recommend disabling iptables on the bridge altogether. See:
https://bugzilla.redhat.com/512206
'bridge-nf-call-iptables = 0' will be the default with Fedora 12.
Cheers,
Mark.
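As an added example, not part of this thread or of libvirt, here is a small POSIX sh check that audits a sysctl.conf-style file for the three bridge-nf-call settings quoted above and reports any that are not 0. The sample file content is constructed; treating an absent key as "unset" (and therefore still filtered) is an assumption based on the thread's remark that 0 only becomes the default with Fedora 12.

```shell
#!/bin/sh
# Added example (not from the thread): audit a sysctl.conf-style file for the
# three bridge-nf-call-* keys that keep bridged guest frames out of the host's
# arptables/ip6tables/iptables chains. An absent key is reported as "unset"
# (assumed to mean the pre-Fedora-12 default of 1, i.e. still filtered).

# Print the last value assigned to key "$2" in file "$1", or "unset".
# Ignores comments and tolerates whitespace around '='.
sysctl_conf_value() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                        # strip trailing comments
        /=/ {
            split($0, kv, "=")
            gsub(/^[ \t]+|[ \t]+$/, "", kv[1])   # trim key
            gsub(/^[ \t]+|[ \t]+$/, "", kv[2])   # trim value
            if (kv[1] == key) last = kv[2]        # later lines win
        }
        END { print (last == "" ? "unset" : last) }
    ' "$1"
}

# Print "key=value" for every bridge-nf-call key whose value is not 0.
# Prints nothing when the file matches the recommendation in the thread.
audit_bridge_nf() {
    for key in net.bridge.bridge-nf-call-arptables \
               net.bridge.bridge-nf-call-ip6tables \
               net.bridge.bridge-nf-call-iptables; do
        val=$(sysctl_conf_value "$1" "$key")
        [ "$val" = "0" ] || printf '%s=%s\n' "$key" "$val"
    done
}

# Constructed sample (not a real host): ip6tables key missing, iptables still 1.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sysctl.conf fragment
net.ipv4.ip_forward = 0
net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-iptables = 1   # bridged frames still hit FORWARD
EOF

audit_bridge_nf "$sample"
```

Because `sysctl -a` prints the same `key = value` syntax, saving its output to a file and pointing `audit_bridge_nf` at it checks the running kernel rather than the config file.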