
Re: [fedora-virt] libvirtd and public access to guests

On Thu, Oct 08, 2009 at 01:09:35PM +0200, Pavel Lisy wrote:
> Hello
> I've started playing with libvirt and I have a question.
> What is the proper way to make a guest accessible from the net?

The shared physical device (bridging) option is what you want
to use.


> I have mode=nat in /var/lib/libvirt/network/default.xml.

NAT is for outbound internet access only - it doesn't allow
for remote clients to connect to your VM.

> libvirtd makes these rules in the FORWARD chain:
> -A FORWARD -d -o virbr0 -m state --state
> -A FORWARD -s -i virbr0 -j ACCEPT 
> -A FORWARD -i virbr0 -o virbr0 -j ACCEPT 
> -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable 
> -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable 
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited 
> If I add 
> iptables -I FORWARD -i eth0 -o virbr0 -j ACCEPT
> guests are accessible
> My question is:
> Is it possible to write this somewhere in the configuration?
> I've tried to put it in /etc/sysconfig/iptables but libvirtd puts its
> rules before mine.
> I've found two directories
> /var/lib/libvirt/iptables/filter
> /var/lib/libvirt/iptables/nat
> I suppose I can write my rules here but I haven't found any docs about
> the format. Can somebody help me with it?

You shouldn't try to overwrite/override libvirt's rules here, since libvirt
will likely just break your changes at some point. You really want to switch
to a bridged network config instead of the NAT based one.

|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
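The two points in this exchange, that libvirt's NAT-mode FORWARD rules reject new inbound connections to the guest bridge (so guests are not exposed) and that the supported way to expose a guest is to attach it to a host bridge rather than to edit those rules, can be checked and carried out with a small script. The script below is an added example written for this page; it is not code from the thread, from libvirt or from Red Hat. It assumes `eth0` is the physical NIC and `virbr0` the NAT bridge, as in the mail; the sample rules are a constructed copy of the FORWARD rules Pavel quoted, with the addresses the mail elided filled in with libvirt's default NAT subnet, and the `first_forward_verdict` evaluator is a deliberately simplified first-match model that looks only at `-i`, `-o` and `--state`.

```shell
#!/bin/sh
# Added example (not from the thread, libvirt or Red Hat).
#
# first_forward_verdict PHYS_IF BRIDGE RULES
#   Walks iptables-save style FORWARD rules in order (iptables is first-match)
#   and prints the target of the first rule matching a NEW connection that
#   arrives on PHYS_IF and leaves on BRIDGE. Simplified model: only -i, -o and
#   --state are evaluated; address matches are assumed to be satisfied for a
#   packet addressed to a guest on the bridge.
first_forward_verdict() {
  in_if=$1; out_if=$2
  printf '%s\n' "$3" | while IFS= read -r rule; do
    set -- $rule                       # split the rule into tokens
    [ "$1" = "-A" ] && [ "$2" = "FORWARD" ] || continue
    r_in=""; r_out=""; r_state=""; r_target=""
    while [ $# -gt 0 ]; do
      case $1 in
        -i) r_in=$2; shift ;;
        -o) r_out=$2; shift ;;
        --state) r_state=$2; shift ;;
        -j) r_target=$2; shift ;;
      esac
      shift
    done
    # a rule without -i/-o matches any interface
    [ -z "$r_in" ] || [ "$r_in" = "$in_if" ] || continue
    [ -z "$r_out" ] || [ "$r_out" = "$out_if" ] || continue
    # a conntrack rule that lists only RELATED,ESTABLISHED never matches NEW
    case ",$r_state," in ,,|*,NEW,*) ;; *) continue ;; esac
    printf '%s\n' "$r_target"
    break
  done
}

# bridged_interface_xml HOST_BRIDGE
#   Emits the guest <interface> definition for the "shared physical device"
#   option: the vNIC is attached to an existing host bridge (e.g. br0 that
#   already carries eth0) and gets a LAN address, so libvirtd adds no NAT or
#   FORWARD rules for it and nothing in the filter chain needs overriding.
#   Use it inside the guest's <devices> section (virsh edit <domain>).
bridged_interface_xml() {
  printf '<interface type="bridge">\n  <source bridge="%s"/>\n  <model type="virtio"/>\n</interface>\n' "$1"
}

# Constructed sample: the FORWARD rules from the mail as iptables-save would
# list them, with 192.168.122.0/24 (libvirt's default NAT subnet) standing in
# for the addresses the mail left out.
SAMPLE_NAT_RULES='-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# The same chain after the manual "iptables -I FORWARD -i eth0 -o virbr0 -j ACCEPT"
# from the mail; -I puts the rule first, so it wins on first match.
SAMPLE_OPENED_RULES="-A FORWARD -i eth0 -o virbr0 -j ACCEPT
$SAMPLE_NAT_RULES"

# Stand-alone run: audit both rule sets, then show the bridged alternative.
nat_verdict=$(first_forward_verdict eth0 virbr0 "$SAMPLE_NAT_RULES")
opened_verdict=$(first_forward_verdict eth0 virbr0 "$SAMPLE_OPENED_RULES")
echo "NAT default, new eth0 -> virbr0 flow:   $nat_verdict"
echo "after manual insert, same flow:        $opened_verdict"
echo "bridged guest interface instead:"
bridged_interface_xml br0
```

On a live host the evaluator can be fed the real chain with `first_forward_verdict eth0 virbr0 "$(iptables-save -t filter | grep '^-A FORWARD')"`; a verdict other than REJECT on the NAT bridge is the signal that someone has opened the guest network by hand, which is exactly the state libvirtd may silently undo when it rewrites its rules.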
