[fedora-virt] virbr0 messing with iptables rules?
Kenni Lund
kenni at kelu.dk
Wed Oct 21 11:47:52 UTC 2009
Hi
I just did a full system update on my F11 server, but after a reboot,
new rules were appended to my iptables setup.
The iptables and ip6tables services are both disabled:
# chkconfig |grep ip.*tables
ip6tables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
I set my iptables rules in a custom firewall script in /etc/rc.local,
which starts out by flushing all rules.
E.g., if I run the script manually after boot, it will "fix" the issue.
The extra rules appended are:
-----
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
-----
I suppose that these rules are related to libvirt, since I have a
virbr0 interface with the IP address 192.168.122.1. Apparently the
update changed something, so these firewall rules are appended after
/etc/rc.local runs my custom firewall script.
What is the correct solution to this? In general, isn't it a bad
design decision to have a service mess with the iptables rules,
instead of doing this through the iptables/ip6tables services? I would
not expect other services to mess with my rules, when I explicitly
disabled the built-in iptables services.
I only use bridged networking for my virtual machines, so I don't
suppose that I need the virbr0 interface after all. Can I disable it
somewhere?
Best Regards
Kenni Lund
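The listing in the post shows the rule pattern libvirt's default network installs for the virbr0 subnet: DNS and DHCP accepts (dpt:domain, dpt:bootps) on INPUT and accepts to and from 192.168.122.0/24 on FORWARD. The script below is an added example, not code from the post or from libvirt: it scans an `iptables -L` style listing for that pattern so an admin can verify, after /etc/rc.local has run the custom firewall script, whether anything appended such rules behind it. The function names, the LIBVIRT_SUBNET variable and the two sample listings are constructed for this example; the samples use the same layout as the post's output.

```shell
#!/bin/sh
# Added example (not from the original post): audit an iptables listing for
# rules matching the libvirt default-network pattern shown in the post.

# Constructed sample listing: the post's libvirt rules plus one unrelated
# admin rule (ssh). `iptables -L` prints service names; `iptables -L -n`
# prints port numbers, and the matcher below accepts both forms.
SAMPLE_RULES='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample of what the table should look like once only the
# custom firewall script has run (no libvirt rules present).
CLEAN_RULES='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Subnet of libvirt'"'"'s default network, as seen on virbr0 in the post.
# Assumed default; override with LIBVIRT_SUBNET if your network differs.
LIBVIRT_SUBNET="${LIBVIRT_SUBNET:-192.168.122.0/24}"

# find_libvirt_rules: read an iptables listing on stdin and print every rule
# that fits the libvirt pattern as "CHAIN: <rule line>". Exit status is 0
# when the table is clean and 1 when at least one such rule was found.
# Limitation: the catch-all ACCEPT/REJECT rules libvirt also adds to FORWARD
# cannot be attributed by pattern alone, so they are not reported here.
find_libvirt_rules() {
    awk -v subnet="$LIBVIRT_SUBNET" '
        /^Chain /  { chain = $2; next }   # remember which chain we are in
        /^target / { next }               # skip the column header
        NF == 0    { next }               # skip blank separator lines
        chain == "INPUT" && $1 == "ACCEPT" && /dpt:(domain|bootps|53|67)$/ {
            print chain ": " $0; n++; next
        }
        chain == "FORWARD" && index($0, subnet) > 0 {
            print chain ": " $0; n++
        }
        END { exit (n > 0) }
    '
}

# count_libvirt_rules LISTING: number of matching rules in the given text.
count_libvirt_rules() {
    printf '%s\n' "$1" | find_libvirt_rules | wc -l | tr -d ' '
}

# Stand-alone run: report on the constructed sample; with CHECK_LIVE set,
# inspect the running table instead (needs root for iptables).
if [ -n "$CHECK_LIVE" ]; then
    iptables -L -n | find_libvirt_rules
else
    printf 'Sample listing: %s libvirt-pattern rule(s) found\n' \
        "$(count_libvirt_rules "$SAMPLE_RULES")"
fi
```

Running `CHECK_LIVE=1 sh audit.sh` from the end of the custom firewall script, or from cron a minute after boot, gives a cheap check that the script really ran last; a non-zero exit means something re-added the default-network rules. In libvirt the interface virbr0 belongs to the network named `default`, so on a host that only uses bridged networking, `virsh net-destroy default` takes it down and `virsh net-autostart default --disable` keeps it from returning at boot, after which this check should stay clean.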