[fedora-virt] virbr0 messing with iptables rules?

Mark McLoughlin markmc at redhat.com
Fri Oct 23 11:04:09 UTC 2009


On Wed, 2009-10-21 at 13:47 +0200, Kenni Lund wrote:
> Hi
> 
> I just did a full system update on my F11 server, but after a reboot,
> new rules were appended to my iptables setup.
> 
> The iptables and ip6tables services are both disabled:
> # chkconfig |grep ip.*tables
> ip6tables       0:off   1:off   2:off   3:off   4:off   5:off   6:off
> iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off
> 
> I set my iptables rules in a custom firewall script in /etc/rc.local,
> which starts out by flushing all rules.
> E.g. if I run the script manually after boot, it will "fix" the issue.
> 
> The extra rules appended are:
> -----
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
> 
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
> ACCEPT     all  --  192.168.122.0/24     anywhere
> ACCEPT     all  --  anywhere             anywhere
> REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
> REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
> -----
> 
> I suppose that these rules are related to libvirt, since I have a
> virbr0 interface with the IP-address 192.168.122.1. Apparently the
> update changed something, so these firewall rules are appended after
> /etc/rc.local runs my custom firewall script.
> 
> What is the correct solution to this? In general, isn't it a bad
> design decision to have a service mess with the iptables rules,
> instead of doing this through the iptables/ip6tables services? I would
> not expect other services to mess with my rules, when I explicitly
> disabled the built-in iptables services.

Yeah, we're not happy with the way we're integrating with iptables. We
proposed one way of doing it and tried out the counter-proposal, but
we're back to square one again. The whole saga is documented here:

  https://bugzilla.redhat.com/227011

> I only use bridged networking for my virtual machines, so I don't
> suppose that I need the virbr0 interface after all. Can I disable it
> somewhere?

This should do it:

  $> virsh net-destroy default
  $> virsh net-autostart --disable default

Cheers,
Mark.
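Added example, not part of the thread or of libvirt itself: a small POSIX shell check that reads `iptables -L` output and reports whether the rules libvirt installs for its default NAT network (DNS/DHCP ACCEPTs in INPUT, 192.168.122.0/24 rules in FORWARD) are present. It is the check an admin in Kenni's position would want to run after a reboot, or after the two virsh commands above, to confirm the custom ruleset is the only thing loaded. The function names are mine, and the iptables listings embedded below are constructed to mirror the thread, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread or from libvirt): detect the iptables
# rules that libvirt's default network (virbr0, 192.168.122.0/24) installs.
# The sample listings below are constructed, not captured from a real host.

LIBVIRT_SUBNET='192.168.122.0/24'

# count_libvirt_rules: read `iptables -L` (or `iptables -L -n`) output on
# stdin and print how many rules match libvirt's default-network signature:
#   - INPUT ACCEPTs for DNS (domain/53) and DHCP (bootps/67), used by dnsmasq
#   - FORWARD rules whose source or destination is the 192.168.122.0/24 subnet
# Interface matches (-i/-o virbr0) are not shown by plain `iptables -L`, so
# this check keys on ports and subnet only; `iptables -L -v -n` or
# `iptables -S` shows the interfaces if you need them.
count_libvirt_rules() {
    awk -v subnet="$LIBVIRT_SUBNET" '
        /^Chain /                                  { chain = $2; next }
        chain == "INPUT"   && $1 == "ACCEPT" && /dpt:(domain|bootps|53|67)( |$)/ { n++ }
        chain == "FORWARD" && ($4 == subnet || $5 == subnet)                     { n++ }
        END                                        { print n + 0 }
    '
}

# libvirt_rules_present: succeed (exit 0) if any such rule is in the listing.
libvirt_rules_present() {
    [ "$(count_libvirt_rules)" -gt 0 ]
}

# disable_default_network: the remedy from the reply above. It needs a host
# with libvirt installed, so it is defined here but not called.
disable_default_network() {
    virsh net-destroy default &&
    virsh net-autostart --disable default
}

# Constructed listing mirroring the rules reported in the thread.
SAMPLE_WITH_LIBVIRT='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable'

# Constructed listing of a host-only ruleset with nothing from libvirt.
SAMPLE_CLEAN='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination'

check_sample_with_libvirt() { printf '%s\n' "$SAMPLE_WITH_LIBVIRT" | count_libvirt_rules; }
check_sample_clean()        { printf '%s\n' "$SAMPLE_CLEAN" | count_libvirt_rules; }

# Stand-alone run: report on the constructed samples, then on the live
# ruleset if we are root and iptables is available.
echo "constructed libvirt sample: $(check_sample_with_libvirt) matching rule(s)"
echo "constructed clean sample:   $(check_sample_clean) matching rule(s)"
if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
    if iptables -L 2>/dev/null | libvirt_rules_present; then
        echo "live ruleset: libvirt default-network rules present"
    else
        echo "live ruleset: no libvirt default-network rules found"
    fi
fi
```

Run it as root after a reboot: a non-zero count means libvirt re-added its rules after the rc.local script flushed the table, which is exactly the symptom in the thread; a zero count after `virsh net-destroy default` and `virsh net-autostart --disable default` confirms the default network stayed down.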