[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Libvir] Virtual network iptables rules



Daniel P. Berrange wrote:
[...]

Scenario 2: Virtual network
===========================

  net.bridge.bridge-nf-call-iptables = 1

As far as I could tell, this case is exactly the same as scenario 1, except PHYSIN is available.

Type 1: Isolated virtual network
--------------------------------

Chain POSTROUTING (policy ACCEPT 273 packets, 26341 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 29 packets, 2244 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      vnet2   0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  vnet2  *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

So the thinking here is that FORWARD will only apply to packets from DomU to the internet. Since this is an isolated network, all packets trying to go out should be rejected. I'm a bit confused as to what "vnet2" is here. It seems that any traffic to/from virbr0 should be rejected.

The rules above seem like they might match the DomU <-> DomU case (wouldn't these go through the FORWARD chain also?) If DomUs should be allowed to talk to each other (and that in itself is a policy decision) then perhaps adding a rule to allow when in = virbr0 & out = virbr0?

Chain INPUT (policy ACCEPT 76724 packets, 366M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  vnet2  *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  vnet2  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  vnet2  *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  vnet2  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67

So we have ACCEPT rules on a chain whose default policy is ACCEPT? Is there a later catch-all REJECT rule which I'm not seeing?

Type 2: Forwarding to a specific NIC only
-----------------------------------------

Chain POSTROUTING (policy ACCEPT 273 packets, 26341 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth1    192.168.200.0/24     0.0.0.0/0

Seems OK.

Chain FORWARD (policy ACCEPT 29 packets, 2244 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth1   vnet3   0.0.0.0/0            192.168.200.0/24    state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  vnet3  eth1    192.168.200.0/24     0.0.0.0/0
    0     0 REJECT     all  --  *      vnet3   0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  vnet3  *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Seems OK, except for the DomU <-> DomU case as above.

Chain INPUT (policy ACCEPT 76724 packets, 366M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  vnet3  *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  vnet3  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  vnet3  *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  vnet3  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67

Again I don't understand ACCEPT rules on a chain with default policy ACCEPT.

Type 3: Forwarding to any active NIC
------------------------------------

Same comments as for the type 2 case above.

Hopefully at least one person has read this far through the email and still
understands what is going on....

To some extent ...

Rich.

--
Emerging Technologies, Red Hat  http://et.redhat.com/~rjones/
64 Baker Street, London, W1U 7DF     Mobile: +44 7866 314 421

Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod
Street, Windsor, Berkshire, SL4 1TE, United Kingdom.
Registered in England and Wales under Company Registration No. 3798903
Directors: Michael Cunningham (USA), Charlie Peters (USA) and David
Owens (Ireland)

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]