[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Libvir] iptables masquerade rule overexpansive



On my system, libvirt-0.4.0-2ubuntu6 added the following rule to allow my virtual hosts NATted access to the outside world:

Chain POSTROUTING (policy ACCEPT 33904 packets, 2146K bytes)
 pkts bytes target     prot opt in     out     source               destination
  779  102K MASQUERADE  all  --  *      *       192.168.65.0/24      0.0.0.0/0

This resulted in *all* traffic being masqueraded, even between two different VMs -- preventing host-based authentication between these VMs. To temporarily resolve this, I added an additional rule, as follows:

Chain POSTROUTING (policy ACCEPT 34049 packets, 2160K bytes)
 pkts bytes target     prot opt in     out     source               destination
  156  9752 ACCEPT     all  --  *      *       192.168.65.0/24      192.168.65.0/24
  865  109K MASQUERADE  all  --  *      *       192.168.65.0/24      0.0.0.0/0

The network definition being used was as follows:

<network>
  <name>default</name>
  <uuid>a7c5b18c-9d38-40ed-9b12-8b1a27013b85</uuid>
  <bridge name="virbr%d" />
  <forward/>
  <ip address="192.168.65.253" netmask="255.255.255.0"/>
</network>

I'm frankly unclear on why the packets attempted to forward through .253 in any event -- the routing tables on both VMs refer to 192.168.65.0/24 as part of the local network, so my expectation is that no attempt to route through the default gateway should have occurred.

In any event, having libvirt extend the MASQUERADE rule to avoid impacting traffic between hosts on the virtual network -- or adding a paired ACCEPT, as I did above -- would probably be a Good Thing.
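
The effect described in this message comes down to first-match semantics in the nat POSTROUTING chain (and to the fact that, with br_netfilter's bridge-nf-call-iptables enabled, frames bridged between two VMs on virbr0 are run through iptables even though no routing decision sends them via .253). The following is an added example, not code from the original post or from libvirt: a small Python model of the chain that evaluates three variants against constructed VM-to-VM and VM-to-outside packets. The 192.168.65.0/24 network is taken from the post; the VM addresses and the 203.0.113.5 destination are made up, and the `to_iptables()` rendering shows the equivalent iptables commands (real iptables syntax, assumed here to be what one would type). Note that ACCEPT in the nat table only means "stop traversing this chain without NATting", and that the nat table is consulted for the first packet of a connection only.

```python
"""Model of iptables nat/POSTROUTING first-match semantics (added example).

The three chains below are:
  ORIGINAL_CHAIN       the single MASQUERADE rule the post complains about
  PAIRED_ACCEPT_CHAIN  the workaround from the post: ACCEPT intra-subnet first
  SCOPED_CHAIN         a single MASQUERADE rule restricted with '! -d'
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = "192.168.65.0/24"          # from the libvirt network definition
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    target: str
    src: str = ANY
    dst: str = ANY
    dst_negated: bool = False     # models '! -d <dst>'

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        """True if the packet matches both the source and destination selectors."""
        src_ok = ip_address(src_ip) in ip_network(self.src)
        in_dst = ip_address(dst_ip) in ip_network(self.dst)
        # A negated destination match is satisfied when the address is NOT in dst.
        return src_ok and (in_dst != self.dst_negated)

    def to_iptables(self) -> str:
        """Render the rule as the iptables command that would append it."""
        parts = ["iptables -t nat -A POSTROUTING"]
        if self.src != ANY:
            parts.append(f"-s {self.src}")
        if self.dst != ANY:
            parts.append(("! " if self.dst_negated else "") + f"-d {self.dst}")
        parts.append(f"-j {self.target}")
        return " ".join(parts)


def postrouting_verdict(chain, src_ip: str, dst_ip: str, policy: str = "ACCEPT") -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(src_ip, dst_ip):
            return rule.target
    return policy


ORIGINAL_CHAIN = [Rule("MASQUERADE", src=VNET)]
PAIRED_ACCEPT_CHAIN = [Rule("ACCEPT", src=VNET, dst=VNET),
                       Rule("MASQUERADE", src=VNET)]
SCOPED_CHAIN = [Rule("MASQUERADE", src=VNET, dst=VNET, dst_negated=True)]

# Constructed sample packets (addresses are illustrative, not from the post).
VM_TO_VM = ("192.168.65.10", "192.168.65.20")
VM_TO_OUTSIDE = ("192.168.65.10", "203.0.113.5")
OUTSIDE_TO_VM = ("203.0.113.5", "192.168.65.10")


def compare_chains() -> dict:
    """Verdict for each sample packet under each chain variant."""
    chains = {"original": ORIGINAL_CHAIN,
              "paired_accept": PAIRED_ACCEPT_CHAIN,
              "scoped": SCOPED_CHAIN}
    packets = {"vm_to_vm": VM_TO_VM,
               "vm_to_outside": VM_TO_OUTSIDE,
               "outside_to_vm": OUTSIDE_TO_VM}
    return {name: {pkt: postrouting_verdict(chain, *addrs)
                   for pkt, addrs in packets.items()}
            for name, chain in chains.items()}


if __name__ == "__main__":
    for name, verdicts in compare_chains().items():
        print(f"{name}: {verdicts}")
    for rule in SCOPED_CHAIN:
        print(rule.to_iptables())
```

Running it shows the original chain masquerading the VM-to-VM packet (source rewritten to the bridge address, which is what breaks host-based authentication), while both the paired-ACCEPT and the `! -d` variants leave it alone and still masquerade traffic leaving the subnet. Traffic entering the subnet from outside never matches the `-s 192.168.65.0/24` selector and falls through to the ACCEPT policy in all three cases.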
