[libvirt-users] Inconsistent iptables forwarding rules for virtual networks?
Marwan Tanager
marwan.tngr at gmail.com
Wed Sep 26 03:18:35 UTC 2012
Hi everyone.
Those are the iptables forwarding rules associated with the two virtual networks
on my machine:
-----------------------------------------------------------------------------------------
-A FORWARD -d 192.168.100.0/24 -o virbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.100.0/24 -i virbr1 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-----------------------------------------------------------------------------------------
Using this setup I can ping from a guest on 192.168.100.0/24 to a guest on
192.168.122.0/24, however the reverse is not possible (I get 'port unreachable'
icmp messages). This is caused by the fourth rule, which rejects packets
forwarded to virbr1.
Moving the fourth rule to the end obviously eliminates this problem.
So, is this default setup intentional for some reason, or should the rules just
be rearranged by libvirt, so that any rule on the FORWARD chain which has a
REJECT target (i.e. which rejects forwarding "to" some virtual interface) would go to
the end of the chain, thus allowing the virtual networks to reach each
other by default?
Thanks.
Marwan
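To make the first-match behaviour described in the message concrete, here is an added Python simulation (not part of the original post and not libvirt's own code) that evaluates the FORWARD rules quoted above against a few constructed packets, once in the posted order and once with the REJECT rules moved to the end of the chain. The rule strings are the ones from the message; the sample guest addresses, interfaces and conntrack states are assumptions about what the kernel would see for a new ping in each direction and for its reply.

```python
import ipaddress
from dataclasses import dataclass

# The FORWARD rules exactly as quoted in the message.
RULES_TEXT = """
-A FORWARD -d 192.168.100.0/24 -o virbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.100.0/24 -i virbr1 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
"""


@dataclass(frozen=True)
class Packet:
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    in_if: str    # ingress interface (-i)
    out_if: str   # egress interface (-o) chosen by routing
    state: str    # conntrack state: NEW, ESTABLISHED or RELATED


def parse_rule(line):
    """Parse the subset of iptables-save syntax used above into a dict."""
    tokens = line.split()
    rule = {"chain": None, "match": {}, "target": None, "reject_with": None}
    i = 0
    while i < len(tokens):
        tok, arg = tokens[i], tokens[i + 1]
        if tok == "-A":
            rule["chain"] = arg
        elif tok in ("-s", "-d"):
            rule["match"][tok] = ipaddress.ip_network(arg)
        elif tok in ("-i", "-o"):
            rule["match"][tok] = arg
        elif tok == "-m":
            pass  # match extension name ("state"); its option follows
        elif tok == "--state":
            rule["match"]["state"] = set(arg.split(","))
        elif tok == "-j":
            rule["target"] = arg
        elif tok == "--reject-with":
            rule["reject_with"] = arg
        else:
            raise ValueError(f"unsupported option {tok!r}")
        i += 2
    return rule


def parse_rules(text):
    return [parse_rule(line) for line in text.strip().splitlines()]


def matches(rule, pkt):
    """True when every match criterion of the rule applies to the packet."""
    m = rule["match"]
    if "-s" in m and ipaddress.ip_address(pkt.src) not in m["-s"]:
        return False
    if "-d" in m and ipaddress.ip_address(pkt.dst) not in m["-d"]:
        return False
    if "-i" in m and pkt.in_if != m["-i"]:
        return False
    if "-o" in m and pkt.out_if != m["-o"]:
        return False
    if "state" in m and pkt.state not in m["state"]:
        return False
    return True


def evaluate(rules, pkt):
    """First-match semantics of a chain: return (target, 1-based rule number)."""
    for num, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule["target"], num
    return "POLICY", None  # fell through to the chain's default policy


def rejects_last(rules):
    """The reordering proposed in the message: same relative order, REJECT rules at the end."""
    return ([r for r in rules if r["target"] != "REJECT"]
            + [r for r in rules if r["target"] == "REJECT"])


# Constructed sample packets; guest addresses are chosen for the example only.
PACKETS = {
    "100->122 new":   Packet("192.168.100.10", "192.168.122.10", "virbr1", "virbr0", "NEW"),
    "122->100 new":   Packet("192.168.122.10", "192.168.100.10", "virbr0", "virbr1", "NEW"),
    "122->100 reply": Packet("192.168.122.10", "192.168.100.10", "virbr0", "virbr1", "ESTABLISHED"),
}


def audit(rules_text=RULES_TEXT):
    """Evaluate each sample packet against the posted chain and the reordered chain."""
    original = parse_rules(rules_text)
    reordered = rejects_last(original)
    return {name: {"original": evaluate(original, p),
                   "rejects_last": evaluate(reordered, p)}
            for name, p in PACKETS.items()}


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name:14s} original={result['original']}  rejects_last={result['rejects_last']}")
```

Run as-is, the simulation reproduces the asymmetry: a new connection from 192.168.100.0/24 to 192.168.122.0/24 is accepted by rule 2, while a new connection in the opposite direction is caught by rule 4 (the `-o virbr1` REJECT) before rule 7 gets a chance to match. Replies are unaffected either way because rule 1 matches ESTABLISHED traffic first. With the REJECT rules moved to the end, both directions are accepted, which also means the two virtual networks are no longer isolated from each other; whether that is the desired policy is a decision the administrator has to make rather than a property of the rule syntax.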