[libvirt-users] Best practice for custom iptables rules

Laine Stump laine at laine.org
Wed Jan 8 15:17:07 UTC 2014


On 01/08/2014 01:43 PM, ZeroUno wrote:
> Hi,
> I'm using libvirt to manage some VMs on a CentOS host, and I need some
> custom iptables rules to always be in place for some communications to
> happen, e.g. between the VMs and the outside world in both directions.
>
> Some of these rules need to be at the top of the iptables chain,
> otherwise the default rules added by libvirt would block the
> communications I need.
> So I cannot just add the rules in /etc/sysconfig/iptables, because
> libvirt adds its own rules _before_ the rules contained in this config
> file.
>
> I was looking at filters, but maybe not every rule can be made into a
> filter?
> Specifically, I need a rule for the POSTROUTING chain in the "nat"
> table. Can it be added through filters?

Correct. nwfilter can't add rules to the nat table.

>
> Also, regarding the "iptables restart problem" described in the last
> paragraph at <http://libvirt.org/firewall.html>, is there really no
> acceptable way to make libvirt add its rules back automatically upon
> iptables/network restart?

Take a look at this, it may help you:

   http://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections

(Recently libvirt gained the ability for an application to register
functions that will be called when a network is
defined/undefined/started/stopped, but using that would require an
application to be running which registered the necessary callback
functions; not nearly as simple as stuffing a shell script into
/etc/libvirt/hooks (should we do that? Or are the shell script hooks
considered passé with the advent of event callbacks?))
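
The hook-script approach Laine points to, written out as an added example that is not part of this thread or of the libvirt wiki page: a /etc/libvirt/hooks/qemu script that puts a nat POSTROUTING rule (the case nwfilter cannot cover) and a FORWARD rule at position 1 of their chains when the guest starts, so they sit above the rules libvirt itself adds, and removes them when it stops. libvirt calls the qemu hook with the guest name as $1 and the operation (start, stopped, reconnect, ...) as $2; the guest name, addresses, bridge and interface below are made-up values for the example. The hook must not call back into libvirtd (no virsh), and a non-zero exit on "start" aborts the guest.

```shell
#!/bin/sh
# Example hook for /etc/libvirt/hooks/qemu (make it executable, restart libvirtd
# once so it is noticed).  libvirt runs it as
#     /etc/libvirt/hooks/qemu <guest_name> <operation> <sub-operation> -
# with the guest XML on stdin.  It must not call back into libvirtd (no virsh).
#
# All names and addresses below are assumptions for the example.
GUEST_NAME="webvm"               # guest whose rules this hook manages
GUEST_IP="192.168.122.10"        # its address on libvirt's default NAT network
BRIDGE="virbr0"                  # bridge of that network
OUT_IF="eth0"                    # host interface towards the outside world
PUBLIC_IP="203.0.113.7"          # host address to SNAT the guest to (RFC 5737 range)
IPTABLES="${IPTABLES:-/sbin/iptables}"   # set IPTABLES=echo for a dry run

# Rule bodies without table/chain/action, so insert and delete use identical text.
postrouting_spec() {
    # nat table: fixed source address for this guest instead of libvirt's MASQUERADE
    printf '%s' "-s ${GUEST_IP}/32 -o ${OUT_IF} -j SNAT --to-source ${PUBLIC_IP}"
}
forward_spec() {
    # filter table: accept new inbound connections to the guest ahead of libvirt's REJECTs
    printf '%s' "-d ${GUEST_IP}/32 -o ${BRIDGE} -m conntrack --ctstate NEW -j ACCEPT"
}

# plan <guest_name> <operation>: print the iptables argument lists to run, one per
# line, without running them.  Keeping this side-effect free makes it testable.
plan() {
    [ "$1" = "$GUEST_NAME" ] || return 0
    case "$2" in
        stopped|reconnect)     # remove first so a reconnect never leaves duplicates
            echo "-t nat -D POSTROUTING $(postrouting_spec)"
            echo "-t filter -D FORWARD $(forward_spec)"
            ;;
    esac
    case "$2" in
        start|reconnect)       # "-I <chain> 1": position 1, i.e. above libvirt's rules
            echo "-t nat -I POSTROUTING 1 $(postrouting_spec)"
            echo "-t filter -I FORWARD 1 $(forward_spec)"
            ;;
    esac
}

# run_plan <guest_name> <operation>: execute the plan.  A failed delete (rule not
# present yet) is ignored; a failed insert on "start" exits non-zero, which makes
# libvirt abort the guest start rather than run it without the rules.
run_plan() {
    while IFS= read -r args; do
        [ -n "$args" ] || continue
        case "$args" in
            *" -D "*) $IPTABLES $args 2>/dev/null || true ;;
            *)        $IPTABLES $args || exit 1 ;;
        esac
    done <<EOF
$(plan "$1" "$2")
EOF
}

# Entry point when libvirt invokes the script; no-op when sourced without arguments.
if [ $# -gt 0 ]; then
    run_plan "$1" "$2"
fi
```

Dry-run it before installing with `IPTABLES=echo sh qemu webvm start` to see the exact iptables invocations. Note what this does and does not solve: the rules come back whenever the guest is started, and on "reconnect", i.e. when libvirtd is restarted while the guest keeps running; libvirtd also re-adds its own network rules at that point, so after a `service iptables restart` a libvirtd restart restores both sets. An iptables restart on its own still flushes them, exactly as the firewall page describes.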
