
Re: [virt-tools-list] iptables rate limiting for bridged connection (kvm created bridge)



On 10/27/2010 09:20 AM, Tapas Mishra wrote:
> I have a KVM host set up with 4 VMs running on top of it (the server
> has 4 LAN cards and only one is currently active).
> In ifconfig -a I see vnet0, vnet1, vnet2, vnet2.
>
> 1) What are these vnet0, vnet1, vnet2, vnet2 which I see? I used
> KVM and virt-manager to create a bridged setup.
> virt-manager created four interfaces, all in the same bridge, or one bridge
> as vmnet1 and the rest of the VMs are using this.
>
> 2) When limiting the rate of incoming connections, what interface should I
> specify in place of eth0? The following rule definitely will not work:
>
> -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m
> recent --update --seconds 90 --hitcount 5 --name DEFAULT --rsource -j
> DROP

Create bridges for the other interfaces and simply assign them to VMs.

When dealing with bridges it is important to remember that the /etc/sysconfig/network-scripts/ifcfg-* files are executed in alphabetical order.

That means that br0 will try to come up before eth0 which can break things. :)

For bridges that want to add an already working interface, the bridge needs to be created after the interface comes up.

We usually create ifcfg-zbr0 with br0 defined inside it. That way eth0 comes up and then gets added to the new bridge br0.

Like this:

# cat ifcfg-zbr0
DEVICE=br0
ONBOOT=yes
TYPE=BRIDGE
BOOTPROTO=none

Interfaces that only host VM connections do not need to have an IP assigned.

Here is an eth1 dedicated to VM(s).

# cat ifcfg-eth1
DEVICE=eth1
BOOTPROTO=static
TYPE=Ethernet
BRIDGE=br1
ONBOOT=yes

and the bridge:

# cat ifcfg-zbr1
DEVICE=br1
ONBOOT=yes
TYPE=BRIDGE
BOOTPROTO=none

Good Luck!
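Because the reply's whole point is that the ifcfg-* files are brought up in alphabetical order, a useful sanity check before rebooting a host is to verify that every file enslaving an interface (BRIDGE=brX) sorts before the file that defines that bridge (DEVICE=brX). The script below is an added example, not code from the thread or from any distribution's network scripts; it assumes the ifcfg files use plain KEY=VALUE lines, takes the directory as its first argument, and builds a constructed sample directory (one broken layout using ifcfg-br0, one correct layout using the ifcfg-zbr1 naming from the reply) so it can be run offline.

```shell
#!/bin/sh
# Added example: check that bridge member files sort before their bridge file,
# mirroring the "ifcfg-zbr0" naming trick from the reply.
# Assumption: ifcfg-* files contain plain KEY=VALUE lines (no sourcing of other files).

check_bridge_order() {
    dir=$1
    rc=0
    for f in "$dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        # Does this file enslave its interface to a bridge?
        bridge=$(sed -n 's/^BRIDGE=//p' "$f" | tr -d '"')
        [ -n "$bridge" ] || continue
        # Locate the file that defines that bridge device (first match wins).
        bfile=$(grep -lx "DEVICE=$bridge" "$dir"/ifcfg-* 2>/dev/null | head -n1)
        if [ -z "$bfile" ]; then
            echo "WARN: $(basename "$f") references $bridge but no ifcfg file defines DEVICE=$bridge"
            rc=1
            continue
        fi
        # The member file must come first in C-locale sort order, i.e. the order
        # the network scripts process the files in.
        first=$(printf '%s\n%s\n' "$(basename "$f")" "$(basename "$bfile")" | LC_ALL=C sort | head -n1)
        if [ "$first" != "$(basename "$f")" ]; then
            echo "BAD: $(basename "$bfile") (defines $bridge) sorts before $(basename "$f") (its member)"
            rc=1
        else
            echo "OK: $(basename "$f") -> $(basename "$bfile")"
        fi
    done
    return $rc
}

# Constructed sample directory (not a real host): br0 is defined in ifcfg-br0,
# which sorts before ifcfg-eth0 and so comes up first; br1 follows the reply's
# ifcfg-zbr1 convention and sorts after ifcfg-eth1.
make_sample() {
    d=$(mktemp -d)
    printf 'DEVICE=br0\nONBOOT=yes\nTYPE=BRIDGE\nBOOTPROTO=none\n' > "$d/ifcfg-br0"
    printf 'DEVICE=eth0\nBRIDGE=br0\nONBOOT=yes\nTYPE=Ethernet\n' > "$d/ifcfg-eth0"
    printf 'DEVICE=eth1\nBRIDGE=br1\nONBOOT=yes\nTYPE=Ethernet\n' > "$d/ifcfg-eth1"
    printf 'DEVICE=br1\nONBOOT=yes\nTYPE=BRIDGE\nBOOTPROTO=none\n' > "$d/ifcfg-zbr1"
    echo "$d"
}

# Usage on a real host: check_bridge_order /etc/sysconfig/network-scripts
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample)
    check_bridge_order "$sample"
    rm -rf "$sample"
fi
```

Running it with --demo flags ifcfg-eth0/ifcfg-br0 as BAD and ifcfg-eth1/ifcfg-zbr1 as OK; renaming ifcfg-br0 to ifcfg-zbr0, as the reply suggests, makes the check pass.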

