
On 09/22/2010 02:49 PM, Daniel P. Berrange wrote:
> On Wed, Sep 22, 2010 at 02:19:31PM -0400, Stefan Berger wrote:
>> On a recent installation of FC13, the filtering of IP/IPv6 traffic using iptables/ip6tables did not work since the proc filesystem entries /proc/sys/net/bridge/bridge-nf-call-iptables and /proc/sys/net/bridge/bridge-nf-call-ip6tables contained a zero each and no traffic went into the FORWARD chain. The patch below makes sure that if iptables or ip6tables are being used by the nwfilter driver, a '1' is written into the relevant proc filesystem entry so that the traffic goes into the FORWARD chain.
>
> NACK to this. We need to figure out how to make this filtering work with them set to 0. The change to set them to 0 by default is explicitly done for the benefit of virtualization, otherwise guest traffic gets blocked by regular host firewall rules, which is not desirable. e.g. run system-config-firewall and block the ssh port on the host, and you've blocked it on all the guests too :-(
>
> Daniel

The ssh port blocking for the host is a rule that goes into the INPUT table. That is independent of what libvirt does with the FORWARD table and this host rule would not influence the guest rules and vice versa. Traffic destined to bridged guests will NOT go through the INPUT table, only traffic from guests towards their own host will go through it.

Regards,
Stefan
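As an added illustration (not libvirt code and not from either poster), the following POSIX shell check reads the two bridge-nf-call entries discussed in the thread and reports whether bridged guest traffic will be handed to iptables/ip6tables at all, which is the precondition for any nwfilter rule in the FORWARD chain to see it. The function names bridge_nf_state and check_bridge_nf are my own; the file paths are parameters so the check can be exercised against constructed sample files, and the two sample files below are constructed here so the script runs on a machine without the bridge module loaded. On a real host, call check_bridge_nf with no arguments to read the /proc/sys/net/bridge entries.

```shell
#!/bin/sh
# Added example: report whether bridged traffic is passed to iptables /
# ip6tables (value 1) or bypasses them (value 0). Not part of libvirt.

# bridge_nf_state FILE
# Prints "filtered" for 1, "bypassed" for 0, "unavailable" if FILE is
# missing (bridge module not loaded) or holds an unexpected value.
# Return status: 0 = filtered, 1 = bypassed, 2 = unavailable.
bridge_nf_state() {
    file=$1
    [ -r "$file" ] || { echo unavailable; return 2; }
    value=$(cat "$file")
    case "$value" in
        1) echo filtered; return 0 ;;
        0) echo bypassed; return 1 ;;
        *) echo unavailable; return 2 ;;
    esac
}

# check_bridge_nf [IPV4_FILE] [IPV6_FILE]
# Summarises both entries; returns 0 only if both families are filtered.
# Defaults are the real proc entries named in the thread.
check_bridge_nf() {
    ipv4_file=${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}
    ipv6_file=${2:-/proc/sys/net/bridge/bridge-nf-call-ip6tables}
    rc=0
    for f in "$ipv4_file" "$ipv6_file"; do
        state=$(bridge_nf_state "$f") || rc=1
        printf '%s: %s\n' "$f" "$state"
    done
    return $rc
}

# Constructed sample entries (assumption: mirror the FC13 state described
# in the thread for IPv4, and an enabled entry for IPv6).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
printf '0\n' > "$tmpdir/bridge-nf-call-iptables"
printf '1\n' > "$tmpdir/bridge-nf-call-ip6tables"

if check_bridge_nf "$tmpdir/bridge-nf-call-iptables" "$tmpdir/bridge-nf-call-ip6tables"; then
    echo "bridged guest traffic reaches the FORWARD chain for IPv4 and IPv6"
else
    echo "at least one family bypasses iptables; FORWARD-chain nwfilter rules will not see it"
fi
```

The check deliberately only reports; whether the right remedy is writing a 1 into the entry (Stefan's patch) or making filtering work with 0 (Daniel's objection) is exactly what the thread is debating, and a diagnostic that shows the current state is useful under either outcome.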