On Thu, Mar 27, 2008 at 03:35:54PM -0500, Charles Duffy wrote:
Daniel P. Berrange wrote:
Instead of having the separate ACCEPT rule I think it would be sufficient to replace the 0.0.0.0/0 target with ! 192.168.65.0/24, eg
iptables -t nat -A POSTROUTING --source 192.168.65.0/24 --destination ! 192.168.65.0/24 -j MASQUERADE
so it will masquerade traffic which is leaving the ip range of the virtual network only, and leave ip traffic between the VMs & VM<->host alone.
I considered that -- but while it will work as long as the default forward rule is ACCEPT, it could result in hosts being unable to communicate with each other if the default rule for the table is otherwise.
The default rule shouldn't come into play, because we add explicit rules to allow direct guest<->guest and guest<->host traffic already 0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 state RELATED,ESTABLISHED 0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0 0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0 Regards, Dan. -- |: Red Hat, Engineering, Boston -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|