On Thu, Mar 27, 2008 at 03:35:54PM -0500, Charles Duffy wrote:
> Daniel P. Berrange wrote:
>> Instead of having the separate ACCEPT rule I think it would be sufficient
>> to replace the 0.0.0.0/0 target with ! 192.168.65.0/24, eg
>>
>> iptables -t nat -A POSTROUTING \
>>   --source 192.168.65.0/24 \
>>   --destination ! 192.168.65.0/24 \
>>   -j MASQUERADE
>>
>> so it will masquerade traffic which is leaving the ip range of the virtual
>> network only, and leave ip traffic between the VMs & VM<->host alone.
>
> I considered that -- but while it will work as long as the default
> forward rule is ACCEPT, it could result in hosts being unable to
> communicate with each other if the default rule for the table is otherwise.
The default rule shouldn't come into play, because we add explicit rules
to allow direct guest<->guest and guest<->host traffic already:

    0     0 ACCEPT     all  --  *       virbr0  0.0.0.0/0           192.168.122.0/24    state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0  *       192.168.122.0/24    0.0.0.0/0
    0     0 ACCEPT     all  --  virbr0  virbr0  0.0.0.0/0           0.0.0.0/0
Regards,
Dan.
--
|: Red Hat, Engineering, Boston   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
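As an added illustration of the point made in this exchange (this is not code from the thread or from libvirt): a small Python model of iptables first-match evaluation, loaded with the three FORWARD rules listed above and the negated-destination MASQUERADE rule from the proposal, applied to libvirt's default 192.168.122.0/24 network. The Packet and Rule types, the eth0 interface name and the sample addresses are assumptions constructed for the example. It shows that guest<->guest and guest->outside forwarding is accepted by the explicit rules whatever the chain's default policy is, that only traffic leaving the subnet gets masqueraded, and that an unsolicited inbound packet still falls through to the policy.

```python
# Added example (not from the thread or from libvirt): a first-match model of
# the FORWARD filter chain and the POSTROUTING nat rule discussed above, so the
# effect of the chain's default policy can be checked without touching a real
# firewall. Packet, Rule, the "eth0" name and the sample addresses are all
# constructed for this illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = ip_network("192.168.122.0/24")  # libvirt's default virtual network
BRIDGE = "virbr0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str          # interface the packet arrived on
    out_if: str         # interface it would be routed out of
    state: str = "NEW"  # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass(frozen=True)
class Rule:
    target: str
    in_if: str = "*"
    out_if: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dst_negated: bool = False  # the "--destination ! a.b.c.d/n" form
    states: tuple = ()         # empty: no "-m state" match on the rule

    def matches(self, p: Packet) -> bool:
        if self.in_if != "*" and p.in_if != self.in_if:
            return False
        if self.out_if != "*" and p.out_if != self.out_if:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        # With negation the rule matches only when dst is OUTSIDE the network.
        dst_in = ip_address(p.dst) in ip_network(self.dst)
        if dst_in == self.dst_negated:
            return False
        if self.states and p.state not in self.states:
            return False
        return True


def evaluate(chain, policy, p):
    """iptables semantics: the first matching rule decides; otherwise policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


# The three FORWARD rules from Dan's listing, in order.
FORWARD = [
    Rule("ACCEPT", out_if=BRIDGE, dst=str(VNET), states=("RELATED", "ESTABLISHED")),
    Rule("ACCEPT", in_if=BRIDGE, src=str(VNET)),
    Rule("ACCEPT", in_if=BRIDGE, out_if=BRIDGE),
]

# The proposed single nat rule: masquerade only what leaves the subnet.
POSTROUTING = [
    Rule("MASQUERADE", src=str(VNET), dst=str(VNET), dst_negated=True),
]


def forward_verdict(p, policy="DROP"):
    return evaluate(FORWARD, policy, p)


def nat_verdict(p):
    # nat chains have no DROP; "ACCEPT" here means "leave addresses alone".
    return evaluate(POSTROUTING, "ACCEPT", p)


if __name__ == "__main__":
    guest_to_guest = Packet("192.168.122.10", "192.168.122.11", BRIDGE, BRIDGE)
    guest_to_net = Packet("192.168.122.10", "203.0.113.5", BRIDGE, "eth0")
    reply = Packet("203.0.113.5", "192.168.122.10", "eth0", BRIDGE, "ESTABLISHED")
    unsolicited = Packet("203.0.113.5", "192.168.122.10", "eth0", BRIDGE, "NEW")
    for name, p in [("guest->guest", guest_to_guest), ("guest->net", guest_to_net),
                    ("reply", reply), ("unsolicited", unsolicited)]:
        print(f"{name:12} FORWARD(policy DROP)={forward_verdict(p):6} "
              f"POSTROUTING={nat_verdict(p)}")
```

Running it with the chain policy set to DROP rather than ACCEPT changes nothing for the guest-originated cases, which is the observation in the reply above: the explicit rules match before the policy is consulted, so the negated-destination nat rule can be used without relying on the policy.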