On 1/29/25 8:39 AM, oza.4h07(a)gmail.com wrote:
Hello,
When I install libvirt-daemon on a Debian 12 host, I can see the iptables rules below
being added.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
COMMIT
For some reason, I need to add a couple of other rules.
How can I do that?
I assume you are actually using libvirt's "default" virtual network, and
that the rules you want to add are related to that network? If the rules
are unrelated, you can set them up however / wherever you like. But if
these rules are directly related to the virtual network created by
libvirt, then take a look at
https://libvirt.org/hooks.html
You can add extra rules by creating the file /etc/libvirt/hooks/network
(which is a shell script) and running the appropriate nftables/iptables
commands there. The above linked page will show you how to construct the
script so that commands to add rules (or other stuff) are run when the
network starts, and other commands to remove/undo the rules/stuff are
run when the network is stopped.
(BTW, if your distro has libvirt 10.4.0 or newer, you can tell it to use
nftables rules rather than iptables - just add:
firewall_backend = "nftables"
to /etc/libvirt/network.conf)
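An added example (not from the reply author, and not part of libvirt itself) of what the /etc/libvirt/hooks/network script described above can look like. It follows the calling convention documented on the linked hooks page: libvirt runs the script as `network <name> <operation> <sub-operation> <extra>`, with "started" fired after the network is up and "stopped" after it has gone down, so the rule is added in one case and removed with the identical rule text in the other. The rule itself (accepting TCP/22 from the 192.168.122.0/24 guest subnet into the host) is an arbitrary illustration; the RULE_CMD variable and the `-m comment` tag are assumptions of this example, added so the rule can be recognised later and so the script can be dry-run without touching a real firewall.

```shell
#!/bin/sh
# Example /etc/libvirt/hooks/network (added example, not libvirt's own code).
# libvirt invokes it as:  network <name> <operation> <sub-operation> <extra>
# and passes the network XML on stdin (ignored here).
# Only libvirt's "default" network is handled.

# Assumption of this example: RULE_CMD lets the script be dry-run by
# pointing it at something other than the real iptables binary.
RULE_CMD="${RULE_CMD:-iptables}"
NET_BRIDGE="virbr0"                 # bridge of the default network (from the rules above)
NET_SUBNET="192.168.122.0/24"       # guest subnet of the default network (from the rules above)

# rule_spec: print the rule body (everything after -I/-D) so that exactly
# the same text is used when adding and when deleting the rule.
# The comment match is an assumption of this example, used as a tag so the
# rule is easy to find in "iptables -S INPUT" output.
rule_spec() {
    printf '%s' "INPUT -i $NET_BRIDGE -s $NET_SUBNET -p tcp -m tcp --dport 22 \
-m comment --comment hook-default-ssh -j ACCEPT"
}

# hook_action NAME OPERATION -> prints "add", "delete" or "none"
# Maps the libvirt hook event to the firewall change we want.
hook_action() {
    net="$1"
    op="$2"
    if [ "$net" != "default" ]; then
        echo none
        return 0
    fi
    case "$op" in
        started) echo add ;;      # network is up: insert our rule
        stopped) echo delete ;;   # network is down: remove the same rule
        *)       echo none ;;     # start/port-created/port-deleted/updated: nothing to do
    esac
}

# apply_hook NAME OPERATION: run the firewall command for this event.
# $(rule_spec) is intentionally unquoted so it splits into arguments.
apply_hook() {
    action=$(hook_action "$1" "$2")
    case "$action" in
        add)    $RULE_CMD -I $(rule_spec) ;;
        delete) $RULE_CMD -D $(rule_spec) ;;
        none)   : ;;
    esac
}

# libvirt passes the network name as $1 and the operation as $2.
apply_hook "$1" "$2"
```

Remember to make the script executable and to restart libvirtd so the hook is picked up; the page linked above covers both. Because the delete path reuses rule_spec verbatim, `iptables -D` finds the exact rule that was inserted, which is the property you want from a hook that must undo its own changes when the network stops.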