On 01/08/2014 01:43 PM, ZeroUno wrote:
> Hi,
> I'm using libvirt to manage some VMs on a CentOS host, and I need some
> custom iptables rules to always be in place for some communications to
> happen, e.g. between the VMs and the outside world in both directions.
> Some of these rules need to be at the top of the iptables chain,
> otherwise the default rules added by libvirt would block the
> communications I need.
> So I cannot just add the rules in /etc/sysconfig/iptables, because
> libvirt adds its own rules _before_ the rules contained in this config
> file.
> I was looking at filters, but maybe not every rule can be made into a
> filter?
> Specifically, I need a rule for the POSTROUTING chain in the "nat"
> table. Can it be added through filters?
Correct. nwfilter can't add rules to the nat table.
> Also, regarding the "iptables restart problem" described in the last
> paragraph at <http://libvirt.org/firewall.html>, is there really no
> acceptable way to make libvirt add its rules back automatically upon
> iptables/network restart?
Take a look at this, it may help you:
http://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections
(Recently libvirt gained the ability for an application to register
functions that will be called when a network is
defined/undefined/started/stopped, but using that would require an
application to be running which registered the necessary callback
functions; not nearly as simple as stuffing a shell script into
/etc/libvirt/hooks (should we do that? Or are the shell script hooks
considered passe with the advent of event callbacks?))
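As an added illustration of the hook-script route the reply points to (this is example code written for this page, not the script from the libvirt wiki and not part of libvirt itself), the following /etc/libvirt/hooks/qemu script inserts a nat/POSTROUTING rule for one guest when that guest starts and removes it when it stops. The guest name "webvm", the addresses 192.168.122.10 and 203.0.113.5, and the interface eth0 are hypothetical placeholders. It assumes the documented qemu hook calling convention (guest name and operation as the first two arguments) and a stock iptables binary.

```shell
#!/bin/sh
# Example libvirt qemu hook script: install a nat/POSTROUTING rule for one guest
# when it starts, and remove it when it stops. Install as /etc/libvirt/hooks/qemu
# (mode 0755) and restart libvirtd so it is picked up.
#
# libvirt invokes the hook as:  qemu <guest-name> <operation> <sub-operation> -
# with the domain XML on stdin. Only the first two arguments are used here.
#
# The guest name, addresses and interface below are hypothetical placeholders;
# override them through the environment or edit them for a real host.
GUEST_NAME="${GUEST_NAME:-webvm}"
GUEST_IP="${GUEST_IP:-192.168.122.10}"     # guest address on the libvirt bridge
SNAT_IP="${SNAT_IP:-203.0.113.5}"          # public address to source-NAT the guest to
OUT_IF="${OUT_IF:-eth0}"                   # host interface toward the outside world
IPTABLES="${IPTABLES:-iptables}"           # command to run (overridable for testing)

# Match/target part of the rule; the table and chain are fixed to nat/POSTROUTING.
rule_args() {
    printf '%s' "-s $GUEST_IP/32 -o $OUT_IF -j SNAT --to-source $SNAT_IP"
}

# Remove every copy of the rule. Looping on -D makes the hook idempotent: if it
# ran twice (e.g. start followed by reconnect) no duplicate rules are left behind.
# Word splitting of $(rule_args) is intentional.
delete_rule() {
    while $IPTABLES -t nat -D POSTROUTING $(rule_args) 2>/dev/null; do :; done
}

# Insert the rule at the top of POSTROUTING (-I, not -A). By the time a guest
# starts, libvirt's own network rules are already present, so -I places the
# custom rule ahead of them; -A would append it behind them.
insert_rule() {
    delete_rule
    $IPTABLES -t nat -I POSTROUTING $(rule_args)
}

# Map a libvirt hook operation to what this script should do.
# "reconnect" fires when libvirtd restarts and finds the guest already running,
# which is exactly the moment a firewall reload may have flushed the rule.
hook_action() {
    case "$1" in
        start|reconnect) echo insert ;;
        stopped)         echo delete ;;
        *)               echo none ;;
    esac
}

main() {
    # The hook runs for every guest on the host; ignore all but the one we manage.
    [ "$1" = "$GUEST_NAME" ] || return 0
    case "$(hook_action "$2")" in
        insert) insert_rule ;;
        delete) delete_rule ;;
    esac
}

if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Two points worth keeping in mind. The rule is inserted with -I rather than -A because the domain hook runs after libvirt has already installed its network rules, so -I is what actually gets the custom rule above them, which is the asker's requirement. And the rule is still lost when iptables is restarted; restarting libvirtd (the workaround the firewall page already gives for libvirt's own rules) invokes the hook with the "reconnect" operation for each running guest, so the custom rule comes back at the same time. Test the script by hand with "sh /etc/libvirt/hooks/qemu webvm start - -" and "iptables -t nat -L POSTROUTING -n --line-numbers" before relying on it.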