Hello!
Since I could not find any information on the internet about this subject, I'm going
to try my luck on this list.
I'm trying to set up network filters on a routed setup. I have a root server at Hetzner,
a German hosting provider.
Along with my server I ordered a (/28) subnet to be able to set up dedicated IPs for my
virtual machines (KVM).
My server is running Ubuntu 12.04 with libvirt 0.9.8. Since Hetzner does not allow any
bridged traffic, I had
to set up a routed network. Currently my (via libvirt) defined network looks like this
(let's assume my subnet is 1.2.3.64/28):
<network>
  <name>hetzner-subnet-v4</name>
  <forward dev='eth0' mode='route'>
    <interface dev='eth0'/>
  </forward>
  <bridge name='route-br0' stp='off' delay='0' />
  <mac address='52:54:00:F0:D0:AA'/>
  <ip address='1.2.3.65' netmask='255.255.255.240'></ip>
</network>
The network definition for all running VMs looks like this:
<interface type='network'>
  <mac address='52:54:00:00:00:##'/>
  <source network='hetzner-subnet-v4'/>
</interface>
Without using network filters, this setup is running as expected. All traffic is correctly
forwarded to my virtual machines connected to "route-br0" and the following iptables rules
are created in the FORWARD chain:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
target     prot opt in        out        source        destination
ACCEPT     all  --  eth0      route-br0  0.0.0.0/0     1.2.3.64/28
ACCEPT     all  --  route-br0 eth0       1.2.3.64/28   0.0.0.0/0
ACCEPT     all  --  route-br0 route-br0  0.0.0.0/0     0.0.0.0/0
REJECT     all  --  *         route-br0  0.0.0.0/0     0.0.0.0/0     reject-with icmp-port-unreachable
REJECT     all  --  route-br0 *          0.0.0.0/0     0.0.0.0/0     reject-with icmp-port-unreachable
When I try to set up a network filter for a VM (a modified version of the
last example at http://libvirt.org/formatnwfilter.html):
<filter name='server-x' chain='root'>
  <filterref filter='clean-traffic'/>
  <rule action='accept' direction='in' priority='500'>
    <all state='ESTABLISHED'/>
  </rule>
  <rule action='accept' direction='out' priority='500'>
    <all state='ESTABLISHED,RELATED'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <tcp state='NEW' dstportstart='22'/>
  </rule>
  <rule action='accept' direction='out' priority='500'>
    <all state='NEW'/>
  </rule>
  <rule action='drop' direction='inout' priority='500'>
    <all/>
  </rule>
</filter>
and add the filter to the interface definition of a VM using the following syntax:
<filterref filter='server-x'>
  <parameter name='IP' value='1.2.3.70'/>
</filterref>
additional iptables rules are getting created. The problematic rule seems to be the
following:
-A libvirt-out -m physdev --physdev-out vnetX -g FO-vnetX
which should trigger the following rules:
-A FO-vnetX -p all -m state --state ESTABLISHED -j ACCEPT
-A FO-vnetX -p tcp --dport 22 -m state --state NEW -j ACCEPT
But this actually never happens. The FO-vnetX Chain never sees any packets and my syslog
says:
xt_physdev: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for
non-bridged traffic is not supported anymore
Am I doing something wrong? I hope I did not write too much useless stuff here. I
tried to figure it all out by myself, but I'm currently stuck. Let's hope some wise
guys can help me out here. Maybe there is some documentation I have missed?
Thanks!
kind regards,
Sebastian
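As an added diagnostic (not from the original post and not libvirt's own code), the following audit walks an iptables-save dump from the OUTPUT/FORWARD/POSTROUTING hooks into every user chain they reach and lists the rules that use --physdev-out without --physdev-is-bridged, which are exactly the rules the xt_physdev message in the post refers to. The dump is a constructed sample modelled on the rules above; vnetX is a placeholder for the VM's tap device.

```python
"""Find --physdev-out rules that can never match routed (non-bridged)
traffic, the condition behind the kernel message 'xt_physdev: using
--physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for
non-bridged traffic is not supported anymore'."""
import re
from collections import defaultdict

# Constructed iptables-save sample modelled on the rules in the post;
# vnetX is a placeholder, and this is not a capture from a real host.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:libvirt-out - [0:0]
:FO-vnetX - [0:0]
-A FORWARD -j libvirt-out
-A FORWARD -d 1.2.3.64/28 -i eth0 -o route-br0 -j ACCEPT
-A libvirt-out -m physdev --physdev-out vnetX -g FO-vnetX
-A libvirt-out -m physdev --physdev-out vnetX --physdev-is-bridged -g FO-vnetX
-A FO-vnetX -p all -m state --state ESTABLISHED -j ACCEPT
-A FO-vnetX -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
"""

# Hooks for which the kernel only supports --physdev-out on bridged traffic.
HOOKS_NEEDING_BRIDGE = {"OUTPUT", "FORWARD", "POSTROUTING"}


def audit_physdev_out(dump: str) -> list:
    """Return (sorted) rules using --physdev-out / --physdev-is-out without
    --physdev-is-bridged in any chain reachable from OUTPUT, FORWARD or
    POSTROUTING. On a routed network such a rule is skipped, so chains it
    jumps to (like FO-vnetX above) never see a packet."""
    rules = defaultdict(list)
    for line in dump.splitlines():
        m = re.match(r"-A (\S+) (.*)", line)
        if m:
            rules[m.group(1)].append(line)
    # Follow -j / -g targets into user-defined chains (built-in targets
    # such as ACCEPT have no rules of their own and are ignored).
    reachable, todo = set(), list(HOOKS_NEEDING_BRIDGE)
    while todo:
        chain = todo.pop()
        if chain in reachable:
            continue
        reachable.add(chain)
        for r in rules.get(chain, []):
            t = re.search(r"\s-[jg] (\S+)", r)
            if t and t.group(1) in rules:
                todo.append(t.group(1))
    return sorted(r for c in reachable for r in rules.get(c, [])
                  if re.search(r"--physdev-(is-)?out\b", r)
                  and "--physdev-is-bridged" not in r)
```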