On 08/13/2013 06:31 AM, Laine Stump wrote:
Thanks Laine for confirming it is a known issue. I googled it a lot but
couldn't find that bugzilla entry.
Do you know if this is still the case with the upcoming Fedora 20 &
firewalld (are these rules still being created)?
> Due to the large amount of work required to fix it relative to the
> apparent demand for a fix, it has remained unchanged.
I'm wondering if it really takes a lot of work. I think that by just
changing the order of the rules everything gets fixed. If we group the
rules *by functionality* instead of *by virtual-network* we can
accomplish a particular goal (drop communication between
virtual-networks or allow them):
(Notice that I did not insert or delete any rule; just changed the order):
- Allow communication between virtual-networks (regardless of direction):
http://fpaste.org/31729/
- Block communication between virtual-networks (except for the LAN):
http://fpaste.org/31731/
> Note that if you want to have multiple virtual networks that can
> communicate with each other, you can define all the networks as <forward
> mode='route'/> (which gives them iptables rulesets that allow all access
> in both directions), then add in appropriate "blanket" NAT rules
> yourself in the host's iptables config.
Right, that's what I'm using now: just had to add a static route to my
home router in order for them to be able to use the net.
Again, thanks Laine for the feedback!
--
Jorge
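The reordering argument in the thread (same rules, grouped by functionality instead of by virtual network) can be checked without touching a live host. The following is an added example, not code from the thread, from libvirt, or from the fpaste links: a small first-match simulator for the FORWARD chain. The five rules it installs per network are an approximation of what libvirt generates for a `<forward mode='nat'/>` network (assumption; compare with `iptables -S FORWARD` on your own host), and the bridge names, subnets, `eth0` and `203.0.113.10` are constructed values.

```python
"""Constructed example: first-match simulation of an iptables FORWARD chain.

The five rules per network approximate what libvirt installs for a
<forward mode='nat'/> network (assumption: verify with `iptables -S FORWARD`).
Bridge names, subnets, "eth0" and 203.0.113.10 are constructed values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: str
    established: bool = False  # conntrack already knows this flow


@dataclass(frozen=True)
class Rule:
    target: str                    # ACCEPT or REJECT
    src: Optional[str] = None      # -s CIDR
    dst: Optional[str] = None      # -d CIDR
    in_if: Optional[str] = None    # -i
    out_if: Optional[str] = None   # -o
    established: bool = False      # -m state --state RELATED,ESTABLISHED

    def matches(self, pkt: Packet) -> bool:
        return (
            (self.src is None or ip_address(pkt.src) in ip_network(self.src))
            and (self.dst is None or ip_address(pkt.dst) in ip_network(self.dst))
            and (self.in_if is None or self.in_if == pkt.in_if)
            and (self.out_if is None or self.out_if == pkt.out_if)
            and (not self.established or pkt.established)
        )

    def as_iptables(self) -> str:
        """Render the rule roughly the way `iptables -S FORWARD` prints it."""
        parts = ["-A FORWARD"]
        if self.src:
            parts += ["-s", self.src]
        if self.dst:
            parts += ["-d", self.dst]
        if self.in_if:
            parts += ["-i", self.in_if]
        if self.out_if:
            parts += ["-o", self.out_if]
        if self.established:
            parts.append("-m state --state RELATED,ESTABLISHED")
        parts += ["-j", self.target]
        return " ".join(parts)


def verdict(chain, pkt, policy="ACCEPT"):
    """iptables semantics: the first matching terminating rule decides."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# Two NAT-mode virtual networks (constructed values).
NETS = {"virbr0": "192.168.122.0/24", "virbr1": "192.168.123.0/24"}


def per_network_rules(bridge, cidr):
    """The per-network rule set (approximation of libvirt's, see docstring)."""
    return {
        "established": Rule("ACCEPT", dst=cidr, out_if=bridge, established=True),
        "outbound":    Rule("ACCEPT", src=cidr, in_if=bridge),
        "intra":       Rule("ACCEPT", in_if=bridge, out_if=bridge),
        "reject_out":  Rule("REJECT", out_if=bridge),
        "reject_in":   Rule("REJECT", in_if=bridge),
    }


def chain_by_network():
    """Per-network layout: each network's five rules as one contiguous block."""
    chain = []
    for bridge, cidr in NETS.items():
        chain.extend(per_network_rules(bridge, cidr).values())
    return chain


def chain_by_function(block_inter_network: bool):
    """Same rules, grouped by what they do; only the group order changes."""
    per_net = [per_network_rules(b, c) for b, c in NETS.items()]
    if block_inter_network:
        # Every bridge's "-o virbrX REJECT" now precedes every
        # "-s <net> -i virbrX ACCEPT", so cross-bridge traffic is rejected.
        order = ["established", "intra", "reject_out", "outbound", "reject_in"]
    else:
        order = ["established", "outbound", "intra", "reject_out", "reject_in"]
    return [rules[key] for key in order for rules in per_net]


if __name__ == "__main__":
    cross = Packet("192.168.122.5", "192.168.123.5", "virbr0", "virbr1")
    for name, chain in [("by network", chain_by_network()),
                        ("by function, block", chain_by_function(True)),
                        ("by function, allow", chain_by_function(False))]:
        print(f"{name:22s} virbr0->virbr1: {verdict(chain, cross)}")
    for rule in chain_by_function(True):
        print(rule.as_iptables())
```

With the per-network layout the simulator accepts virbr0 to virbr1 traffic (the first network's `-s 192.168.122.0/24 -i virbr0 -j ACCEPT` fires before the second network's `-o virbr1 -j REJECT` is ever reached), while the reverse direction is rejected, so which direction leaks depends on the order in which the networks were started. Grouping by function with the `reject_out` group ahead of the `outbound` group rejects both directions while still allowing each network to reach the outside world and to receive established return traffic.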