Hi All,
I created a couple of virtual networks (forward mode=nat) in my
rhel6-kvm box. I've come across 2 weird issues.
1. My iptables rule chain set contains repeated rules. The same rule gets
repeated block by block.
2. For connecting to guests using SSH, I created a custom iptables chain.
I want this chain to be on top of the FORWARD chain, but every time
libvirtd is restarted the rule comes to the bottom of the chain (appended).
Can anyone suggest what the solution could be? My iptables rules are
given below. Let me know if any further info is needed.
[root@santiago Packages]# iptables -L -n -v
Chain INPUT (policy ACCEPT 41 packets, 5818 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- vbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- vbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- vbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- vbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
0 0 ACCEPT udp -- vbr1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- vbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- vbr1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- vbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
0 0 ACCEPT udp -- vbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- vbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- vbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- vbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
0 0 ACCEPT udp -- vbr1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- vbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- vbr1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- vbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
0 0 ACCEPT udp -- vbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- vbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- vbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- vbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
0 0 ACCEPT udp -- vbr1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- vbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- vbr1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- vbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
0 0 ACCEPT udp -- vbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- vbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- vbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- vbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
0 0 ACCEPT udp -- vbr1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- vbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- vbr1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- vbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
0 0 ACCEPT udp -- vbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- vbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- vbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- vbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
0 0 ACCEPT udp -- vbr1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- vbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- vbr1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- vbr1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * vbr0 0.0.0.0/0 10.10.0.0/24 state RELATED,ESTABLISHED
0 0 ACCEPT all -- vbr0 * 10.10.0.0/24 0.0.0.0/0
0 0 ACCEPT all -- vbr0 vbr0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * vbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- vbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- * vbr1 0.0.0.0/0 10.10.1.0/24 state RELATED,ESTABLISHED
0 0 ACCEPT all -- vbr1 * 10.10.1.0/24 0.0.0.0/0
0 0 ACCEPT all -- vbr1 vbr1 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * vbr1 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- vbr1 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
5688 588K rhel-virt-forward-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * vbr0 0.0.0.0/0 10.10.0.0/24 state RELATED,ESTABLISHED
0 0 ACCEPT all -- vbr0 * 10.10.0.0/24 0.0.0.0/0
0 0 ACCEPT all -- vbr0 vbr0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * vbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- vbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- * vbr1 0.0.0.0/0 10.10.1.0/24 state RELATED,ESTABLISHED
0 0 ACCEPT all -- vbr1 * 10.10.1.0/24 0.0.0.0/0
0 0 ACCEPT all -- vbr1 vbr1 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * vbr1 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- vbr1 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- * vbr0 0.0.0.0/0 10.10.0.0/24 state RELATED,ESTABLISHED
0 0 ACCEPT all -- vbr0 * 10.10.0.0/24 0.0.0.0/0
0 0 ACCEPT all -- vbr0 vbr0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * vbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- vbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- * vbr1 0.0.0.0/0 10.10.1.0/24 state RELATED,ESTABLISHED
0 0 ACCEPT all -- vbr1 * 10.10.1.0/24 0.0.0.0/0
0 0 ACCEPT all -- vbr1 vbr1 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * vbr1 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- vbr1 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- * vbr0 0.0.0.0/0 10.10.0.0/24 state RELATED,ESTABLISHED
0 0 ACCEPT all -- vbr0 * 10.10.0.0/24 0.0.0.0/0
0 0 ACCEPT all -- vbr0 vbr0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * vbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- vbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- * vbr1 0.0.0.0/0 10.10.1.0/24 state RELATED,ESTABLISHED
0 0 ACCEPT all -- vbr1 * 10.10.1.0/24 0.0.0.0/0
0 0 ACCEPT all -- vbr1 vbr1 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * vbr1 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- vbr1 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- * vbr0 0.0.0.0/0 10.10.0.0/24 state RELATED,ESTABLISHED
0 0 ACCEPT all -- vbr0 * 10.10.0.0/24 0.0.0.0/0
0 0 ACCEPT all -- vbr0 vbr0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * vbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- vbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- * vbr1 0.0.0.0/0 10.10.1.0/24 state RELATED,ESTABLISHED
0 0 ACCEPT all -- vbr1 * 10.10.1.0/24 0.0.0.0/0
0 0 ACCEPT all -- vbr1 vbr1 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * vbr1 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- vbr1 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged

Chain OUTPUT (policy ACCEPT 38 packets, 4234 bytes)
pkts bytes target prot opt in out source destination

Chain rhel-virt-forward-1 (1 references)
pkts bytes target prot opt in out source destination
25 2100 ACCEPT icmp -- eth0 vbr1 0.0.0.0/0 0.0.0.0/0
3515 262K ACCEPT tcp -- eth0 vbr1 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT icmp -- eth0 vbr0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- eth0 vbr0 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Details about my virtual network interfaces are given below:
[root@santiago Packages]# virsh net-list --all
Name State Autostart
-----------------------------------------
vir0 active yes
vir1 active yes
Thank you in advance.
Regards,
--Kurian.
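The two symptoms in the post above, duplicated rule blocks and a custom jump that ends up at the bottom of FORWARD after a libvirtd restart, can both be checked and repaired mechanically from an `iptables-save` dump. The script below is an added example written for this thread, not code from the poster or from libvirt. It works on a constructed dump (a shortened imitation of the post's ruleset embedded as `SAMPLE`) so it runs offline; the functions that produce host-side commands only print them, they do not touch the firewall. It deliberately avoids `iptables -C`, which older iptables releases lack, and instead tests rule presence by grepping `iptables-save` output. Running the emitted commands from a libvirt hook or a post-restart script is an assumption about how one would deploy it.

```shell
#!/bin/sh
# Added example (not from the original post or libvirt): audit an
# iptables-save dump for duplicated rules and for a custom chain jump
# that is not the first rule of FORWARD, and emit the idempotent
# commands that fix both.

# Constructed sample dump mimicking the post's state: libvirt's
# per-bridge rules present twice, and the custom jump appended at the
# end of FORWARD instead of inserted at position 1.
SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:rhel-virt-forward-1 - [0:0]
-A INPUT -i vbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i vbr0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -d 10.10.0.0/24 -o vbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.10.0.0/24 -o vbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o vbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j rhel-virt-forward-1
-A rhel-virt-forward-1 -i eth0 -o vbr1 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Print every distinct rule line that occurs more than once in the dump.
# $1 = dump text (what `iptables-save` prints).
find_duplicates() {
    printf '%s\n' "$1" | grep '^-A ' | sort | uniq -d
}

# Number of distinct rules that are duplicated (0 means a clean dump).
count_duplicates() {
    find_duplicates "$1" | wc -l | tr -d ' '
}

# Emit one `iptables -D` per surplus copy. `-D` with a rule spec deletes
# the first matching rule, so n copies need n-1 deletes to leave one.
dedupe_commands() {
    printf '%s\n' "$1" | grep '^-A ' | sort | uniq -c |
    while read -r n rule; do
        i=$n
        while [ "$i" -gt 1 ]; do
            echo "iptables -D ${rule#-A }"
            i=$((i - 1))
        done
    done
}

# Succeed (exit 0) only if the jump to chain $2 is the first FORWARD rule.
# $1 = dump text, $2 = chain name.
jump_is_first() {
    first=$(printf '%s\n' "$1" | grep '^-A FORWARD ' | head -n 1)
    [ "$first" = "-A FORWARD -j $2" ]
}

# Emit commands that make the jump to chain $1 the first FORWARD rule no
# matter how many copies exist or where they sit: delete every existing
# jump, then insert a single one at position 1. Safe to re-run.
reposition_commands() {
    cat <<EOF
while iptables-save | grep -q '^-A FORWARD -j $1\$'; do iptables -D FORWARD -j $1; done
iptables -I FORWARD 1 -j $1
EOF
}

# Stand-alone run: report on the constructed sample.
echo "duplicated rules: $(count_duplicates "$SAMPLE")"
find_duplicates "$SAMPLE"
if jump_is_first "$SAMPLE" rhel-virt-forward-1; then
    echo "custom jump is already first in FORWARD"
else
    echo "custom jump is NOT first in FORWARD; fix with:"
    reposition_commands rhel-virt-forward-1
fi
echo "dedupe with:"
dedupe_commands "$SAMPLE"
```

Run it against the real host with `SAMPLE="$(iptables-save)"` substituted for the constructed dump, review the printed commands, and only then execute them. Because the reposition step deletes every copy of the jump before inserting one, it is safe to run after every libvirtd restart, which is what makes it suitable for a hook rather than a one-off fix.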