Hi,

 

I want to add iptables rules between the existing rules and the rules created by libvirt (forward type=nat).

I did try the hook

/etc/libvirt/hooks/network network_name start begin -

and
 
/etc/libvirt/hooks/network network_name started begin -

It seems that the libvirt iptables rules are already inserted when
this hook is executed.

Simply using -I instead of -A does not work either, because the rules should be
inserted between the existing ones and the libvirt rules. Also, the custom rules should be deleted after
the hook

/etc/libvirt/hooks/network network_name stopped end -

is executed.

Does a hook exist which is executed after the network is started but before the
libvirt rules are inserted?

Is it possible to use a custom chain for the libvirt iptables rules instead of writing
them directly into the INPUT chain?

I am thinking of something like, in INPUT:

VIRT_VIBR0     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0
VIRT_VIBR0     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0

and in VIRT_VIBR0:

ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

thanks & regards
dieter
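One way to get the ordering asked for above, written as an added example for this thread and not code from the original post or from libvirt: a /etc/libvirt/hooks/network script that runs at the "started begin" point (when, as observed above, libvirt's rules are already in place), locates the first rule in each built-in chain that belongs to libvirt, and inserts the custom rules at exactly that position with "iptables -I CHAIN n", so they land after the pre-existing rules and before libvirt's. At "stopped end" it deletes them again with -D. Assumptions not in the original post: libvirt passes the network XML on stdin (used here only to read the bridge name); the rules in CUSTOM_RULES are constructed for the example; a libvirt rule is recognised either by "-i"/"-o" on the bridge (the layout shown in the post) or by a jump to a LIBVIRT_* chain, which is how libvirt 5.1 and later keep their rules in private chains (that release also partly answers the custom-chain question: the INPUT/FORWARD chains then only hold the jumps).

```shell
#!/bin/sh
# /etc/libvirt/hooks/network -- added example, not from the original post.
# libvirt invokes it as:  network <name> <operation> <sub-operation> -
# and (assumption) passes the network XML on stdin.
set -eu

IPTABLES=${IPTABLES:-iptables}

# Rules to sit between the pre-existing rules and libvirt's own.
# Constructed for the example: "<chain> <rule spec>" per line.
CUSTOM_RULES='
INPUT -i virbr0 -p tcp --dport 22 -j REJECT
FORWARD -i virbr0 -d 10.0.0.0/8 -j REJECT
FORWARD -i virbr0 -p tcp --dport 25 -j REJECT
'

# Read `iptables -S <chain>` on stdin and print the 1-based number of the
# first rule that belongs to libvirt: one matching -i/-o on the bridge
# (classic layout) or one jumping to a LIBVIRT_* chain (libvirt >= 5.1).
# Prints 0 when the chain holds no libvirt rule.
first_rule_for_bridge() {
    awk -v br="$1" '
        $1 == "-A" {
            n++
            for (i = 2; i < NF; i++) {
                if (($i == "-i" || $i == "-o") && $(i + 1) == br) { print n; found = 1; exit }
                if ($i == "-j" && $(i + 1) ~ /^LIBVIRT_/)       { print n; found = 1; exit }
            }
        }
        END { if (!found) print 0 }'
}

# Extract the bridge name from the network XML on stdin.
bridge_from_xml() {
    sed -n "s/.*<bridge[^>]*name='\([^']*\)'.*/\1/p" | head -n 1
}

# Insert each custom rule directly in front of libvirt's first rule.
# The position is recomputed per rule, so the rules keep their listed order.
# Word-splitting of $spec is intended: it is an iptables rule specification.
apply_custom_rules() {
    bridge=$1
    printf '%s\n' "$CUSTOM_RULES" | while read -r chain spec; do
        [ -n "$chain" ] || continue
        pos=$($IPTABLES -S "$chain" | first_rule_for_bridge "$bridge")
        if [ "$pos" -eq 0 ]; then
            $IPTABLES -A "$chain" $spec
        else
            $IPTABLES -I "$chain" "$pos" $spec
        fi
    done
}

# Delete the custom rules by spec (the position no longer matters).
remove_custom_rules() {
    printf '%s\n' "$CUSTOM_RULES" | while read -r chain spec; do
        [ -n "$chain" ] || continue
        $IPTABLES -D "$chain" $spec || true
    done
}

main() {
    operation=$2
    suboperation=$3
    case "$operation/$suboperation" in
        started/begin)
            bridge=$(bridge_from_xml)
            [ -n "$bridge" ] || exit 0
            apply_custom_rules "$bridge" ;;
        stopped/end)
            remove_custom_rules ;;
    esac
}

# Only dispatch when called by libvirt (with its four arguments).
if [ "$#" -ge 4 ]; then
    main "$@"
fi
```

Install the script with mode 0755 and restart libvirtd so it picks up the new hook. Two caveats: the hook only runs on libvirt network start/stop, so a firewall reload that flushes the built-in chains removes both libvirt's rules and the custom ones without the hook being re-run; and because the position is computed from the live chain, check the result once with "iptables -S FORWARD" to confirm the custom rules sit immediately above libvirt's.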