[libvirt-users] port forwarding

Hi,

I'm using CentOS release 5.6 (Final) and Xen 3.1. I'm writing to ask how to configure port forwarding. With virt-manager 0.6.1 I added the machines, but there I don't see an option for port forwarding.

I would like to reach the VM on a specific port of the host machine. Once the machines are running, I can configure iptables so that the port forwarding works, but after the host reboots, other rules are inserted (put in front of my rules), which disable my rules. I guess these rules are put there by libvirt, and so I'm writing to this list.

These are the rules inserted:

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

I need to have different rules for 192.168.122.0/24: the states RELATED,ESTABLISHED are fine, but I need the NEW state put there too, so that the new forwards can go through.

Thanks,
Irek

--
Ireneusz (Irek) Szczesniak
http://www.irkos.org

On 04/28/2011 09:15 AM, Ireneusz Szcześniak wrote:
Hi,
I'm using CentOS release 5.6 (Final) and Xen 3.1. I'm writing to ask how to configure port forwarding. With virt-manager 0.6.1 I added the machines, but there I don't see an option for port forwarding.
I would like to reach the VM on a specific port of the host machine. Once the machines are running, I can configure iptables so that the port forwarding works, but after the host reboots, other rules are inserted (put in front of my rules), which disable my rules. I guess these rules are put there by libvirt, and so I'm writing to this list.
Yes, these rules are put in by libvirt. The iptables rules added by libvirt for virtual networks are intended to fulfill the needs of 95% of users, but are not configurable. To do what you want, you'll either need to construct your own bridge (rather than relying on libvirt) and do all the iptables and routing config outside of libvirt, or you may be able to use libvirt execution hooks to add the rules at the appropriate time. See: http://www.libvirt.org/hooks.html for details on libvirt hook scripts.
These are the rules inserted:
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
I need to have different rules for 192.168.122.0/24: the states RELATED,ESTABLISHED are fine, but I need the NEW state put there too, so that the new forwards can go through.
Thanks,
Irek

On Thu, Apr 28, 2011 at 10:41:11AM -0400, Laine Stump wrote:
On 04/28/2011 09:15 AM, Ireneusz Szcześniak wrote:
I would like to reach the VM on a specific port of the host machine. Once the machines are running, I can configure iptables so that the port forwarding works, but after the host reboots, other rules are inserted (put in front of my rules), which disable my rules. I guess these rules are put there by libvirt, and so I'm writing to this list.
Yes, these rules are put in by libvirt.
The iptables rules added by libvirt for virtual networks are intended to fulfill the needs of 95% of users, but are not configurable. To do what you want, you'll either need to construct your own bridge (rather than relying on libvirt) and do all the iptables and routing config outside of libvirt, or you may be able to use libvirt execution hooks to add the rules at the appropriate time. See: http://www.libvirt.org/hooks.html for details on libvirt hook scripts.
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
If all you need to do is change that one rule to "NEW,RELATED,ESTABLISHED", iptables has an option to replace a rule. Sorry I don't have the syntax at my fingertips, but it should be simple enough to modify the rule on system startup after libvirt has built the initial ruleset, perhaps in rc.local.

Whit

On 04/28/2011 10:56 AM, Whit Blauvelt wrote:
On Thu, Apr 28, 2011 at 10:41:11AM -0400, Laine Stump wrote:
On 04/28/2011 09:15 AM, Ireneusz Szcześniak wrote:
I would like to reach the VM on a specific port of the host machine. Once the machines are running, I can configure iptables so that the port forwarding works, but after the host reboots, other rules are inserted (put in front of my rules), which disable my rules. I guess these rules are put there by libvirt, and so I'm writing to this list.
Yes, these rules are put in by libvirt.
The iptables rules added by libvirt for virtual networks are intended to fulfill the needs of 95% of users, but are not configurable. To do what you want, you'll either need to construct your own bridge (rather than relying on libvirt) and do all the iptables and routing config outside of libvirt, or you may be able to use libvirt execution hooks to add the rules at the appropriate time. See: http://www.libvirt.org/hooks.html for details on libvirt hook scripts.
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
If all you need to do is change that one rule to "NEW,RELATED,ESTABLISHED", iptables has an option to replace a rule.
This would have the side effect of generating a warning log the next time libvirt brought down the network, and would also leave around the old rule (libvirt removes its rules when the network is stopped by describing exactly the rule it created; if that exact rule doesn't exist when the network is being stopped, it will give a warning, and also not remove this "similar but different" rule).
Sorry I don't have the syntax at my fingertips, but it should be simple enough to modify the rule on system startup after libvirt has built the initial ruleset, perhaps in rc.local.
That would be overridden any time libvirtd was restarted, or the virtual network in question was stopped/restarted. That's why I suggested looking into libvirt's hooks - with the proper hook, the extra iptables commands could happen exactly when needed (I haven't checked to see if "the proper hook" exists, but if not then "patches welcome" :-)
Whit

_______________________________________________
libvirt-users mailing list
libvirt-users@redhat.com
https://www.redhat.com/mailman/listinfo/libvirt-users
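To make Laine's suggestion concrete, here is an added example of a libvirt hook script; it is not code from the thread or from libvirt, and it assumes the qemu hook described at http://www.libvirt.org/hooks.html (invoked as `qemu <guest> <operation> <sub-op> <extra>` with "start" and "stopped" operations), plus constructed values: a guest named "webvm" at 192.168.122.10 and host port 8080 forwarded to guest port 80. Because the rules are added when the guest starts and deleted with the identical arguments when it stops, libvirt's own rules are never modified, which avoids the warning-on-teardown problem Laine describes.

```shell
#!/bin/sh
# Hypothetical /etc/libvirt/hooks/qemu (added example, not from the thread or libvirt).
# libvirt invokes it as:  qemu <guest_name> <operation> <sub-operation> <extra>
# Constructed demo values: guest "webvm" at 192.168.122.10, host :8080 -> guest :80.
GUEST="webvm"
GUEST_IP="192.168.122.10"
HOST_PORT="8080"
GUEST_PORT="80"
IPTABLES="${IPTABLES:-iptables}"   # point this at a stub to dry-run the rules

# Emit exactly two rules. $1 is the iptables action: -I inserts them at the head of
# the chain, ahead of libvirt's rules, so a NEW connection to the forwarded port is
# accepted; -D deletes the identical rules again. Only this one guest:port is opened;
# libvirt's RELATED,ESTABLISHED rule still carries the reply traffic and everything
# else in FORWARD stays subject to libvirt's REJECT rules.
apply_rules() {
    action="$1"
    "$IPTABLES" -t nat "$action" PREROUTING -p tcp --dport "$HOST_PORT" \
        -j DNAT --to-destination "$GUEST_IP:$GUEST_PORT"
    "$IPTABLES" "$action" FORWARD -d "$GUEST_IP" -p tcp --dport "$GUEST_PORT" \
        -m state --state NEW -j ACCEPT
}

# Dispatch on guest name and operation; any other guest or operation is ignored,
# so the hook never touches rules it did not create.
hook_main() {
    [ "$1" = "$GUEST" ] || return 0
    case "$2" in
        start)   apply_rules -I ;;   # guest is starting: add the rules
        stopped) apply_rules -D ;;   # guest has stopped: remove the same rules
    esac
}

hook_main "$@"
```

The hooks page requires the script to be executable and libvirtd to be restarted before a new hook is picked up.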

Hi Laine and Whit,

Thank you for the information. I will look into hooks -- this looks like the right choice.

Best,
Irek

On 28.04.2011 18:15, Laine Stump wrote:
--
Ireneusz (Irek) Szczesniak
http://www.irkos.org