Re: [libvirt-users] Easy solution for custom firewall rules-

Nakta wrote:
libvirt's nwfilter module can achieve that.
I read over those resources and I did what I thought would be correct, but it's not having any effect. I created a new nwfilter like this:

    <filter name='allow-virbr2-vpn' chain='ipv4' priority='-700'>
      <rule action='accept' direction='in' priority='500'>
        <all state='ESTABLISHED'/>
      </rule>
      <rule action='accept' direction='out' priority='500'>
        <all state='ESTABLISHED,RELATED'/>
      </rule>
      <rule action='accept' direction='in' priority='100'>
        <ip dstipaddr='192.168.8.0' dstipmask='24'/>
      </rule>
      <rule action='accept' direction='out' priority='100'>
        <ip srcipaddr='192.168.8.0' srcipmask='24'/>
      </rule>
      <rule action='drop' direction='inout' priority='500'>
        <all/>
      </rule>
    </filter>

I then associated that filter with the Interface device on the VM server within KVM... and shutdown/restarted that VM.

    <interface type='network'>
      <mac address='XX:XX:XX:XX:XX:XX'/>
      <source network='locservers'/>
      <model type='virtio'/>
      <filterref filter='allow-virbr2-vpn'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>

After this, nothing happens. I did 'ebtables --list', and the new rules aren't there. I also did the same with iptables as well as firewalld itself. The new rules are nowhere to be found. What did I do incorrectly here?

Thanks!
-JK

On 6/2/19 10:02 PM, Joshua Kramer wrote:
> Nakta wrote:
> > libvirt's nwfilter module can achieve that.
> I read over those resources and I did what I thought would be correct, but it's not having any effect.
> I created a new nwfilter like this:
>
>     <filter name='allow-virbr2-vpn' chain='ipv4' priority='-700'>
>       <rule action='accept' direction='in' priority='500'>
>         <all state='ESTABLISHED'/>
>       </rule>
>       <rule action='accept' direction='out' priority='500'>
>         <all state='ESTABLISHED,RELATED'/>
>       </rule>
>       <rule action='accept' direction='in' priority='100'>
>         <ip dstipaddr='192.168.8.0' dstipmask='24'/>
>       </rule>
>       <rule action='accept' direction='out' priority='100'>
>         <ip srcipaddr='192.168.8.0' srcipmask='24'/>
>       </rule>
>       <rule action='drop' direction='inout' priority='500'>
>         <all/>
>       </rule>
>     </filter>
>
> I then associated that filter with the Interface device on the VM server within KVM... and shutdown/restarted that VM.
>
>     <interface type='network'>
>       <mac address='XX:XX:XX:XX:XX:XX'/>
>       <source network='locservers'/>
>       <model type='virtio'/>
>       <filterref filter='allow-virbr2-vpn'/>
>       <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
>     </interface>
>
> After this, nothing happens. I did 'ebtables --list', and the new rules aren't there.
Try "ebtables -t nat -L", although as I said in the other message I just posted, it's not going to do what you need anyway, because these rules will be applied *in addition to* the network's iptables rules, not *instead of*.
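To see how the posted filter actually orders and matches traffic before looking for it in ebtables, here is an added example (not code from the thread or from libvirt): a simplified model of nwfilter rule evaluation, lower priority value first with a default of 500, covering only the `<all state=.../>` and `<ip .../>` match elements the filter uses. The sample packet addresses (VM 192.168.8.10 and 10.0.0.5, remote host 10.0.0.1) are constructed, and tie-breaking equal priorities by document order is an assumption of this model.

```python
# Added example: simplified model of libvirt nwfilter rule ordering and of the
# <all state=.../> and <ip .../> matches used in the filter posted above.
# Packet addresses used with it are constructed (VM 192.168.8.10 / 10.0.0.5,
# remote host 10.0.0.1); 'in' means traffic towards the VM, 'out' away from it.
import ipaddress
import xml.etree.ElementTree as ET

FILTER_XML = """<filter name='allow-virbr2-vpn' chain='ipv4' priority='-700'>
  <rule action='accept' direction='in' priority='500'><all state='ESTABLISHED'/></rule>
  <rule action='accept' direction='out' priority='500'><all state='ESTABLISHED,RELATED'/></rule>
  <rule action='accept' direction='in' priority='100'><ip dstipaddr='192.168.8.0' dstipmask='24'/></rule>
  <rule action='accept' direction='out' priority='100'><ip srcipaddr='192.168.8.0' srcipmask='24'/></rule>
  <rule action='drop' direction='inout' priority='500'><all/></rule>
</filter>"""

def _net(elem, prefix):
    """Network from <ip {src,dst}ipaddr/{src,dst}ipmask>, or None if absent."""
    addr = elem.get(prefix + "ipaddr")
    if addr is None:
        return None
    return ipaddress.ip_network(f"{addr}/{elem.get(prefix + 'ipmask', '32')}", strict=False)

def _matches(rule, pkt):
    """pkt: dict with direction ('in' or 'out'), src, dst and conntrack state."""
    if rule.get("direction", "inout") not in ("inout", pkt["direction"]):
        return False
    for m in rule:  # every match element inside the rule must match
        if m.tag == "all":
            states = m.get("state")
            if states and pkt["state"] not in states.split(","):
                return False
        elif m.tag == "ip":
            src, dst = _net(m, "src"), _net(m, "dst")
            if src and ipaddress.ip_address(pkt["src"]) not in src:
                return False
            if dst and ipaddress.ip_address(pkt["dst"]) not in dst:
                return False
        else:
            return False  # protocol matches this model does not implement
    return True

def evaluate(filter_xml, pkt):
    """Action of the first matching rule in priority order, or 'no-match'."""
    rules = ET.fromstring(filter_xml).findall("rule")
    # Lower priority value is consulted first (default 500); equal priorities
    # are kept in document order here, which is an assumption of this model.
    ordered = sorted(enumerate(rules), key=lambda r: (int(r[1].get("priority", 500)), r[0]))
    for _, rule in ordered:
        if _matches(rule, pkt):
            return rule.get("action")
    return "no-match"
```

With the VM addressed inside 192.168.8.0/24, both priority-100 rules accept new traffic in either direction, so the priority-500 drop rule only ever sees traffic to or from a VM address outside that network.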
participants (2): Joshua Kramer, Laine Stump