Libvirt overwrites the existing iptables rules
From WBITT's Cooker!
Revision as of 17:18, 11 July 2010
XEN overwrites the existing iptables rules
Not exactly. It is libvirt which is the culprit, not XEN.
- https://bugzilla.redhat.com/show_bug.cgi?id=227011
- http://lists.fedoraproject.org/pipermail/virt/2010-January/001792.html
- http://forums.gentoo.org/viewtopic-p-6209192.html?sid=1089acac70de96d68aa856d758d7cdfe
- http://wiki.libvirt.org/page/Networking
- http://libvirt.org/formatnetwork.html#examplesPrivate
Objective / goal of this document
The objective of this document is to identify/clarify the following:
- What are these specific iptables rules?
- Does it matter if we lose these rules?
- Does it matter when we have our virtual machines on a bridged interface, connecting directly to our physical LAN, xenbr0 or br0?
- Does it matter when we have our virtual machines connected only on the private network inside the physical host, virbr0?
- How do we circumvent any problems related to this scenario?
The details
It is observed that systems providing KVM or XEN virtualization sometimes have their iptables firewall rules in Dom-0 changed automatically, overwritten by another set of rules.
Note: KVM doesn't have a Dom-0. For ease of understanding, the base OS on the physical host will also be considered Dom-0 (please, no flame war on this one). I will use "physical host" and "Dom-0" interchangeably for a system which hosts one or more virtual machines.
This happens only on systems that run the libvirtd service. Many people mistakenly think this is a XEN problem; it is not. First, I will explain the default iptables firewall ruleset on the physical host.
The default iptables rules on a physical host
Here is the default iptables ruleset from a Fedora 13 physical host.
[root@training ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[root@training ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  192.168.122.0/24    !192.168.122.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Let's save these rules in a file, so we can load the defaults any time we need to.
[root@training ~]# iptables-save > /root/iptables.default.txt
The same rules, read back from this file, are easier to understand:
[root@training ~]# cat /root/iptables.default.txt
# Generated by iptables-save v1.4.7 on Sun Jul 11 19:51:07 2010
*nat
:PREROUTING ACCEPT [661:21364]
:POSTROUTING ACCEPT [58069:3670258]
:OUTPUT ACCEPT [58069:3670258]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Sun Jul 11 19:51:07 2010
# Generated by iptables-save v1.4.7 on Sun Jul 11 19:51:07 2010
*filter
:INPUT ACCEPT [1212620:674141323]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1518464:780474182]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sun Jul 11 19:51:07 2010
[root@training ~]#
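One defender-side check this baseline makes possible, added here and not part of the original page: compare the saved /root/iptables.default.txt against a fresh iptables-save dump, ignoring the counters and timestamps that change on every run, and list which rules vanished or appeared. The two dumps below are constructed for the example rather than captured from a host.

```shell
export LC_ALL=C   # byte-order collation so sort and comm agree
# Normalise an iptables-save dump for comparison: drop timestamp comments,
# strip packet/byte counters from chain lines, prefix each line with its table.
normalize_rules() {
    awk '
        /^#/      { next }
        /^\*/     { table = substr($0, 2); next }
        /^COMMIT/ { next }
        /^:/      { sub(/ \[[0-9]+:[0-9]+\]$/, ""); print table " " $0; next }
        /^-A/     { print table " " $0 }
    ' "$1" | sort
}
# Report baseline rules missing from the live dump ("- ") and rules the live
# dump gained ("+ "); no output means the two rulesets match.
ruleset_diff() {
    a=$(mktemp); b=$(mktemp)
    normalize_rules "$1" > "$a"
    normalize_rules "$2" > "$b"
    comm -23 "$a" "$b" | sed 's/^/- /'
    comm -13 "$a" "$b" | sed 's/^/+ /'
    rm -f "$a" "$b"
}
# Constructed sample dumps (not captured from a host): a subset of the libvirt
# defaults above, and a live dump that lost two virbr0 FORWARD rules and gained one INPUT rule.
BASELINE=$(mktemp); LIVE=$(mktemp)
cat > "$BASELINE" <<'EOF'
# Generated by iptables-save v1.4.7 on Sun Jul 11 19:51:07 2010
*nat
:POSTROUTING ACCEPT [58069:3670258]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
cat > "$LIVE" <<'EOF'
# Generated by iptables-save v1.4.7 on Mon Jul 12 08:00:00 2010
*nat
:POSTROUTING ACCEPT [1:80]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
COMMIT
EOF
ruleset_diff "$BASELINE" "$LIVE"
```

On a real host, run `ruleset_diff /root/iptables.default.txt <(iptables-save)` under bash, or save the live dump to a file first under plain sh.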
Below is what happens to these rules when a virtual machine on the private network (virbr0) is started on this physical host.
[root@training ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@training ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  192.168.122.0/24    !192.168.122.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@training ~]#