Answer the question
In order to leave comments, you need to log in
How and where to correctly register your iptables NAT rules in the host system in KVM?
Good afternoon,
there is a Centos 6.6 server, KVM / libvirt is installed on it, there are guest systems.
Out of habit, I write my necessary rules for NAT in /etc/sysconfig/iptables.
But when the server is restarted, the rules
MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE
udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024
all -- 192.168.122.0/24 !192.168.122.0/24
which overwrite mine.
Please tell me how you can write your own rules and so that only they work
when the system is rebooted?
Answer the question
In order to leave comments, you need to log in
How to keep iptables rules after Ubuntu reboot? Maybe there is an answer
Didn't work with KVM, but logic tells me to find scripts that overwrite custom rules. If you can’t find it or you need to do it quickly, then you need to write your own script that will re-rewrite the rules.
You can implement it by writing a script in which all the rules are first thrown off and then the necessary ones are loaded. Insert this script into autoload after starting KVM.
Are you using nat to access the network for guests?
https://libvirt.org/firewall.html
The solution to the question is this:
Libvirtd hook to apply iptables rules
When installing KVM/qemu virtualization and using NAT, there is a problem with applying /etc/sysconfig/iptables rules. When the system boots, the iptables service starts at an early stage: /etc/rc3.d/S08iptables -> ../init.d/iptables
Then, at the end of the boot, libvirtd starts: /etc/rc3.d/S08iptables -> ../init. d/iptables which applies its default rules if NAT is used for guest OSes.
It might look like this:
MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports:
1024-65UE535 MASQUERADE udp -- 192.168.122.0/24 - 192.168.122.0/24 !192.168.122.0/24
As a result, NAT rules do not work as they were applied in /etc/sysconfig/iptables.
The following is a solution for using hooks in libvirtd to restart the iptables service after libvirtd starts:
1. mkdir /etc/libvirt/hooks
2. vi /etc/libvirt/hooks/network
#!/bin/bash
# Libvirt hook, see: https:/ /www.libvirt.org/hooks.html
# for iptables reloading after host booted
if [ "$2" = "started" ]; then
/etc/init.d/iptables restart
fi;
exit0;
3. chmod 755 /etc/libvirt/hooks/network
That is, the iptables service is restarted after the libvirtd daemon is started, applying the iptables system rules.
Description of libvirt hooks:
www.libvirt.org/hooks.html
libvirt.org/formatnwfilter.html
wiki.libvirt.org/page/Networking#NAT_forwarding_.2...
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question