Hi All,<br><br>I noticed that if I turn on the libvirtd service via chkconfig it ends up breaking my iptables by adding duplicated rules.<br><br>For you to have an idea here's the output of iptables-save -c after a reboot with libvirtd off:<br>
<br># Generated by iptables-save v1.4.5 on Mon Jan 25 19:34:39 2010<br>*nat<br>:PREROUTING ACCEPT [21:7584]<br>:POSTROUTING ACCEPT [21:1673]<br>:OUTPUT ACCEPT [21:1673]<br>[0:0] -A PREROUTING -d <a href="http://192.168.0.6/32" target="_blank">192.168.0.6/32</a> -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.122.118 <br>
[0:0] -A POSTROUTING -s <a href="http://192.168.122.0/24" target="_blank">192.168.122.0/24</a> ! -d <a href="http://192.168.122.0/24" target="_blank">192.168.122.0/24</a> -j MASQUERADE <br>COMMIT<br># Completed on Mon Jan 25 19:34:39 2010<br>
# Generated by iptables-save v1.4.5 on Mon Jan 25 19:34:39 2010<br>
*filter<br>:INPUT ACCEPT [0:0]<br>:FORWARD ACCEPT [0:0]<br>:OUTPUT ACCEPT [105:11066]<br>[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT <br>[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT <br>[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT <br>
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT <br>[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT <br>[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT <br>[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT <br>
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT <br>[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 80 -j ACCEPT <br>[0:0] -A INPUT -i wlan0 -p tcp -m tcp --dport 80 -j ACCEPT <br>[41:23909] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT <br>
[0:0] -A INPUT -p icmp -j ACCEPT <br>[2:120] -A INPUT -i lo -j ACCEPT <br>[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT <br>[0:0] -A INPUT -p tcp -m tcp --dport 11201 -j ACCEPT <br>[0:0] -A INPUT -p udp -m udp --dport 11201 -j ACCEPT <br>
[36:6884] -A INPUT -j REJECT --reject-with icmp-host-prohibited <br>[0:0] -A FORWARD -d <a href="http://192.168.122.0/24" target="_blank">192.168.122.0/24</a> -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT <br>
[0:0] -A FORWARD -s <a href="http://192.168.122.0/24" target="_blank">192.168.122.0/24</a> -i virbr0 -j ACCEPT <br>
[0:0] -A FORWARD -i virbr0 -o virbr0 -j ACCEPT <br>[0:0] -A FORWARD -i wlan0 -o virbr0 -p tcp -m tcp --dport 80 -j ACCEPT <br>[0:0] -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable <br>[0:0] -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable <br>
[0:0] -A FORWARD -j REJECT --reject-with icmp-host-prohibited <br>COMMIT<br># Completed on Mon Jan 25 19:34:39 2010<br><br>and this is the output of the same command after a reboot with libvirtd on:<br><br># Generated by iptables-save v1.4.5 on Mon Jan 25 19:46:03 2010<br>
*nat<br>:PREROUTING ACCEPT [6:965]<br>:POSTROUTING ACCEPT [50:3703]<br>:OUTPUT ACCEPT [52:4038]<br>[0:0] -A PREROUTING -d <a href="http://192.168.0.6/32" target="_blank">192.168.0.6/32</a> -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.122.118 <br>
[1:295] -A POSTROUTING -s <a href="http://192.168.122.0/24" target="_blank">192.168.122.0/24</a> ! -d <a href="http://192.168.122.0/24" target="_blank">192.168.122.0/24</a> -j MASQUERADE <br>[1:40] -A POSTROUTING -s <a href="http://192.168.122.0/24" target="_blank">192.168.122.0/24</a> ! -d <a href="http://192.168.122.0/24" target="_blank">192.168.122.0/24</a> -j MASQUERADE <br>
COMMIT<br># Completed on Mon Jan 25 19:46:03 2010<br># Generated by iptables-save v1.4.5 on Mon Jan 25 19:46:03 2010<br>*filter<br>:INPUT ACCEPT [0:0]<br>:FORWARD ACCEPT [0:0]<br>:OUTPUT ACCEPT [338:37036]<br>[1:74] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT <br>
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT <br>[1:328] -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT <br>[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT <br>[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT <br>
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT <br>[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT <br>[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT <br>[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT <br>
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT <br>[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT <br>[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT <br>[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 80 -j ACCEPT <br>
[0:0] -A INPUT -i wlan0 -p tcp -m tcp --dport 80 -j ACCEPT <br>[190:99034] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT <br>[0:0] -A INPUT -p icmp -j ACCEPT <br>[2:120] -A INPUT -i lo -j ACCEPT <br>[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT <br>
[0:0] -A INPUT -p tcp -m tcp --dport 11201 -j ACCEPT <br>[0:0] -A INPUT -p udp -m udp --dport 11201 -j ACCEPT <br>[78:13517] -A INPUT -j REJECT --reject-with icmp-host-prohibited <br>[0:0] -A FORWARD -d <a href="http://192.168.122.0/24" target="_blank">192.168.122.0/24</a> -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT <br>
[0:0] -A FORWARD -s <a href="http://192.168.122.0/24" target="_blank">192.168.122.0/24</a> -i virbr0 -j ACCEPT <br>[0:0] -A FORWARD -i virbr0 -o virbr0 -j ACCEPT <br>[0:0] -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable <br>
[0:0] -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable <br>[0:0] -A FORWARD -d <a href="http://192.168.122.0/24" target="_blank">192.168.122.0/24</a> -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT <br>
[0:0] -A FORWARD -s <a href="http://192.168.122.0/24" target="_blank">192.168.122.0/24</a> -i virbr0 -j ACCEPT <br>
[0:0] -A FORWARD -i virbr0 -o virbr0 -j ACCEPT <br>[0:0] -A FORWARD -i wlan0 -o virbr0 -p tcp -m tcp --dport 80 -j ACCEPT <br>[0:0] -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable <br>[0:0] -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable <br>
[0:0] -A FORWARD -j REJECT --reject-with icmp-host-prohibited <br>COMMIT<br># Completed on Mon Jan 25 19:46:03 2010<br><br>As you can see when the libvirtd daemon is up I end up with a number of duplicated entries ...<br>
<br>this is then content of /etc/sysconfig/iptables in both cases:<br><br># Generated by iptables-save v1.4.5 on Thu Jan 21 19:54:46 2010<br>*nat<br>:PREROUTING ACCEPT [24306:3491836]<br>:POSTROUTING ACCEPT [17614:1213585]<br>
:OUTPUT ACCEPT [16779:1092505]<br>-A PREROUTING -d <a href="http://192.168.0.6/32">192.168.0.6/32</a> -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.122.118 <br>-A POSTROUTING -s <a href="http://192.168.122.0/24">192.168.122.0/24</a> ! -d <a href="http://192.168.122.0/24">192.168.122.0/24</a> -j MASQUERADE <br>
COMMIT<br># Completed on Thu Jan 21 19:54:46 2010<br># Generated by iptables-save v1.4.5 on Thu Jan 21 19:54:46 2010<br>*filter<br>:INPUT ACCEPT [0:0]<br>:FORWARD ACCEPT [0:0]<br>:OUTPUT ACCEPT [544711:383016639]<br>-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT <br>
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT <br>-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT <br>-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT <br>-A INPUT -i virbr0 -p tcp -m tcp --dport 80 -j ACCEPT <br>
-A INPUT -i wlan0 -p tcp -m tcp --dport 80 -j ACCEPT <br>-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT <br>-A INPUT -p icmp -j ACCEPT <br>-A INPUT -i lo -j ACCEPT <br>-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT <br>
-A INPUT -p tcp -m tcp --dport 11201 -j ACCEPT <br>-A INPUT -p udp -m udp --dport 11201 -j ACCEPT <br>-A INPUT -j REJECT --reject-with icmp-host-prohibited <br>-A FORWARD -d <a href="http://192.168.122.0/24">192.168.122.0/24</a> -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT <br>
-A FORWARD -s <a href="http://192.168.122.0/24">192.168.122.0/24</a> -i virbr0 -j ACCEPT <br>-A FORWARD -i virbr0 -o virbr0 -j ACCEPT <br>-A FORWARD -i wlan0 -o virbr0 -p tcp -m tcp --dport 80 -j ACCEPT <br>-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable <br>
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable <br>-A FORWARD -j REJECT --reject-with icmp-host-prohibited <br>COMMIT<br># Completed on Thu Jan 21 19:54:46 2010<br><br>Has anyone experienced this? Is there another file that libvirtd uses to manipulate iptables?<br>
<br>Thanks in advance,<br><br>Daniel<br>