libvirtd and public access to guests

Didar Hossain didar.hossain at gmail.com
Sat Oct 10 08:56:45 UTC 2009


On Thu, Oct 8, 2009 at 3:32 PM, Pavel Lisy <pali at tmapy.cz> wrote:
> Hello
>
> I've started playing with libvirt and I have a question.
>
> What is the proper way to make a guest accessible from the net?
>
> I have mode=nat /var/lib/libvirt/network/default.xml.
>
> libvirtd makes these rules in the FORWARD chain
>
> -A FORWARD -d 192.168.231.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -s 192.168.231.0/24 -i virbr0 -j ACCEPT
> -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
> -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>
> If I add
> iptables -I FORWARD -i eth0 -o virbr0 -j ACCEPT
> guests are accessible
>
> My question is:
> Is it possible to write this somewhere in the configuration?
>
> I've tried to put it in /etc/sysconfig/iptables but libvirtd puts its
> rules before mine.
>
>
> I've found two directories
> /var/lib/libvirt/iptables/filter
> /var/lib/libvirt/iptables/nat

I was hoping someone with more experience would help you on this issue.

It is better to write your own rules than to mess with these files
(/var/lib/libvirt).

The default network mode of libvirt is a private network behind NAT.
The guests are provided an IP address via DHCP. If you want a guest to
be accessible from the Internet then you will have to configure a static
IP in your guest; ensure that you give it an IP in the 192.168.231.0/24
range.

Then you will have to set up DNAT iptables rules. AFAIK, to prevent
libvirt from overriding your rules, you should be using "-I" (INSERT)
instead of "-A" (APPEND). Put your rules in the file
/etc/sysconfig/iptables

This is the theory. I *do not* use libvirt. I use VDE for my
networking with command line KVM.

HTH,
Didar
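An added example (not from either poster) of the DNAT plus FORWARD pair described above, using the thread's eth0, virbr0 and 192.168.231.0/24 values and the "-I" rule ordering. It only prints the commands, and the FORWARD rule is narrowed to the published guest address and port instead of the blanket `-i eth0 -o virbr0 -j ACCEPT` from the question; the interface names and the guest address are assumptions.

```shell
#!/bin/sh
# Added example: emit the iptables rules that publish one TCP port of a
# NAT'd libvirt guest via the host's public interface. Assumed values from
# the thread: host interface eth0, libvirt bridge virbr0, guest network
# 192.168.231.0/24; the guest must have a static address in that range.
WAN_IF=eth0
BRIDGE=virbr0
GUEST_NET=192.168.231

# in_guest_net IP  -> returns 0 if IP lies in 192.168.231.0/24, else 1
in_guest_net() {
    case "$1" in
        "$GUEST_NET".*) return 0 ;;
        *)              return 1 ;;
    esac
}

# publish_rules PUBLIC_PORT GUEST_IP GUEST_PORT
# Prints (does not run) the two rules. Both use -I so they land ahead of the
# REJECT rules libvirt appends to FORWARD. The FORWARD rule admits only new
# connections to this guest:port; libvirt's own RELATED,ESTABLISHED rule and
# its "-s 192.168.231.0/24 -i virbr0 -j ACCEPT" rule carry the return traffic.
publish_rules() {
    pub_port=$1; guest_ip=$2; guest_port=$3
    in_guest_net "$guest_ip" || {
        echo "guest IP $guest_ip is not in $GUEST_NET.0/24" >&2
        return 1
    }
    printf 'iptables -t nat -I PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$pub_port" "$guest_ip" "$guest_port"
    printf 'iptables -I FORWARD -i %s -o %s -p tcp -d %s --dport %s -j ACCEPT\n' \
        "$WAN_IF" "$BRIDGE" "$guest_ip" "$guest_port"
}

# Usage: sh publish.sh 2222 192.168.231.10 22   (pipe the output into sh to apply)
if [ $# -eq 3 ]; then publish_rules "$@"; fi
```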
