At 5:49 PM -0500 3/13/07, Mikkel L. Ellertson wrote:
>Tony Nelson wrote:
>> At 1:26 PM -0500 3/13/07, Mikkel L. Ellertson wrote:
>>
>>> You would then create whatever firewall rules you wish on
>>> your virtual machine using the tap0 interface, just like you would
>>> using eth0 if it were a stand-alone machine. You may have to add
>>> rules to set the defaults on eth0 to accept in order to purge the
>>> old rules.
>>
>> Actually, I don't think I'd need any rules at all for the VM, as it should
>> be able to do its own firewalling -- and it does, I'm fighting with it now
>> (and winning!).
>>
>Yes, the VM should have firewall rules based on what it calls tap0.

It calls its interface eth0, of course. 8-)

>But you need to make sure that the rule for eth0 on the real machine
>accept all packets. If you are bringing up iptables before you are
>creating the bridge, then it probably has rules and/or policies for
>eth0. It is also possible to add rules for individual interfaces
>that make up the bridge, but in this case, you will probably want
>the bridge interfaces to accept everything.

I'm reading Rusty Russell's Linux iptables HOWTO now. Section 5 says it
works on IPs, not on interfaces. Thus, packets come into the kernel from
either end of the bridge; if they're for our IP, they then traverse the
INPUT chain; if they're for another IP (the world or the sandbox), they
traverse the FORWARD chain. I'll try to prove that tomorrow.

>>> One thing you could try after the bridge is up is to run "service
>>> iptables restart". This might reset the firewall rules to use br0
>>> instead of eth0.

I don't think that's an issue. So far, my changes have worked instantly
(or not at all :).

>> FWIW, I have been doing "iptables --flush" and later "iptables-restore",
>> and that doesn't unfilter the tap. I think, since the output of "iptables
>> -vL" says "any" for the interface, that I'd have to make more specific
>> rules. Maybe I'm starting to understand it.
>
>Keep in mind that running "iptables --flush" does not change the
>default policy - it just deletes the (user defined) rules. Running
>"service iptables stop" will also reset the default policies.

The default policy is ACCEPT.

>I am not sure, but I suspect that the rules in
>/etc/sysconfig/iptables get evaluated differently if the bridge is up.

I'm not sure either, and I'm too tired to try it now. Tomorrow I'll see
if simply doing "iptables -F FORWARD" is all I need for the bridge's tap0
to be unfirewalled.

-- 
____________________________________________________________________
TonyN.:'                       <mailto:tonynelson@xxxxxxxxxxxxxxxxx>
      '                              <http://www.georgeanelson.com/>
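Added example, not part of the thread: a Python check that parses a constructed `iptables -vL` listing and reports the two things the exchange above circles around, a catch-all REJECT/DROP in FORWARD whose interface columns read "any" (so it matches bridged traffic to tap0 as well), and a chain policy other than ACCEPT, which `iptables --flush` leaves in place. The listing, its counters and the br0 interface name are assumptions.

```python
import re

# Constructed sample of `iptables -vL` output (not captured from any real host),
# modelled on Fedora-style defaults; FORWARD policy is DROP only to exercise the check.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 1234 packets, 567K bytes)
 pkts bytes target     prot opt in     out     source               destination
  100  8000 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
   10   600 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  br0    br0     anywhere             anywhere
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")
WILDCARD_IFACES = ("any", "*")  # "any" from -vL, "*" from -vnL

def parse_listing(text):
    """Return {chain: {"policy": str|None, "rules": [dict]}} from `iptables -vL` text."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            m = CHAIN_RE.match(line)  # user-defined chains carry no policy
            current = line.split()[1]
            chains[current] = {"policy": m.group(2) if m else None, "rules": []}
            continue
        fields = line.split()
        # Skip blank lines, the column header, and text outside any chain.
        if not fields or fields[0] == "pkts" or current is None:
            continue
        target, proto, iface_in, iface_out = fields[2], fields[3], fields[5], fields[6]
        chains[current]["rules"].append({"target": target, "proto": proto, "in": iface_in,
                                         "out": iface_out, "extra": " ".join(fields[9:])})
    return chains

def bridge_blockers(chains, chain="FORWARD"):
    """List what in `chain` would stop traffic crossing the bridge to tap0."""
    # A terminating DROP/REJECT with in=any and out=any matches bridge members too,
    # and a non-ACCEPT chain policy survives `iptables --flush`.
    info = chains.get(chain, {"policy": "ACCEPT", "rules": []})
    findings = []
    for r in info["rules"]:
        if (r["target"] in ("DROP", "REJECT")
                and r["in"] in WILDCARD_IFACES and r["out"] in WILDCARD_IFACES):
            findings.append(f"{chain}: catch-all {r['target']} ({r['extra'] or 'no match'})")
    if info["policy"] not in (None, "ACCEPT"):
        findings.append(f"{chain}: policy is {info['policy']}, a flush will not change it")
    return findings
```

Run it against real output with `parse_listing(subprocess.check_output(["iptables", "-vL"], text=True))` and check `bridge_blockers` for each chain before and after a flush.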