Re: libvirtd and public access to guests

Didar Hossain wrote:
On Thu, Oct 8, 2009 at 3:32 PM, Pavel Lisy <pali@xxxxxxxx> wrote:
Hello

I've started playing with libvirt and I have a question.

What is the proper way to make a guest accessible from the net?

I have mode=nat in /var/lib/libvirt/network/default.xml.

libvirtd makes these rules in the FORWARD chain:

-A FORWARD -d 192.168.231.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.231.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

If I add
iptables -I FORWARD -i eth0 -o virbr0 -j ACCEPT
the guests are accessible.

My question is:
Is it possible to write this somewhere in the configuration?

I've tried to put it in /etc/sysconfig/iptables, but libvirtd puts its
rules before mine.


I've found two directories
/var/lib/libvirt/iptables/filter
/var/lib/libvirt/iptables/nat

I was hoping someone with more experience would help you on this issue.

It is better to write your own rules than to mess with these files
(/var/lib/libvirt).

The default network mode of libvirt is a private network behind NAT.
The guests are provided an IP address via DHCP. If you want a guest to
be accessible from the Internet then you will have to configure a static
IP in your guest; ensure that you give an IP in the 192.168.231.0/24
range.

Then you will have to set up DNAT iptables rules. AFAIK, to prevent
libvirt from overriding your rules, you should be using "-I" (INSERT)
instead of "-A" (APPEND). Put your rules in the file
/etc/sysconfig/iptables

This is the theory. I *do not* use libvirt. I use VDE for my networking
with command line KVM.

I set mine up to pass through to the DHCP server in the outside world, and identify the VM by using a MAC address setting so DHCP can assign the IP. If for any reason I need to change IP addressing I can do it all in the dhcpd.conf file. I'm also using KVM from the command line, with startup scripts, and I define my own bridge and add the external NIC to that.

Another of the many possible ways to address having servers in a VM.

--
Bill Davidsen <davidsen@xxxxxxx>
  "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
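The port-forward set-up described in the thread, as an added example that is not code from any of the posters. It assumes the names from the thread (host NIC eth0, libvirt bridge virbr0, the default NAT subnet 192.168.231.0/24) plus a guest with the static address 192.168.231.10 and a host port 2222 forwarded to the guest's port 22; all of those are assumptions for the example, not facts from the page. Unlike the blanket `-I FORWARD -i eth0 -o virbr0 -j ACCEPT` rule in the original question, which reaches every port on every NAT guest, the generated rules open exactly one guest address and port: a DNAT rule in the nat PREROUTING chain and a matching FORWARD rule for NEW connections only. Both use -I so they land ahead of libvirt's `-o virbr0 -j REJECT`; reply packets are already covered by libvirt's own RELATED,ESTABLISHED rule. Because libvirt inserts its rules at the head of FORWARD whenever the network starts, run the script after the libvirt network is up (not only from the boot-time iptables restore), which is why the question's rules ended up below libvirt's.

```sh
#!/bin/sh
# Added example: expose one TCP port of a libvirt NAT guest through the host.
# Assumed names (not from the original thread): eth0, virbr0, 192.168.231.10.
# Usage: PORTFWD_APPLY=1 ./portfwd.sh eth0 virbr0 192.168.231.10 2222 22
# Without PORTFWD_APPLY=1 the script only prints the rules it would run.

# valid_port PORT -> 0 if PORT is an integer in 1..65535, else 1
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# portfwd_rules HOST_IF BRIDGE GUEST_IP HOST_PORT GUEST_PORT
# Prints the iptables commands, one per line, in the order they must run.
portfwd_rules() {
    host_if=$1; bridge=$2; guest_ip=$3; host_port=$4; guest_port=$5
    valid_port "$host_port"  || { echo "bad host port: $host_port" >&2;  return 1; }
    valid_port "$guest_port" || { echo "bad guest port: $guest_port" >&2; return 1; }

    # 1. Rewrite the destination of packets arriving on the public interface.
    #    Restricting to -i $host_if keeps guest-to-guest traffic untouched.
    printf '%s\n' "iptables -t nat -I PREROUTING -i $host_if -p tcp --dport $host_port -j DNAT --to-destination $guest_ip:$guest_port"

    # 2. Let only that NEW connection cross FORWARD into the bridge. -I puts it
    #    ahead of libvirt's '-o virbr0 -j REJECT'; replies from the guest are
    #    accepted by libvirt's existing RELATED,ESTABLISHED and '-i virbr0' rules.
    printf '%s\n' "iptables -I FORWARD -i $host_if -o $bridge -d $guest_ip -p tcp --dport $guest_port -m state --state NEW -j ACCEPT"
}

# portfwd_rule_count: number of rules generated, for sanity checks.
portfwd_rule_count() {
    portfwd_rules "$@" | wc -l | tr -d ' '
}

# apply_portfwd: run the rules as root when PORTFWD_APPLY=1, else dry run.
apply_portfwd() {
    if [ "${PORTFWD_APPLY:-0}" != 1 ]; then
        echo "dry run; set PORTFWD_APPLY=1 to apply" >&2
        portfwd_rules "$@"
        return
    fi
    [ "$(id -u)" -eq 0 ] || { echo "must be root to change iptables" >&2; return 1; }
    # Feed the generated commands to a shell that stops at the first failure.
    portfwd_rules "$@" | sh -e
}

if [ "$#" -ge 5 ]; then
    apply_portfwd "$@"
fi
```

After applying, confirm the ordering with `iptables -S FORWARD` and `iptables -t nat -S PREROUTING`: the new ACCEPT must be listed before libvirt's `-o virbr0 -j REJECT` line, otherwise the packet is rejected before it reaches your rule. Two caveats the thread does not mention: connections originating on the host itself do not pass through PREROUTING, so `ssh -p 2222 localhost` will not reach the guest without a separate DNAT rule in the nat OUTPUT chain; and forwarding to a DHCP-assigned guest address breaks silently when the lease changes, which is why the reply above insists on a static guest IP.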

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
