Iptables – How to prevent libvirt from adding iptables rules for guest NAT networks

iptables, kvm-virtualization, libvirt

Similar to this old request on BugZilla for Fedora 8, I'm hoping something has changed since then or someone knows another way.

I want to manage the iptables rules by hand—the one-size-fits-all automatic rules don't suit me at all. These rules seem to be added and removed when a network is started and destroyed. Is there a way of either preventing these rules from being added at all, or hooking a script into the network start that restores the default rules afterwards?

For now, I'm using a very crude method with cron, but I hope there is a better way:

  *  *  *  *  * root    iptables-restore < /etc/sysconfig/iptables

Best Answer

Well, I've found an answer that suits me: I've gone back to school and learned to do it the old-fashioned way. No need to use libvirt's fancy networking functions as I can just:

  • set up my own bridged network(s) (not attached to any physical network port)
  • use a DHCP server on the host and masquerade in iptables
  • edit the libvirt guest config files to use the bridge(s)
  • have complete flexibility in how I want to configure security with iptables
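A hand-maintained ruleset for the setup the answer describes (host-only bridge, dnsmasq on the host, masquerade out the uplink), written as an added example and not taken from the original post. It generates an iptables-restore file whose FORWARD chain only passes traffic for the guest subnet, so guests cannot reach other networks on the host; the bridge name br0, guest subnet 192.168.100.0/24 and uplink interface eth0 are assumed values.

```shell
#!/bin/sh
# Added example (not from the original post): emit an iptables-restore
# ruleset for a libvirt-free bridged guest network that the host masquerades.
# Bridge, guest subnet and uplink names below are assumptions for this host.
set -eu

# gen_rules BRIDGE SUBNET_CIDR UPLINK_IF
# Prints a complete *filter and *nat ruleset suitable for
#   gen_rules br0 192.168.100.0/24 eth0 > /etc/sysconfig/iptables
# INPUT is left ACCEPT so this fragment does not alter host access;
# tighten the host's own INPUT rules separately.
gen_rules() {
  bridge=$1; subnet=$2; uplink=$3
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Guests may only be forwarded from their own subnet on the bridge to the uplink.
-A FORWARD -i $bridge -o $uplink -s $subnet -j ACCEPT
# Only replies to guest-initiated connections come back in.
-A FORWARD -i $uplink -o $bridge -d $subnet -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Masquerade guest traffic only when it actually leaves via the uplink.
-A POSTROUTING -s $subnet -o $uplink -j MASQUERADE
COMMIT
EOF
}

# count_masquerade BRIDGE SUBNET_CIDR UPLINK_IF
# Sanity check: exactly one MASQUERADE rule, scoped to the guest subnet and uplink.
count_masquerade() {
  gen_rules "$1" "$2" "$3" | grep -c -- "-A POSTROUTING -s $2 -o $3 -j MASQUERADE"
}

# Stand-alone usage: print the ruleset for review before loading it.
gen_rules br0 192.168.100.0/24 eth0
```

Load the output with `iptables-restore` once the bridge is up; because the rules are written to a file you own, libvirt never touches them and the cron-based restore from the question becomes unnecessary.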