First, I want to say: I know it was done wrong initially, and I want to avoid doing everything again from scratch because of the general downtime.
I am running libvirt/KVM on RHEL. I've got a VM which runs with the NAT networking profile (the default one). I've set up port forwarding etc. from the host via sysconfig/iptables, and everything is fine.
But if the libvirtd daemon reloads for some internal reason, or receives SIGHUP, it reloads the iptables configuration and adds rules from its filtering profiles, i.e. everything works as designed and documented (libvirt and firewall + libvirt nwfilter documentation). There is no problem with the software; this is a configuration issue.
But some rules introduce REJECTs before I need them, and I can't connect to the machine via forwarded ports, as seen below:
After running service iptables restart, everything will work as before.
Is there a way to force libvirt to change the order of these two, or to disable these particular rules?
Maybe someone has faced exactly the same issue and has an answer ready.
Thanks
Best Answer
You can create your own NAT network instead, which means libvirt won't add any firewall rules. See the Custom NAT-based Network section of the libvirt Networking Handbook.
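One way to set up what the answer describes, as an added example that is neither the answerer's code nor the handbook's: a libvirt network that only attaches guests to a bridge the host already manages (forward mode "bridge"), so libvirt installs no iptables rules for it, next to the MASQUERADE, DNAT and FORWARD rules the host then owns and keeps in sysconfig/iptables. The bridge name, subnet, guest address and ports are assumptions; the host must also give the bridge its IP and provide DHCP (or use static guest addresses), since libvirt will not run dnsmasq for this network.

```shell
#!/bin/sh
# Constructed example: values below are assumptions, adjust to your host.
BR=natbr0                  # existing host bridge (ip link / ifcfg-natbr0), not created by libvirt
SUBNET=192.168.100.0/24    # guest subnet configured on that bridge
GUEST=192.168.100.10       # guest that should receive the forwarded port
HOST_PORT=2222             # port exposed on the host
GUEST_PORT=22              # destination port inside the guest

# libvirt network definition: forward mode "bridge" plus an existing bridge name
# means libvirt neither creates the bridge nor adds firewall/DHCP for it, so a
# libvirtd reload can no longer reorder rules in front of your own.
libvirt_network_xml() {
  cat <<EOF
<network>
  <name>customnat</name>
  <forward mode="bridge"/>
  <bridge name="$BR"/>
</network>
EOF
}

# NAT and port forwarding owned by the host. Printed as commands so they can be
# reviewed and saved with "service iptables save"; libvirt will not touch them.
nat_rules() {
  cat <<EOF
iptables -t nat -A POSTROUTING -s $SUBNET ! -d $SUBNET -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to-destination $GUEST:$GUEST_PORT
iptables -A FORWARD -i $BR -s $SUBNET -j ACCEPT
iptables -A FORWARD -o $BR -d $GUEST -p tcp --dport $GUEST_PORT -j ACCEPT
iptables -A FORWARD -o $BR -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Only change the system when explicitly asked and running as root;
# otherwise the functions just print what would be applied.
if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
  libvirt_network_xml > /tmp/customnat.xml
  virsh net-define /tmp/customnat.xml && virsh net-autostart customnat && virsh net-start customnat
  nat_rules | sh
else
  libvirt_network_xml
  nat_rules
fi
```

Run with APPLY=1 as root to define the network and load the rules; without it, the script only prints the XML and the iptables commands for review.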