Multiple networks with firewalld and libvirt/KVM

centos7firewalldkvm-virtualizationlibvirtnetworking

In the past i had a hypervisor set up with libvirt/KVM and IPtables in order to have VMs reachable through NAT on IPv4 (forwarding and masquerading don in iptables) and directly on IPv6 (routed network configured in libvirt), according to this tutorial collection (Example 1).

Since i wanted to switch to CentOS 7, which comes now with firewalld as default, i thought it would be reasonable to use firewalld instead of iptables.

Can i use firewalld as a "drop in replacement" for this purpose or are there limitations or problems with libvirt?

Best Answer

When libvirtd starts up it will automatically probe to see if firewalld is available. If it is running, then libvirtd will use firewalld DBus APIs, instead of running iptables directly. So this from POV everything that libvirt does wrt firewall rules should continue to "just work" if you have firewalld enabled.

If you are adding custom firewall rules yourself, separately from those libvirtd adds, then you can use the firewall-cmd --direct option which essentially allows a straight pass-through mode - almost every option you would use with the iptables command is valid for firewall-cmd --direct

Related Solutions

Ubuntu – Any non-custom way to manage iptables with fail2ban and libvirt+kvm

This is really old but for people who search and find this, fail2ban and like a lot of other utilities are very configurable. You can change your fail2ban action files like iptables-multiport.conf to call iptables and create chains in the way you want it.

eg.

actionstart = iptables -N fail2ban-<name>
          iptables -A fail2ban-<name> -j RETURN
          iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>

This creates a rule smack bang in your INPUT chain which is kind of ugly and unmanageable, but you can quite easily put it in one of your own chains in your control. You can create an INPUT filter which then has chains to other filters for fail2ban to keep all it's stuff out of your INPUT chain as below.

actionstart = iptables -N fail2ban-<name>
          iptables -A fail2ban-<name> -j RETURN
          iptables -I INPUT-FAIL2BAN -p <protocol> -m multiport --dports <port> -j fail2ban-<name>

The same goes for libvirt or Xen where there are scripts that are called to do the work. Xen for instance uses /etc/xen/scripts which you'll find the network-bridge and others where iptables is called. Design it as you want.and worst case, change the code. I for one use fail2ban to modify a central firewall so all servers are protected which means iptables on the local machine doesn't show the rules anyway.

Ubuntu – apt-get update can not connect

Since you can ping sites from the VM, routing can't be the problem - at least I don't see how it could. Could you maybe post the iptables for the filter-table? Maybe there's a problem with forwarding outgoing new connections over specific ports.

Just to make sure I understood correctly what topology you are using: you have a physical Ubuntu 10.04 server with two IPs, on that server you run a VM which has one interface that is bridged to one of the interfaces of the server? I think I got something wrong here, doesn't quite match up your description...

On another note, is it intentional INPUT and OUTPUT have their policies set to ACCEPT and additionally a bunch of rules that also jump to ACCEPT? I don't see how that could affect your problem, I'm just curious :P

Best Answer

Related Solutions

Ubuntu – Any non-custom way to manage iptables with fail2ban and libvirt+kvm

Ubuntu – apt-get update can not connect

Related Topic