Thanks for the answers. I think the open network type is not available yet on the 
version that comes with RHEL 7.

On 3 Jan 2017, at 22:06, Laine Stump <la...@laine.org> wrote:

On 12/22/2016 09:48 AM, Omer Aldemir wrote:

Hello,


I am trying to understand how libvirt firewall rules are loaded, as I have the 
firewalld and iptables services disabled.

libvirt will add its iptables rules via firewalld if firewalld is enabled and 
running, otherwise it executes iptables commands directly.



Where are the configuration files for the firewall and NAT rules for libvirt?

There are no configuration files for the iptables rules that libvirt adds. The 
simple set of rules that is added is fixed for each type of libvirt network - 
NAT, routed, and isolated. Here is a description of exactly what is added for 
each of these types of network:

   https://libvirt.org/firewall.html

(actually I just realized that I forgot to add information there about a new 
network forwarding type I recently added - "open", which doesn't add *any* 
iptables rules - this is intended for those who want to do their own iptables 
setup for libvirt networks, outside of libvirt.)


How can I load the default firewall rules if I mess things up?

To reload all the iptables rules for all active libvirt networks, just restart 
the libvirtd service.



Also I have realized that the following is the default:


ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED


but if I am to forward a port for a real IP to an internal guest machine I need


ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24     state NEW,RELATED,ESTABLISHED


(NEW state is required) and also of course a forwarding rule


iptables -t nat -I PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 192.168.122.16:3389


Is there a place I can make these rules static with libvirt (not playing with 
firewalld and/or the iptables service on CentOS 7)?

The best that can be done with current libvirt is to create a "hook" script 
similar to the one described here:

https://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections

(That worked the last time I tried it, but that was at least 3 years ago. The 
python script available as a link from that page is newer and promises to be 
easier to understand (maybe))
_______________________________________________
libvirt-users mailing list
libvirt-users@redhat.com
https://www.redhat.com/mailman/listinfo/libvirt-users
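As an added example (not code from the thread or from the libvirt wiki page Laine links), a minimal qemu hook script in the spirit of that page: when the guest starts it inserts the DNAT rule from the thread plus a FORWARD rule that also accepts NEW connections (the piece the default RELATED,ESTABLISHED rule lacks), and it removes both when the guest stops. The guest name, the hook path and the rule placement are assumptions; the IP and port come from the thread.

```shell
#!/bin/sh
# Hypothetical hook, installed as /etc/libvirt/hooks/qemu (path assumed).
# libvirt invokes it as: qemu <guest> <operation> <sub-operation> -
GUEST_NAME="rdp-guest"       # constructed domain name
GUEST_IP="192.168.122.16"    # guest address from the thread
PORT="3389"                  # forwarded TCP port from the thread

# Emit the two iptables commands for this guest.
# $1 is -I (insert on start) or -D (delete on stop).
forward_rules() {
  act="$1"
  # nat/PREROUTING: rewrite the host's port to the guest
  printf 'iptables -t nat %s PREROUTING -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
    "$act" "$PORT" "$GUEST_IP" "$PORT"
  # filter/FORWARD: libvirt's own rule only accepts RELATED,ESTABLISHED
  # toward 192.168.122.0/24, so NEW must be accepted explicitly for this port
  printf 'iptables %s FORWARD -d %s -p tcp --dport %s -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT\n' \
    "$act" "$GUEST_IP" "$PORT"
}

# Decide what to do for a given guest and libvirt operation; prints the
# commands to run (nothing for other guests or irrelevant operations).
hook_action() {
  guest="$1"; op="$2"
  [ "$guest" = "$GUEST_NAME" ] || return 0
  case "$op" in
    started) forward_rules -I ;;
    stopped) forward_rules -D ;;
  esac
}

# Apply the rules only when libvirt actually calls us with arguments.
if [ $# -ge 2 ]; then
  hook_action "$1" "$2" | sh
fi
```

Rules added this way are per-guest and disappear with the guest, so a libvirtd restart (which reloads libvirt's own rules) does not leave stale DNAT entries behind.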
