Re: iptables and kvm

2013-01-28 Thread craig
On Friday, January 25, 2013 11:17, Tom H tomh0...@gmail.com said:

>> I am running Debian Wheezy, and have installed kvm. When I list my
>> iptables rules there are a set of default rules defined, and
>> forwarding is set up for my virtual network. For the life of me I can
>> not figure out where these rules are defined, and I would like to
>> make some changes that I want to be permanent. Would anyone mind
>> enlightening me as to where I can find the source of those rules?
>>
>> grep -RIil iptables /etc/* returns nothing.
>
> To the OP: AFAIK, if you set up a nat-based VM, libvirt/qemu'll set up
> the rules that you're seeing. If they're in a grepable form, they'll
> probably be under /usr.

Hi Tom,

I think you are correct as far as where the rules came from, but I
don't think they are going to be grepable. The source contains
iptables.c, and a few other similarly named files. I haven't done C in
a while, but I'll try to make sure that is where my rules came from.
There are also changelog entries that appear to back this up as well.

I'll do a bit more digging, but I think I have my answer.

Thanks!
Craig


Sent - Gtek Web Mail



--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1359379792.447916...@webmail.gtek.biz



Re: iptables and kvm

2013-01-28 Thread Tom H
On Mon, Jan 28, 2013 at 8:29 AM,  cr...@gtek.biz wrote:
> On Friday, January 25, 2013 11:17, Tom H tomh0...@gmail.com said:
>
>>> I am running Debian Wheezy, and have installed kvm. When I list my
>>> iptables rules there are a set of default rules defined, and
>>> forwarding is set up for my virtual network. For the life of me I can
>>> not figure out where these rules are defined, and I would like to
>>> make some changes that I want to be permanent. Would anyone mind
>>> enlightening me as to where I can find the source of those rules?
>>>
>>> grep -RIil iptables /etc/* returns nothing.
>>
>> To the OP: AFAIK, if you set up a nat-based VM, libvirt/qemu'll set up
>> the rules that you're seeing. If they're in a grepable form, they'll
>> probably be under /usr.
>
> I think you are correct as far as where the rules came from, but I
> don't think they are going to be grepable. The source contains
> iptables.c, and a few other similarly named files. I haven't done C in
> a while, but I'll try to make sure that is where my rules came from.
> There are also changelog entries that appear to back this up as well.
>
> I'll do a bit more digging, but I think I have my answer.
>
> Thanks!

You're welcome.

I've found a confirmation of my AFAIK:

https://bugzilla.redhat.com/show_bug.cgi?id=433484#c1

begin

First, it is already possible to avoid the iptables rules - simply do not
request a NAT based virtual network. The 'default' virtual network is
intentionally NAT based. You are free to remove this  default one which doesn't
provide NAT.

Second, if there are specific flaws you can enumerate with the current iptables
rules then file bugs about them. They are intended to allow only traffic from
guests attached to the network's associated bridge default (eg 'virbr0') & its
configured ip address range. So if this isn't working in some scenarios then we
need to know what those scenarios are so we can fix them.

/end


Archive: http://lists.debian.org/CAOdo=szov+tusjhryqzxhez6d8b7fje_ul+z2am5do72ju+...@mail.gmail.com



Re: iptables and kvm

2013-01-25 Thread Rob Owens
On Fri, Jan 25, 2013 at 12:55:13PM +0700, Sthu Deus wrote:
> Good time of the day, Craig.
>
>
> You wrote:
>
>> I am running Debian Wheezy, and have installed kvm. When I list my
>> iptables rules there are a set of default rules defined, and
>> forwarding is set up for my virtual network. For the life of me I can
>> not figure out where these rules are defined, and I would like to
>> make some changes that I want to be permanent. Would anyone mind
>> enlightening me as to where I can find the source of those rules?
>>
>>
>> grep -RIil iptables /etc/* returns nothing.
>
> If You want to set Your own rules, You can write them to a file where You
> want to hold it, then You can put a script w/ execution bit set in
>
> /etc/network/if-pre-up.d
>
> that will read those files.
>
> As soon as the interface comes up, Your rules will come up too (in case
> they are correct - otherwise the defaults will be used).
>
 
I haven't had very good luck putting iptables rules in
/etc/network/if-pre-up.d while using network-manager.  Last I read,
there's a bug/feature in network-manager that ignores if-pre-up.d.
Instead, I have to use the iptables-persistent package.

-Rob


Archive: http://lists.debian.org/20130125123739.ga26...@aurora.owens.net



Re: iptables and kvm

2013-01-25 Thread craig
And good time of day to you, Sthu.

On Thursday, January 24, 2013 23:55, Sthu Deus sthu.d...@gmail.com said:

> Good time of the day, Craig.
>
> If You want to set Your own rules, You can write them to a file where You
> want to hold it, then You can put a script w/ execution bit set in
>
> /etc/network/if-pre-up.d
>
> that will read those files.
>
> As soon as the interface comes up, Your rules will come up too (in case
> they are correct - otherwise the defaults will be used).
>
>
> Sthu.

I'm afraid I wasn't clear in what I was asking for. I am fairly familiar
with iptables and how to enable my own rules at start up. I am just curious
to know where the existing rules came from. Something I installed created a
set of rules for the virtual network, and I would like to know what caused
that and what causes them to be enabled.

$ sudo iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            192.168.221.0/24     state RELATED,ESTABLISHED
2    ACCEPT     all  --  192.168.221.0/24     0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Thanks, 
Craig


Sent - Gtek Web Mail



Archive: http://lists.debian.org/1359120356.51796...@webmail.gtek.biz
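As an added example (not code from this thread, from Debian or from libvirt), here is a small Python parser for the `iptables -L -n --line-numbers` listing Craig posted. It picks out the rules that belong to a libvirt NAT virtual network, i.e. the ones that open the host's DNS/DHCP ports (53 and 67, the ports Sthu asks about) or name the guest subnet, and it also flags ACCEPT rules that look like any-to-any in `-L` output, because `-L` without `-v` does not print the `-i`/`-o` interface match that actually narrows them. The sample listing is constructed from the posted one with its column spacing restored.

```python
import re
from collections import namedtuple

# Constructed sample modelled on the listing posted in the thread, with the
# column spacing iptables actually prints (the mail archive squashed it).
SAMPLE = """\
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            192.168.221.0/24     state RELATED,ESTABLISHED
2    ACCEPT     all  --  192.168.221.0/24     0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
"""

Rule = namedtuple("Rule", "chain num target proto source dest extra")

def parse_listing(text):
    """Parse `iptables -L -n --line-numbers` output into {chain: [Rule, ...]}."""
    chains, chain = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(policy", line)
        if m:
            chain = m.group(1)
            chains[chain] = []
            continue
        p = line.split(None, 6)   # num target prot opt source dest [extra]
        if chain and p and p[0].isdigit():
            extra = p[6].strip() if len(p) > 6 else ""
            chains[chain].append(Rule(chain, int(p[0]), p[1], p[2], p[4], p[5], extra))
    return chains

def guest_network_rules(chains, subnet):
    """Rules tied to a libvirt NAT network: they name the guest subnet, or open
    the host's dnsmasq DNS/DHCP ports (53/67) that the guests rely on."""
    return [r for rules in chains.values() for r in rules
            if subnet in (r.source, r.dest) or re.search(r"dpt:(53|67)$", r.extra)]

def hidden_interface_accepts(chains):
    """ACCEPT rules that look any-to-any here. `-L` omits -i/-o interface
    matches, so the real restriction only shows with `iptables -L -v` or `-S`."""
    return [r for rules in chains.values() for r in rules
            if r.target == "ACCEPT" and r.source == r.dest == "0.0.0.0/0" and not r.extra]
```

Running `iptables -S` or `iptables -L -v -n` on the host shows the interface matches (libvirt keys its rules to the network's bridge, virbr0 by default), which is why FORWARD rule 3 is narrower than the plain `-L` listing suggests.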



Re: iptables and kvm

2013-01-25 Thread Tom H
On Fri, Jan 25, 2013 at 7:37 AM, Rob Owens row...@ptd.net wrote:
> On Fri, Jan 25, 2013 at 12:55:13PM +0700, Sthu Deus wrote:
>
>>> I am running Debian Wheezy, and have installed kvm. When I list my
>>> iptables rules there are a set of default rules defined, and
>>> forwarding is set up for my virtual network. For the life of me I can
>>> not figure out where these rules are defined, and I would like to
>>> make some changes that I want to be permanent. Would anyone mind
>>> enlightening me as to where I can find the source of those rules?
>>>
>>> grep -RIil iptables /etc/* returns nothing.
>>
>> If You want to set Your own rules, You can write them to a file where You
>> want to hold it, then You can put a script w/ execution bit set in
>>
>> /etc/network/if-pre-up.d
>>
>> that will read those files.
>>
>> As soon as the interface comes up, Your rules will come up too (in case
>> they are correct - otherwise the defaults will be used).
>
> I haven't had very good luck putting iptables rules in
> /etc/network/if-pre-up.d while using network-manager. Last I read,
> there's a bug/feature in network-manager that ignores if-pre-up.d.
> Instead, I have to use the iptables-persistent package.

Out of the box, the NM dispatcher script runs scripts in if-up.d and
not in if-pre-up.d.

To the OP: AFAIK, if you set up a nat-based VM, libvirt/qemu'll set up
the rules that you're seeing. If they're in a grepable form, they'll
probably be under /usr.


Archive: http://lists.debian.org/CAOdo=sytwsvlni8-vta3hd9xsu3mnacb1xarxydeqexatby...@mail.gmail.com



Re: iptables and kvm

2013-01-25 Thread Sthu Deus
Good time of the day, Craig.


Please, do not write to me directly, but through the list.

You wrote:

> I'm afraid I wasn't clear in what I was asking for. I am fairly
> familiar with iptables and how to enable my own rules at start up. I
> am just curious to know where the existing rules came from. Something

Oh, I got it now. But I'm sorry, I do not know the answer to Your
question. :o)

If I had a newly installed system - I would search for the
answer in /etc/network dir. OR iptables package files.

> I installed created a set of rules for the virtual network, and I
> would like to know what caused that and what causes them to be
> enabled.
>
> $ sudo iptables -L -n --line-numbers
> Chain INPUT (policy ACCEPT)
> num  target     prot opt source               destination
> 1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
> 2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
> 3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
> 4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67
>
> Chain FORWARD (policy ACCEPT)
> num  target     prot opt source               destination
> 1    ACCEPT     all  --  0.0.0.0/0            192.168.221.0/24     state RELATED,ESTABLISHED
> 2    ACCEPT     all  --  192.168.221.0/24     0.0.0.0/0
> 3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> 4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
> 5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
>
> Chain OUTPUT (policy ACCEPT)
> num  target     prot opt source               destination

Wow. Interesting. It seems that the software that changes Your iptables
rules expects the machine to serve domain and boot requests. Maybe
You could check who listens (processes, and hence executables/packages, if
any) on those ports?


Sthu.


Archive: http://lists.debian.org/51038bea.652e700a.1b25.4...@mx.google.com



iptables and kvm

2013-01-24 Thread craig
I am running Debian Wheezy, and have installed kvm. When I list my iptables
rules there are a set of default rules defined, and forwarding is set up
for my virtual network. For the life of me I can not figure out where these
rules are defined, and I would like to make some changes that I want to be
permanent. Would anyone mind enlightening me as to where I can find the
source of those rules?


grep -RIil iptables /etc/* returns nothing.

Thanks,
Craig


Sent - Gtek Web Mail



Archive: http://lists.debian.org/1359054666.32117...@webmail.gtek.biz



Re: iptables and kvm

2013-01-24 Thread Sthu Deus
Good time of the day, Craig.


You wrote:

> I am running Debian Wheezy, and have installed kvm. When I list my
> iptables rules there are a set of default rules defined, and
> forwarding is set up for my virtual network. For the life of me I can
> not figure out where these rules are defined, and I would like to
> make some changes that I want to be permanent. Would anyone mind
> enlightening me as to where I can find the source of those rules?
>
>
> grep -RIil iptables /etc/* returns nothing.

If You want to set Your own rules, You can write them to a file where You
want to hold it, then You can put a script w/ execution bit set in

/etc/network/if-pre-up.d

that will read those files.

As soon as the interface comes up, Your rules will come up too (in case
they are correct - otherwise the defaults will be used).


Sthu.


Archive: http://lists.debian.org/51021e49.e684980a.513c.0...@mx.google.com