Hmm, I had a similar issue but came to a different conclusion.
I had done a libvirt + ufw Lucid install and had some VMs working:
traffic from VMs to the outside world and replies would work, traffic
between VMs would work, etc. Basically things worked fine.
Then I wanted to map a host port to a VM port, that is, I wanted
connections from the host on port xyz to go to a VM on port 22 so that I
could SSH into a VM from the Internet despite the libvirt NATing on
virbr0. I followed the instructions from the ufw-framework man page
about Port Redirections, which call for editing the ufw-before-forward
rules.
Unfortunately, this wouldn't work, and I discovered that the FORWARD rules were
something like:
    target                      prot opt in      out     source             destination
    ACCEPT                      all  --  any     virbr0  anywhere           192.168.122.0/24   state RELATED,ESTABLISHED
    ACCEPT                      all  --  virbr0  any     192.168.122.0/24   anywhere
    ACCEPT                      all  --  virbr0  virbr0  anywhere           anywhere
    REJECT                      all  --  any     virbr0  anywhere           anywhere           reject-with icmp-port-unreachable
    REJECT                      all  --  virbr0  any     anywhere           anywhere           reject-with icmp-port-unreachable
    ufw-before-logging-forward  all  --  any     any     anywhere           anywhere
    ufw-before-forward          all  --  any     any     anywhere           anywhere
These "sanity check" rules sit at the very top to ensure that traffic for
192.168.122.0/24 doesn't come from anywhere other than virbr0. Obviously, in my
NATing case this wouldn't be true, since the traffic came in on eth0 for the
host IP but was NATed to the VM's IP.
I moved the ufw-before-logging-forward and ufw-before-forward calls
manually before the virbr0 rules, and things worked!
It would seem to me that the issue is with the libvirt-generated rules, which
are inserted before the ufw ones. This might depend on boot order.
--
UFW blocks libvirt bridged traffic
https://bugs.launchpad.net/bugs/573461
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
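The rule-order effect described in the message above, as an added example that is not part of the bug report and not code from ufw or libvirt: a small first-match evaluator for the FORWARD chain, written in Python rather than run against a live iptables, so it needs no root and no VMs. It takes the five libvirt rules as listed in the report and models the two ufw hook chains once after them (as found) and once before them (as the reporter's manual fix). The ufw-before-forward contents (a port-redirection ACCEPT in the style of ufw-framework(8) plus a RELATED,ESTABLISHED ACCEPT), the external interface name eth0, the VM address 192.168.122.10 and the sample packets are all assumptions made for the example; the FORWARD chain is shown post-DNAT, which is what the real FORWARD chain sees.

```python
# Added example (not from the bug report, ufw or libvirt): a toy first-match
# evaluator for the iptables FORWARD chain, used to show why rule order decides
# whether a DNATed connection from eth0 to a VM on virbr0 gets through.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str            # FORWARD sees the packet after PREROUTING DNAT, so this is the VM address
    proto: str
    dport: int
    state: str          # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass(frozen=True)
class Rule:
    target: str                               # ACCEPT, REJECT, DROP, RETURN or a user chain to jump to
    in_if: Optional[str] = None               # None means "any"
    out_if: Optional[str] = None
    src: Optional[str] = None                 # CIDR; None means "anywhere"
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[FrozenSet[str]] = None   # -m state --state ...

    def matches(self, p: Packet) -> bool:
        return all([
            self.in_if is None or self.in_if == p.in_if,
            self.out_if is None or self.out_if == p.out_if,
            self.src is None or ip_address(p.src) in ip_network(self.src),
            self.dst is None or ip_address(p.dst) in ip_network(self.dst),
            self.proto is None or self.proto == p.proto,
            self.dport is None or self.dport == p.dport,
            self.states is None or p.state in self.states,
        ])


TERMINAL = {"ACCEPT", "REJECT", "DROP"}


def walk(chains: Dict[str, List[Rule]], chain: str, p: Packet) -> str:
    """First matching rule wins; a user chain that runs out of rules RETURNs to its caller."""
    for rule in chains[chain]:
        if not rule.matches(p):
            continue
        if rule.target in TERMINAL or rule.target == "RETURN":
            return rule.target
        verdict = walk(chains, rule.target, p)     # -j <user chain>
        if verdict != "RETURN":
            return verdict
    return "RETURN"


def forward_verdict(chains: Dict[str, List[Rule]], p: Packet) -> str:
    """Falling off the end of FORWARD hits the chain policy, which ufw sets to DROP by default."""
    verdict = walk(chains, "FORWARD", p)
    return "DROP" if verdict == "RETURN" else verdict


# The libvirt rules exactly as listed in the report, in the same order.
LIBVIRT_RULES = [
    Rule("ACCEPT", out_if="virbr0", dst="192.168.122.0/24", states=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("ACCEPT", in_if="virbr0", src="192.168.122.0/24"),
    Rule("ACCEPT", in_if="virbr0", out_if="virbr0"),
    Rule("REJECT", out_if="virbr0"),
    Rule("REJECT", in_if="virbr0"),
]
UFW_HOOKS = [Rule("ufw-before-logging-forward"), Rule("ufw-before-forward")]


def build_chains(ufw_first: bool, vm_ip: str = "192.168.122.10") -> Dict[str, List[Rule]]:
    """FORWARD with the ufw hooks after the libvirt rules (as found) or before them (as fixed)."""
    return {
        "FORWARD": (UFW_HOOKS + LIBVIRT_RULES) if ufw_first else (LIBVIRT_RULES + UFW_HOOKS),
        "ufw-before-logging-forward": [],           # logging only, never decides
        "ufw-before-forward": [
            # Assumed port-redirection ACCEPT in the style of ufw-framework(8); eth0 and vm_ip are hypothetical.
            Rule("ACCEPT", in_if="eth0", out_if="virbr0", proto="tcp", dst=vm_ip + "/32", dport=22),
            Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
        ],
    }


# Constructed sample packets (203.0.113.0/24 is documentation address space).
SSH_TO_VM = Packet("eth0", "virbr0", "203.0.113.5", "192.168.122.10", "tcp", 22, "NEW")     # DNATed inbound SSH
VM_TO_NET = Packet("virbr0", "eth0", "192.168.122.10", "203.0.113.5", "tcp", 443, "NEW")    # VM going out
UNREDIRECTED = Packet("eth0", "virbr0", "203.0.113.5", "192.168.122.10", "tcp", 80, "NEW")  # no redirect for this port


def compare(p: Packet) -> Dict[str, str]:
    """Verdict for the same packet under both orderings of the FORWARD chain."""
    return {"libvirt_first": forward_verdict(build_chains(False), p),
            "ufw_first": forward_verdict(build_chains(True), p)}


if __name__ == "__main__":
    for name, pkt in [("ssh_to_vm", SSH_TO_VM), ("vm_to_net", VM_TO_NET), ("unredirected", UNREDIRECTED)]:
        print(name, compare(pkt))
```

With the libvirt rules first, the DNATed SSH packet (in eth0, out virbr0, state NEW) misses the RELATED,ESTABLISHED accept and is caught by the `REJECT ... any virbr0` rule before ufw-before-forward is ever consulted; with the ufw hooks first it is accepted by the redirection rule. The two other packets show that moving the hooks does not weaken the libvirt sanity checks: VM-originated traffic is still accepted by libvirt's own rule after ufw-before-forward returns without a match, and inbound traffic to a VM port that has no redirection still falls through to libvirt's REJECT.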