Hi All,

I noticed that if I turn on the libvirtd service via chkconfig it ends up breaking my iptables by adding duplicated rules.

For you to have an idea, here's the output of iptables-save -c after a reboot with libvirtd off:

    # Generated by iptables-save v1.4.5 on Mon Jan 25 19:34:39 2010
    *nat
    :PREROUTING ACCEPT [21:7584]
    :POSTROUTING ACCEPT [21:1673]
    :OUTPUT ACCEPT [21:1673]
    [0:0] -A PREROUTING -d 192.168.0.6/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.122.118
    [0:0] -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
    COMMIT
    # Completed on Mon Jan 25 19:34:39 2010
    # Generated by iptables-save v1.4.5 on Mon Jan 25 19:34:39 2010
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [105:11066]
    [0:0] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
    [0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
    [0:0] -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
    [0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
    [0:0] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
    [0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
    [0:0] -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
    [0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
    [0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 80 -j ACCEPT
    [0:0] -A INPUT -i wlan0 -p tcp -m tcp --dport 80 -j ACCEPT
    [41:23909] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    [0:0] -A INPUT -p icmp -j ACCEPT
    [2:120] -A INPUT -i lo -j ACCEPT
    [0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    [0:0] -A INPUT -p tcp -m tcp --dport 11201 -j ACCEPT
    [0:0] -A INPUT -p udp -m udp --dport 11201 -j ACCEPT
    [36:6884] -A INPUT -j REJECT --reject-with icmp-host-prohibited
    [0:0] -A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    [0:0] -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
    [0:0] -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
    [0:0] -A FORWARD -i wlan0 -o virbr0 -p tcp -m tcp --dport 80 -j ACCEPT
    [0:0] -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
    [0:0] -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
    [0:0] -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    # Completed on Mon Jan 25 19:34:39 2010

and this is the output of the same command after a reboot with libvirtd on:

    # Generated by iptables-save v1.4.5 on Mon Jan 25 19:46:03 2010
    *nat
    :PREROUTING ACCEPT [6:965]
    :POSTROUTING ACCEPT [50:3703]
    :OUTPUT ACCEPT [52:4038]
    [0:0] -A PREROUTING -d 192.168.0.6/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.122.118
    [1:295] -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
    [1:40] -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
    COMMIT
    # Completed on Mon Jan 25 19:46:03 2010
    # Generated by iptables-save v1.4.5 on Mon Jan 25 19:46:03 2010
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [338:37036]
    [1:74] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
    [0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
    [1:328] -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
    [0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
    [0:0] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
    [0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
    [0:0] -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
    [0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
    [0:0] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
    [0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
    [0:0] -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
    [0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
    [0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 80 -j ACCEPT
    [0:0] -A INPUT -i wlan0 -p tcp -m tcp --dport 80 -j ACCEPT
    [190:99034] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    [0:0] -A INPUT -p icmp -j ACCEPT
    [2:120] -A INPUT -i lo -j ACCEPT
    [0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    [0:0] -A INPUT -p tcp -m tcp --dport 11201 -j ACCEPT
    [0:0] -A INPUT -p udp -m udp --dport 11201 -j ACCEPT
    [78:13517] -A INPUT -j REJECT --reject-with icmp-host-prohibited
    [0:0] -A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    [0:0] -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
    [0:0] -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
    [0:0] -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
    [0:0] -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
    [0:0] -A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    [0:0] -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
    [0:0] -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
    [0:0] -A FORWARD -i wlan0 -o virbr0 -p tcp -m tcp --dport 80 -j ACCEPT
    [0:0] -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
    [0:0] -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
    [0:0] -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    # Completed on Mon Jan 25 19:46:03 2010

As you can see, when the libvirtd daemon is up I end up with a number of duplicated entries... This is the content of /etc/sysconfig/iptables in both cases:

    # Generated by iptables-save v1.4.5 on Thu Jan 21 19:54:46 2010
    *nat
    :PREROUTING ACCEPT [24306:3491836]
    :POSTROUTING ACCEPT [17614:1213585]
    :OUTPUT ACCEPT [16779:1092505]
    -A PREROUTING -d 192.168.0.6/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.122.118
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
    COMMIT
    # Completed on Thu Jan 21 19:54:46 2010
    # Generated by iptables-save v1.4.5 on Thu Jan 21 19:54:46 2010
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [544711:383016639]
    -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
    -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
    -A INPUT -i virbr0 -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -i wlan0 -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 11201 -j ACCEPT
    -A INPUT -p udp -m udp --dport 11201 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
    -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
    -A FORWARD -i wlan0 -o virbr0 -p tcp -m tcp --dport 80 -j ACCEPT
    -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    # Completed on Thu Jan 21 19:54:46 2010

Has anyone experienced this? Is there another file that libvirtd uses to manipulate iptables?

Thanks in advance,
Daniel
_______________________________________________ virt mailing list [email protected] https://admin.fedoraproject.org/mailman/listinfo/virt
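Editor's note on the captures above. The rules for UDP/TCP 53 and 67 on virbr0, the virbr0 FORWARD accept/reject set and the 192.168.122.0/24 MASQUERADE rule are the ones libvirt itself creates for its default NAT network when that network starts, and libvirt inserts them at the head of the chain, which is consistent with their position in the "libvirtd on" capture. Once they have also been saved into /etc/sysconfig/iptables they get loaded twice. The duplication is not only cosmetic: in the "on" capture libvirt's `-A FORWARD -o virbr0 -j REJECT` sits above the admin's `-A FORWARD -i wlan0 -o virbr0 -p tcp --dport 80 -j ACCEPT`, so a new connection DNATed to 192.168.122.118:80 is rejected before it reaches the ACCEPT rule, whereas in the "off" capture the ACCEPT comes first. The script below is an added example, not code from the post or from libvirt/Fedora; the function names `find_dupes` and `dedupe_rules` and the sample ruleset (constructed, modelled on the post) are my own. It reads iptables-save output (with or without `-c` counters), reports rules that occur more than once within a table, and emits a cleaned ruleset that keeps the first occurrence of each rule.

```shell
#!/bin/sh
# Constructed sample in iptables-save -c format, modelled on the post's
# "libvirtd on" capture (not a real capture): MASQUERADE twice, UDP 53 three times.
SAMPLE='# Generated by iptables-save v1.4.5
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A PREROUTING -d 192.168.0.6/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.122.118
[1:295] -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
[1:40] -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[1:74] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
[78:13517] -A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# find_dupes: read iptables-save (plain or -c) output on stdin and print every
# rule that appears more than once within the same table, as "<count>x <table> <rule>".
find_dupes() {
    awk '
        /^\*/ { table = substr($0, 2); next }            # "*nat", "*filter", ...
        /^-A / || /^\[[0-9]+:[0-9]+\] -A / {
            rule = $0
            sub(/^\[[0-9]+:[0-9]+\] /, "", rule)         # drop "[pkts:bytes] " from -c output
            key = table " " rule
            if (++count[key] == 1) order[++n] = key      # remember first-seen order
            next
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1)
                    print count[order[i]] "x " order[i]
        }'
}

# dedupe_rules: read iptables-save output on stdin and emit a ruleset suitable for
# iptables-restore: counters stripped, first occurrence of each rule per table kept,
# table/chain/COMMIT/comment lines passed through unchanged.
dedupe_rules() {
    awk '
        /^\*/ { table = substr($0, 2); print; next }
        /^-A / || /^\[[0-9]+:[0-9]+\] -A / {
            rule = $0
            sub(/^\[[0-9]+:[0-9]+\] /, "", rule)
            if (seen[table SUBSEP rule]++) next          # already emitted in this table
            print rule
            next
        }
        { print }'
}

# Stand-alone run: report duplicates in the sample.
# On a live host: iptables-save -c | find_dupes
printf '%s\n' "$SAMPLE" | find_dupes
```

`dedupe_rules` only removes exact repeats; it does not reorder anything, so it does not fix the shadowing described above. Since libvirt re-inserts its own virbr0 and MASQUERADE rules each time the default network starts, the durable fix is to keep only your own rules in /etc/sysconfig/iptables (remove libvirt's from the saved file by hand) rather than to save a deduplicated copy of the live table, and to run `find_dupes` against `iptables-save -c` after the next reboot to confirm nothing is loaded twice.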
