<p>Running CentOS 6, I have noticed that libvirt will automatically configure iptables once a VM is using the built-in NAT, or "default", network. How do I modify the iptables rules without breaking libvirt's ability to configure these rules?</p>
<p>These are the firewall settings on a fresh install with no VMs using virbr0:</p>
<pre>
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged
2    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
</pre>
<p>And this is what I see after a reboot or once a VM uses the NAT:</p>
<pre>
Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    CHECKSUM   udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:68 CHECKSUM fill

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE tcp  --  192.168.122.0/24     !192.168.122.0/24    masq ports: 1024-65535
2    MASQUERADE udp  --  192.168.122.0/24     !192.168.122.0/24    masq ports: 1024-65535
3    MASQUERADE all  --  192.168.122.0/24     !192.168.122.0/24

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:67
5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
6    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
7    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
8    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
9    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED
2    ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
6    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged
7    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
</pre>
<p>My concern is that if I begin to add custom rules, it will break this setup. If I run "service iptables save" after adding a rule, iptables will then have saved this dynamic configuration. I assume it's dynamic because "/etc/sysconfig/iptables" does not reflect the second set of rules I pasted, but rather the first, even when the second set is showing as active.</p>
<p>Thanks<br>- Trey</p>
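<p>An added example, not part of Trey's post: a POSIX shell filter that splits an iptables-save dump into the rules libvirt adds for its "default" NAT network and the remaining static rules, so that only the static part is what gets persisted to /etc/sysconfig/iptables. The libvirt-detection heuristic (the 192.168.122.0/24 subnet, the virbr0 bridge, the DNS/DHCP port accepts and the CHECKSUM rule seen in the second listing) and the sample dump are assumptions constructed here, not anything libvirt itself marks.</p>

```shell
#!/bin/sh
# Added example (not from the original post). Heuristic, an assumption rather than
# a libvirt marker: a rule is treated as libvirt's if it references the default
# network's subnet 192.168.122.0/24 or bridge virbr0, is one of the DNS/DHCP
# (dpt 53/67/68) accepts, or is the CHECKSUM fill rule from the post's listing.
is_libvirt_rule() {
  case "$1" in
    *192.168.122.0/24*|*virbr0*)                         return 0 ;;
    *"--dport 53 -j ACCEPT"*|*"--dport 67 -j ACCEPT"*)   return 0 ;;
    *"--dport 68 -j CHECKSUM"*|*"--checksum-fill"*)      return 0 ;;
  esac
  return 1
}

# Reads iptables-save format on stdin and prints only the lines that are not
# libvirt's: table headers, chain policies and COMMIT lines are always kept.
strip_libvirt_rules() {
  while IFS= read -r line; do
    case "$line" in
      -A*) is_libvirt_rule "$line" || printf '%s\n' "$line" ;;
      *)   printf '%s\n' "$line" ;;
    esac
  done
}

# Constructed sample dump approximating the post's second rule set in
# iptables-save syntax (libvirt rules carry -i/-o virbr0 in that format).
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT'

# The static rule set that is safe to feed to "service iptables save" (or to
# write to /etc/sysconfig/iptables) without capturing libvirt's dynamic rules.
static_rules() { printf '%s\n' "$SAMPLE_DUMP" | strip_libvirt_rules; }

# Number of -A rules that survive the filter; on a live host replace SAMPLE_DUMP
# with the output of iptables-save.
count_static_rules() { static_rules | grep -c '^-A'; }
```
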