[CentOS] Host Machine and Iptables problem
Cbulist
cbulist at gmail.com
Tue May 1 06:45:50 UTC 2012
On 05/01/2012 01:27 AM, Barry Brimer wrote:
>> After that I stopped Iptables on the Host machine and I lost
>> external connectivity on my VMs.
>> The only way I found to make the VMs work again is restarting the
>> Host Machine. (Starting the Iptables service again on the Host didn't work)
>>
>> I'm using CentOS 6.2: 2.6.32-220.7.1.el6.x86_64
>> The host's iptables is the default, I didn't add anything.
>> Why is Iptables stopping the VMs' connectivity when I stop it?
>
> If you don't have NAT rules in your firewall .. internal VM traffic
> that is not bridged won't get NATed and therefore can't reach the
> parent network.
Thanks Barry,
Yes, I thought the same, but my confusion is that I don't see any
PREROUTING or POSTROUTING rules in the /etc/sysconfig/iptables file.
[root at VS01]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
But when I run iptables -L -t nat I can see the NAT rules:
[root at VS01]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24
MASQUERADE tcp -- 192.168.100.0/24 !192.168.100.0/24 masq ports: 1024-65535
MASQUERADE udp -- 192.168.100.0/24 !192.168.100.0/24 masq ports: 1024-65535
MASQUERADE all -- 192.168.100.0/24 !192.168.100.0/24
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Am I missing something?
Thanks!