I am experimenting with a KVM virtual machine. At the moment I am trying to configure iptables for the host instance. In Xen terms I would call this Dom0 but I do not know the appropriate KVM term, if any.
The setup I have is a single NIC (eth0) host bridged (bridge0). I want iptables to allow all host generated traffic (! bridge0 I think) and to check all other traffic for brute force attempts coming in over the LAN.
I have the following rules in /etc/sysconfig/iptables:

    . . .
    -A GENERAL -m comment ! -i bridge0 -j ACCEPT
    . . .
    -A GENERAL -m comment -m state -i bridge0 --state NEW -j KNOCKD
    -A GENERAL -p tcp -m comment -m tcp -m multiport -m state -m recent -i bridge0 --state NEW --dports 20,21,22,23,110,143 --set --name IN_THROTTLE --rsource
and so forth. But when I reload the config file and do an iptables --list | grep bridge then I see nothing. I cannot discern what it is that I am doing wrong. Obviously there is something about bridge0 as an interface option that iptables does not like but it is not giving me any error message.
What am I doing wrong and what is the correct way to accomplish this?
On Tue, Jun 22, 2010 at 7:02 PM, James B. Byrne byrnejb@harte-lyne.ca wrote:
> I am experimenting with a KVM virtual machine. At the moment I am trying to configure iptables for the host instance. In Xen terms I would call this Dom0 but I do not know the appropriate KVM term, if any.
There is no such Dom0 concept in KVM. Each guest VM is independent of the others on the same host.
> The setup I have is a single NIC (eth0) host bridged (bridge0). I want iptables to allow all host generated traffic (! bridge0 I think) and to check all other traffic for brute force attempts coming in over the LAN.
When you define a bridge and bind it to eth0, it becomes the "interface" for traffic to the host as well.
These are the rules I follow for my KVM guest VMs.
(1) With a bridge, you cannot assign an IP to the physical interface, in your case eth0.
(2) The IP number of the "host" is assigned to the bridge instead.
(3) KVM setups need "tap" (tunctl) interfaces (for ethernet) to be bound to the bridge interface, e.g. tap0.
(4) The VM guest sees a regular NIC (as emulated by the host VM environment, e.g. rtl8139), which is bound to the "tap" interfaces on the host OS. The bridge being bound to the tap becomes the ethernet viaduct between the guest VM and the rest of the world.
(5) Assign a static IP within the guest VM's eth0 and it becomes visible to the rest of the world (provided you put the correct routing table entries).
> I have the following rules in /etc/sysconfig/iptables:
>
>     . . .
>     -A GENERAL -m comment ! -i bridge0 -j ACCEPT
>     . . .
>     -A GENERAL -m comment -m state -i bridge0 --state NEW -j KNOCKD
>     -A GENERAL -p tcp -m comment -m tcp -m multiport -m state -m recent -i bridge0 --state NEW --dports 20,21,22,23,110,143 --set --name IN_THROTTLE --rsource
> and so forth. But when I reload the config file and do an iptables --list | grep bridge then I see nothing. I cannot discern what it is that I am doing wrong. Obviously there is something about bridge0 as an interface option that iptables does not like but it is not giving me any error message.
> What am I doing wrong and what is the correct way to accomplish this?
You may have to define the rules based on interfaces "bridge0" for your host and "tap?" for your guest VMs. Let us know if this does the trick for you.
-- Arun Khan
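As an added example (not code from either poster) of checking what the rules in the question actually restrict, here is a small Python parser for the iptables-save syntax used above, including the leading `!` negation on `-i`, plus a matcher that reports which rules a constructed packet summary would hit. The rule text and packet dicts are constructed from the question; the match semantics are a deliberate simplification covering only the interface, protocol, state and multiport options that appear there.

```python
# Added example, not from the thread: parse iptables-save style rules and match packets.
import shlex

# Constructed input: the three rules quoted in the question, one per line.
RULES_TEXT = """
-A GENERAL -m comment ! -i bridge0 -j ACCEPT
-A GENERAL -m comment -m state -i bridge0 --state NEW -j KNOCKD
-A GENERAL -p tcp -m comment -m tcp -m multiport -m state -m recent -i bridge0 --state NEW --dports 20,21,22,23,110,143 --set --name IN_THROTTLE --rsource
"""

def parse_rule(line):
    """Extract the match-relevant options of one rule into a dict."""
    toks = shlex.split(line)
    rule = {"chain": None, "target": None, "in": None, "in_neg": False,
            "proto": None, "states": None, "dports": None}
    i = 0
    while i < len(toks):
        neg = toks[i] == "!"          # iptables-save writes '!' before the option
        if neg:
            i += 1
        opt = toks[i]
        if opt == "-A":
            rule["chain"] = toks[i + 1]
        elif opt == "-j":
            rule["target"] = toks[i + 1]
        elif opt == "-i":
            rule["in"], rule["in_neg"] = toks[i + 1], neg
        elif opt == "-p":
            rule["proto"] = toks[i + 1]
        elif opt == "--state":
            rule["states"] = set(toks[i + 1].split(","))
        elif opt == "--dports":
            rule["dports"] = {int(p) for p in toks[i + 1].split(",")}
        elif opt in ("--set", "--rsource"):   # recent-module flags with no value
            i += 1
            continue
        i += 2                        # skip option and its value (-m, --name, ...)
    return rule

def rule_matches(rule, pkt):
    """pkt is a constructed summary dict: in, proto, dport, state."""
    if rule["in"] and (pkt["in"] == rule["in"]) == rule["in_neg"]:
        return False                  # '! -i X' matches anything except X
    return ((not rule["proto"] or pkt.get("proto") == rule["proto"])
            and (not rule["states"] or pkt.get("state") in rule["states"])
            and (not rule["dports"] or pkt.get("dport") in rule["dports"]))

def matching_rules(rules_text, pkt):
    rules = [parse_rule(l) for l in rules_text.strip().splitlines()]
    return [i for i, r in enumerate(rules) if rule_matches(r, pkt)]
```

Separately, `iptables --list` without `-v` prints no in/out interface columns, so grepping its output for bridge0 finds nothing even when the rules did load; `iptables -nvL GENERAL` shows the interface columns.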