[CentOS-virt] iptables and kvm

Sat Jun 26 14:06:28 UTC 2010
Arun Khan <knura9 at gmail.com>

On Tue, Jun 22, 2010 at 7:02 PM, James B. Byrne <byrnejb at harte-lyne.ca> wrote:
> I am experimenting with a kvm virtual machine.  At the moment I am
> trying to configure iptables for the host instance.  In Xen
> terms I would call this Dom0 but I do not know the appropriate KVM
> term, if any.

There is no such Dom0 concept in KVM.  Each guest VM is
independent of the others on the same host.

> The setup I have is a single NIC (eth0) host bridged (bridge0).  I
> want iptables to allow all host generated traffic (! bridge0 I
> think) and to check all other traffic for brute force attempts
> coming in over the LAN.

When you define a bridge and bind it to eth0, it becomes the
"interface" for traffic to the host as well.

These are the rules I follow for my KVM guest VMs.

(1) With a bridge, you cannot assign an IP to the physical interface, in
your case eth0.
(2) The IP number of the "host" is assigned to the bridge instead.
(3) KVM setups need "tap" (tunctl) interfaces (for ethernet) to be bound to the
bridge interface, e.g. tap0.
(4) The VM guest sees a regular NIC (as emulated by the host VM
environment, e.g. rtl8139), which is bound to the "tap" interface on
the host OS.
The bridge being bound to the tap becomes the ethernet viaduct between
the guest VM and the rest of the world.
(5) Assign a static IP within the guest VM's eth0 and it becomes
visible to the rest of the world (provided you put the correct routing
table entries).

> I have the following rules in /etc/sysconfig/iptables:
> .  .  .
> -A GENERAL -m comment ! -i bridge0 -j ACCEPT
> .  .  .
> -A GENERAL -m comment -m state -i bridge0 --state NEW -j KNOCKD
> -A GENERAL -p tcp -m comment -m tcp -m multiport -m state -m recent
> -i bridge0 --state NEW --dports 20,21,22,23,110,143  --set --name
> IN_THROTTLE --rsource
> and so forth.  But when I reload the config file and do an iptables
> --list | grep bridge then I see nothing. I cannot discern what it is
> that I am doing wrong.  Obviously there is something about bridge0
> as an interface option that iptables does not like but it is not
> giving me any error message.
> What am I doing wrong and what is the correct way to accomplish this?

You may have to define the rules based on interfaces "bridge0" for
your host and "tap?" for your guest VMs.  Let us know if this does the
trick for you.

-- Arun Khan