[CentOS] KVM host question about host firewall

Wed Jan 19 06:50:09 UTC 2011
Kwan Lowe <kwan.lowe at gmail.com>

On Wed, Jan 19, 2011 at 12:16 AM, Gordon Messmer <yinyang at eburg.com> wrote:
> On 01/18/2011 02:21 PM, Kwan Lowe wrote:
>>
>>     Yesterday I was troubleshooting an issue with a KVM host. I was
>> unable to access the DNS service on a KVM virtual machine. After
>> verifying that the vm allowed through the DNS ports (53 on UDP/TCP)
>> and still being unable to access, I was able to connect immediately
>> after allowing those ports on the KVM host.  Is there any way around
>> this?  The reason is that I would like to allow only SSH access to the
>> host, but allow other services to the virtual machines.
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Virtualization/sect-Virtualization-Network_Configuration-Bridged_networking_with_libvirt.html
>
> If you have your networking set up as Red Hat advises, the host's
> firewall will not affect guests.  Those systems will be responsible for
> their own firewalling.


Ahh.. The forward rule did it.  It now blocks everything but SSH to
the KVM host but allows to the virtuals.
From the doc:

# iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
# service iptables save
# service iptables restart

Thank you!
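The setup the thread converges on (host answers only SSH, bridged guest traffic passes the host's FORWARD chain untouched so each guest runs its own firewall) as a complete iptables-restore ruleset, with a small sanity check run before loading. This is an added example, not from the thread or the Red Hat document it links; the bridge name is left implicit, the SSH port (22) and the check function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal iptables-restore ruleset
# for a bridged KVM host. The host itself accepts only SSH (plus loopback,
# established replies and ping); frames bridged to the guests are accepted
# in FORWARD so the host does not filter guest services. The guests are then
# responsible for their own firewalling, as the reply in the thread says.
# SSH_PORT=22 is an assumption; override it in the environment if needed.

SSH_PORT="${SSH_PORT:-22}"

# Emit the ruleset on stdout; on the host, feed it to `iptables-restore`.
gen_host_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Host-bound traffic: loopback, replies to what the host started, SSH, ping.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport ${SSH_PORT} -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Bridged guest traffic: this is the rule the thread quotes from the doc.
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
COMMIT
EOF
}

# Sanity check on a ruleset read from stdin. Returns 0 only if bridged
# frames are accepted in FORWARD and no INPUT rule opens a port other than
# the SSH port; returns 1 otherwise. Run it before loading the rules.
check_host_rules() {
    rules=$(cat)
    printf '%s\n' "$rules" \
        | grep -q -- '-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT' \
        || return 1
    # Any INPUT rule with a --dport that is not the SSH port is a leak.
    if printf '%s\n' "$rules" | grep -- '-A INPUT' | grep -- '--dport' \
        | grep -Ev -- "--dport ${SSH_PORT}( |$)" >/dev/null; then
        return 1
    fi
    return 0
}

# Usage on the host (as root), after reviewing `gen_host_rules` output:
#   gen_host_rules | check_host_rules && gen_host_rules | iptables-restore
```

Two caveats worth knowing when applying this: the `physdev` match only sees bridged frames because the kernel passes them through iptables at all (the `net.bridge.bridge-nf-call-iptables` sysctl, enabled by default on these systems), so if that sysctl is set to 0 the FORWARD rule is simply never consulted and guest traffic bypasses the host firewall either way; and because the rule accepts every bridged frame, DNS or any other guest service is reachable exactly as far as the guest's own firewall allows, which is the behaviour the thread wanted.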