[CentOS] iptables drop on virtual host

Fri Apr 27 22:41:03 UTC 2012
Bob Hoffman <bob at bobhoffman.com>

On 4/27/2012 5:05 PM, Bob Hoffman wrote:
> dropping IPs by host machine, protecting the vms.
> would something like this work
>
> -A PREROUTING -s 66.77.65.128/26 -j DROP
>
>
> or would my server die upon testing it...lol
>
Okay, after about 400 attempts and an hour or so of reading, I find 
that Red Hat auto-disables the ability to use the host iptables rules to 
protect the virtual machines.

# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

Not sure which would be turned on, the bottom two or just the middle:

net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1

There is a lot of talk about making this change but no real talk of any security or performance issues.
I imagine with multiple bridges this could be an issue, but my machine is just a host with one bridge going to
all the VMs...

But is it safe to change this? It seems like until RHEL 6 it was set on by default.

Anyone got a clue on the dangers or issues of this?
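As an added example (not part of the list thread, not Red Hat's code): a small POSIX shell script that checks whether the running kernel is passing bridged frames through iptables, rewrites the three bridge-nf-call-* lines from the post to the wanted values, and prints the iptables rules that actually protect bridged VMs. Two points it encodes: bridged traffic traverses the FORWARD chain, not INPUT, and the filter table has no PREROUTING chain, so the `-A PREROUTING -s 66.77.65.128/26 -j DROP` rule from the post would need `-t raw` or, better, go in FORWARD; and the stock CentOS 6 ruleset ends FORWARD with `-j REJECT --reject-with icmp-host-prohibited`, so turning on bridge-nf-call-iptables without first adding a physdev ACCEPT cuts every VM off. The sysctl.conf sample is constructed from the lines in the post; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the CentOS mailing-list thread.
# Audit and correct the bridge-netfilter sysctls, then emit the FORWARD rules
# that drop one subnet for bridged VMs while keeping the rest of their traffic
# flowing past the stock REJECT at the end of FORWARD.
set -u

# Report whether the kernel currently sends bridged IPv4 frames through iptables.
# Returns 0 = on, 1 = off, 2 = bridge module not loaded (sysctl file absent).
# An alternative path may be given as $1 (used for testing without root).
bridge_nf_state() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "1" ]
}

# Constructed sample of the block RHEL/CentOS 6 ships in /etc/sysctl.conf
# (the three lines quoted in the post, all set to 0).
sample_sysctl_conf() {
    cat <<'EOF'
# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
EOF
}

# Rewrite a sysctl.conf-style file read from stdin so the three bridge keys
# carry the wanted values; every other line is passed through untouched and
# missing keys are appended. Arguments: iptables ip6tables arptables (0 or 1).
# Enable ip6tables only if the host carries IPv6 rules, and arptables only if
# arptables rules exist; an enabled hook with an empty ruleset costs a table
# walk per frame and filters nothing.
render_bridge_sysctl() {
    awk -v ip4="$1" -v ip6="$2" -v arp="$3" '
        /^[ \t]*net\.bridge\.bridge-nf-call-iptables[ \t]*=/  { print "net.bridge.bridge-nf-call-iptables = " ip4;  s4 = 1; next }
        /^[ \t]*net\.bridge\.bridge-nf-call-ip6tables[ \t]*=/ { print "net.bridge.bridge-nf-call-ip6tables = " ip6; s6 = 1; next }
        /^[ \t]*net\.bridge\.bridge-nf-call-arptables[ \t]*=/ { print "net.bridge.bridge-nf-call-arptables = " arp; sa = 1; next }
        { print }
        END {
            if (!s4) print "net.bridge.bridge-nf-call-iptables = " ip4
            if (!s6) print "net.bridge.bridge-nf-call-ip6tables = " ip6
            if (!sa) print "net.bridge.bridge-nf-call-arptables = " arp
        }'
}

# Print the iptables commands for dropping a source subnet on bridged traffic.
# Bridged frames traverse FORWARD (not INPUT), and the filter table has no
# PREROUTING chain, so the rule belongs in FORWARD. Both rules are inserted at
# the top: the DROP lands first, the physdev ACCEPT right behind it, so the
# stock "-A FORWARD -j REJECT" at the end of the chain no longer cuts the VMs
# off once bridge-nf-call-iptables is switched on.
bridged_drop_rules() {
    subnet="$1"
    printf '%s\n' \
        "iptables -I FORWARD 1 -m physdev --physdev-is-bridged -j ACCEPT" \
        "iptables -I FORWARD 1 -m physdev --physdev-is-bridged -s $subnet -j DROP"
}

# Stand-alone run: show the corrected sysctl block and the rules to apply.
# Nothing here changes the system; pipe the rules to sh once reviewed.
echo "# corrected sysctl.conf fragment (iptables on, ip6tables/arptables off):"
sample_sysctl_conf | render_bridge_sysctl 1 0 0
echo "# rules to apply (run as root, then 'sysctl -p' to load the sysctls):"
bridged_drop_rules 66.77.65.128/26
rc=0
bridge_nf_state || rc=$?
case "$rc" in
    0) echo "# bridge-nf-call-iptables is currently ON" ;;
    1) echo "# bridge-nf-call-iptables is currently OFF" ;;
    *) echo "# bridge module not loaded; sysctl file absent" ;;
esac
```

After `sysctl -p`, confirm with `cat /proc/sys/net/bridge/bridge-nf-call-iptables` and watch `iptables -L FORWARD -v` counters climb on the physdev rules while the VMs still answer pings; if the counters stay at zero the bridge module was not loaded when the sysctls were set and they silently did not apply.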