[CentOS] Host Machine and Iptables problem

Tue May 1 13:46:10 UTC 2012
Tait Clarridge <tait at taiter.com>


On Tue, 2012-05-01 at 02:08 -0500, Cbulist wrote:
> On 05/01/2012 02:03 AM, Barry Brimer wrote:
> >> Yes, I thought the same but my confusion is that I don't see any rules of
> >> PREROUTING and POSTROUTING in the /etc/sysconfig/iptables file.
> >>
> >> [root at VS01]# cat /etc/sysconfig/iptables
> >> # Firewall configuration written by system-config-firewall
> >> # Manual customization of this file is not recommended.
> >> *filter
> >> :INPUT ACCEPT [0:0]
> >> :FORWARD ACCEPT [0:0]
> >> :OUTPUT ACCEPT [0:0]
> >> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >> -A INPUT -p icmp -j ACCEPT
> >> -A INPUT -i lo -j ACCEPT
> >> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> >> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
> >> -A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
> >> -A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT
> >> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
> >> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> >> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> >> COMMIT
> >>
> >>
> >> But when I check the command iptables -L -t nat I can see the NAT rules
> >>
> >> [root at VS01]# iptables -L -t nat
> >> Chain PREROUTING (policy ACCEPT)
> >> target     prot opt source               destination
> >>
> >> Chain POSTROUTING (policy ACCEPT)
> >> target     prot opt source               destination
> >> MASQUERADE  tcp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
> >> MASQUERADE  udp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
> >> MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24
> >> MASQUERADE  tcp  --  192.168.100.0/24    !192.168.100.0/24    masq ports: 1024-65535
> >> MASQUERADE  udp  --  192.168.100.0/24    !192.168.100.0/24    masq ports: 1024-65535
> >> MASQUERADE  all  --  192.168.100.0/24    !192.168.100.0/24
> >>
> >> Chain OUTPUT (policy ACCEPT)
> >> target     prot opt source               destination
> >>
> >> Am I missing something?
> > Maybe .. do you have IPv4 forwarding enabled?  What is the output of
> > "cat /proc/sys/net/ipv4/ip_forward" ?? If it is 0, then edit
> > /etc/sysctl.conf .. find net.ipv4.ip_forward .. set it to 1 and then run
> > (as root) sysctl -p
> >
> On the host machine, ip_forward is 1.

If you restart libvirtd, it should add the iptables rules you are missing.
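Added example, not from any poster in this thread: a small POSIX shell check for the two conditions the thread goes through. The nat-table MASQUERADE rules shown above are not in /etc/sysconfig/iptables because libvirtd inserts them at daemon start, so `service iptables restart` drops them and only a libvirtd restart puts them back. The script parses `iptables-save` text for the catch-all MASQUERADE rule of a libvirt NAT network and reads ip_forward from a file. The two rulesets embedded in it are constructed to mirror the thread's output (before and after an iptables restart); the function names `has_libvirt_masq`, `forwarding_enabled` and `nat_status` are mine, and the script only reads the live nat table when run as root with iptables-save available, otherwise it falls back to the constructed sample.

```shell
#!/bin/sh
# Added example: detect missing libvirt NAT rules and disabled forwarding.
# The two rulesets below are constructed samples, not captured from a host.

# What `iptables-save -t nat` looks like after libvirtd has set up the
# default NAT network (192.168.122.0/24). Constructed to match the thread.
SAMPLE_NAT_WITH_LIBVIRT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT'

# Same table after `service iptables restart`: only what /etc/sysconfig/iptables
# defines survives, and that file has no *nat section at all. Constructed.
SAMPLE_NAT_AFTER_RESTART='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# has_libvirt_masq RULESET SUBNET
# Returns 0 when RULESET holds the catch-all POSTROUTING MASQUERADE rule
# libvirtd adds for SUBNET, 1 otherwise. Fixed-string match, so the
# protocol-specific tcp/udp variants do not count on their own.
has_libvirt_masq() {
    printf '%s\n' "$1" | grep -qF -- "-A POSTROUTING -s $2 ! -d $2 -j MASQUERADE"
}

# forwarding_enabled FILE
# Returns 0 when FILE (normally /proc/sys/net/ipv4/ip_forward) contains 1.
forwarding_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# nat_status RULESET SUBNET IP_FORWARD_FILE
# Prints exactly one of: ok, no-forwarding, no-masquerade.
nat_status() {
    if ! forwarding_enabled "$3"; then
        echo no-forwarding
    elif ! has_libvirt_masq "$1" "$2"; then
        echo no-masquerade
    else
        echo ok
    fi
}

# Use the live nat table only when we can actually read it; otherwise run
# against the constructed "after restart" sample so the script works offline.
if [ "$(id -u)" = 0 ] && command -v iptables-save >/dev/null 2>&1; then
    LIVE=$(iptables-save -t nat 2>/dev/null)
else
    LIVE=$SAMPLE_NAT_AFTER_RESTART
fi

case $(nat_status "$LIVE" 192.168.122.0/24 /proc/sys/net/ipv4/ip_forward) in
    ok)            echo "libvirt NAT rules present and IPv4 forwarding on" ;;
    no-forwarding) echo "set net.ipv4.ip_forward = 1 in /etc/sysctl.conf, then run sysctl -p" ;;
    no-masquerade) echo "libvirt nat rules missing: restart libvirtd to re-add them" ;;
esac
```

Run it as root on the host to check the live table; as an ordinary user it exercises the constructed "after restart" sample and reports the missing rules. If you keep system-config-firewall's file and need the NAT rules to survive an iptables restart, restarting libvirtd afterwards is the fix the reply above gives; the filter-table rules libvirtd adds for the virbr interfaces come back with it as well.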