[CentOS] Host Machine and Iptables problem

Tue May 1 13:02:48 UTC 2012
Cbulist <cbulist at gmail.com>

>> Thanks Barry,
>>
>> Yes, I thought the same but my confusion is that I don't see any rules
>> of PREROUTING and POSTROUTING in the /etc/sysconfig/iptables file.
>>
>> [root@VS01]# cat /etc/sysconfig/iptables
>> # Firewall configuration written by system-config-firewall
>> # Manual customization of this file is not recommended.
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A INPUT -p icmp -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
>> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
>> -A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
>> -A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT
>> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>> COMMIT
>>
>>
>> But when I check the command iptables -L -t nat I can see the NAT rules
>>
>> [root@VS01]# iptables -L -t nat
>> Chain PREROUTING (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain POSTROUTING (policy ACCEPT)
>> target     prot opt source               destination
>> MASQUERADE  tcp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
>> MASQUERADE  udp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
>> MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24
>> MASQUERADE  tcp  --  192.168.100.0/24    !192.168.100.0/24    masq ports: 1024-65535
>> MASQUERADE  udp  --  192.168.100.0/24    !192.168.100.0/24    masq ports: 1024-65535
>> MASQUERADE  all  --  192.168.100.0/24    !192.168.100.0/24
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> am I missing something?
>>
> It is possible that the VM hypervisor (you failed to say which one) is
> adding iptables rules at runtime, only while a VM guest is running. When
> you stop iptables, those rules are purged, and after the restart of the
> iptables service it does not have the necessary rules.
>
> Compare /etc/sysconfig/iptables while all works and after you stop iptables.
> You can also try restarting VM guests and even VM hypervisor.
>
>
Hi Ljubomir,

Thanks for your help.
The hypervisor is KVM. The iptables file before and after stopping iptables is 
exactly the same.
Restarting the VM after running `service iptables start` didn't work. The 
only way is restarting the host machine... any idea?

Thanks in advance!
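As an added check, not part of the thread: a small script that shows which MASQUERADE rules for a guest subnet exist in the live nat table but are absent from the saved file, which is exactly the set that `service iptables restart` will not bring back. The two dumps are constructed from the thread's own output; the exact rule text libvirt writes for KVM networks (`--to-ports 1024-65535`) is an assumption.

```shell
#!/bin/sh
# Added example: compare the runtime nat table with /etc/sysconfig/iptables
# to find the libvirt-installed MASQUERADE rules that a restart of the
# iptables service will drop.

# Constructed sample of `iptables-save -t nat` while the guests work
# (thread's subnet; rule form as libvirt is assumed to write it).
LIVE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT'

# Constructed sample of the saved file: only a *filter table, as in the thread.
SAVED_FILE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# masq_rules TEXT SUBNET: print the MASQUERADE rules for SUBNET that sit in
# the *nat table of an iptables-save style dump (other tables are skipped).
masq_rules() {
    printf '%s\n' "$1" | awk -v net="$2" '
        /^\*/      { table = substr($0, 2) }
        /^COMMIT/  { table = "" }
        table == "nat" && /-j MASQUERADE/ && index($0, "-s " net) { print }'
}

# count_masq TEXT SUBNET: number of such rules (0 when no nat table exists).
count_masq() {
    masq_rules "$1" "$2" | wc -l | tr -d ' '
}

# missing_after_restart SUBNET: rules present live but not in the saved file.
missing_after_restart() {
    masq_rules "$LIVE_NAT" "$1" | while IFS= read -r rule; do
        printf '%s\n' "$SAVED_FILE" | grep -qxF -- "$rule" || printf '%s\n' "$rule"
    done
}

# On a real host: LIVE_NAT=$(iptables-save -t nat); SAVED_FILE=$(cat /etc/sysconfig/iptables)
```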