[ILUG] libvirtd NAT iptable rules on fedora
dbailey at hp.com
Wed Nov 17 11:26:21 GMT 2010
> -----Original Message-----
> From: Mark McLoughlin [mailto:markmc at redhat.com]
> Sent: 16 November 2010 20:19
> To: Bailey, Darragh
> Cc: ilug at linux.ie
> Subject: Re: [ILUG] libvirtd NAT iptable rules on fedora
> Hi Darragh,
> Yeah, the issue is that iptables has no mechanism by which libvirt can
> register its rules without overwriting user's custom rules.
Fedora 13 seems to have some hooks in place using system-config-firewall, that allows specifying of custom rule files to be included in the final iptables output. Avoids the need to go to a pure hand crafted iptables file, and still be able to use the system tools without risk of undoing the custom user rules. Took me a while to figure out how to use it properly, it's not well advertised, but I'm surprised that libvirtd doesn't take advantage of it. Perhaps it's just a question of time.
> Funky, I hadn't seen that before. The idea is to prevent the guest to
> use source ports < 1024 so that NAT-ed guests can't access remote NFS
> mounts configured with the "secure" option which authorizes clients
> based on their source port.
> See this patch and the bugzilla mentioned:
Ah, cheers, didn't think of that. Still surprised that so many sources simply use these lines without any explanation as to their function.
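As an added example (not part of the thread, and not libvirt's own code): the NAT rules Mark describes are libvirt's POSTROUTING MASQUERADE rules with `--to-ports 1024-65535` on the tcp and udp variants, so a NAT-ed guest can never appear on the outside with a privileged (< 1024) source port. The script below emits those rules for a subnet (assumed here to be libvirt's default 192.168.122.0/24) and audits an `iptables-save`-style nat-table excerpt for MASQUERADE rules that lack the restriction. The function names, the two constructed excerpts and the `audit` wrapper are my own.

```shell
#!/bin/sh
# Added example, not from the ILUG thread or libvirt. Emits libvirt-style
# NAT rules and checks that tcp/udp MASQUERADE rules for the guest subnet
# pin source ports to the unprivileged range, so NAT-ed guests cannot pass
# a remote service's "trust source ports < 1024" check (e.g. NFS "secure").

# Print the three POSTROUTING rules libvirt installs for a guest subnet.
# Subnet is a parameter; 192.168.122.0/24 (libvirt's default) is assumed.
nat_rules() {
    subnet="${1:-192.168.122.0/24}"
    printf '%s\n' \
      "-A POSTROUTING -s $subnet ! -d $subnet -p tcp -j MASQUERADE --to-ports 1024-65535" \
      "-A POSTROUTING -s $subnet ! -d $subnet -p udp -j MASQUERADE --to-ports 1024-65535" \
      "-A POSTROUTING -s $subnet ! -d $subnet -j MASQUERADE"
}

# Read iptables-save style nat-table lines on stdin. Return 0 when every
# tcp/udp MASQUERADE rule for the subnet carries --to-ports 1024-65535,
# 1 when at least one such rule lacks it (each offender is named on stderr).
check_ephemeral_only() {
    subnet="${1:-192.168.122.0/24}"
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *"-s $subnet"*MASQUERADE*)
                case "$line" in
                    *"-p tcp"*|*"-p udp"*)
                        case "$line" in
                            *"--to-ports 1024-65535"*) ;;
                            *) echo "unrestricted source ports: $line" >&2; bad=1 ;;
                        esac ;;
                esac ;;
        esac
    done
    return $bad
}

# Constructed iptables-save excerpts (not captured from a real host):
# GOOD_NAT matches libvirt's rules, BAD_NAT masquerades tcp without --to-ports.
GOOD_NAT='-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE'
BAD_NAT='-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535'

# Wrapper: feed an excerpt to the checker. 0 = rules ok, 1 = finding.
audit() {
    printf '%s\n' "$1" | check_ephemeral_only "${2:-192.168.122.0/24}"
}

# Stand-alone run: show the rules, then audit both excerpts.
main() {
    echo "# libvirt-style rules for 192.168.122.0/24:"
    nat_rules
    audit "$GOOD_NAT" && echo "GOOD_NAT: ok"
    audit "$BAD_NAT" || echo "BAD_NAT: finding reported (expected)"
}
main
```

On a live host the same check is `iptables-save -t nat | check_ephemeral_only 192.168.122.0/24`; a non-zero exit means a guest could reach the outside with a privileged source port through that rule.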