[ILUG] libvirtd NAT iptable rules on fedora
Bailey, Darragh
dbailey at hp.com
Wed Nov 17 11:26:21 GMT 2010
> -----Original Message-----
> From: Mark McLoughlin [mailto:markmc at redhat.com]
> Sent: 16 November 2010 20:19
> To: Bailey, Darragh
> Cc: ilug at linux.ie
> Subject: Re: [ILUG] libvirtd NAT iptable rules on fedora
>
> Hi Darragh,
>
<snip>
> Yeah, the issue is that iptables has no mechanism by which libvirt can
> register its rules without overwriting user's custom rules.
Fedora 13 seems to have some hooks in place using system-config-firewall that allow specifying custom rule files to be included in the final iptables output. Avoids the need to go to a pure hand-crafted iptables file, and still be able to use the system tools without risk of undoing the custom user rules. Took me a while to figure out how to use it properly, it's not well advertised, but I'm surprised that libvirtd doesn't take advantage of it. Perhaps it's just a question of time.
<snip>
> Funky, I hadn't seen that before. The idea is to prevent the guest to
> use source ports < 1024 so that NAT-ed guests can't access remote NFS
> mounts configured with the "secure" option which authorizes clients
> based on their source port.
>
> See this patch and the bugzilla mentioned:
>
> https://www.redhat.com/archives/libvir-list/2010-July/msg00219.html
>
> Cheers,
> Mark.
Ah, cheers, didn't think of that. Still surprised that so many sources simply use these lines without any explanation as to their function.
--
Regards,
Darragh Bailey
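The check a practitioner would want after reading the above, as an added example that is not code from the list thread or from libvirt: an audit of an `iptables-save` dump that flags guest subnets whose MASQUERADE rule lets a NAT'd packet keep a source port below 1024, which is exactly what an NFS export with the "secure" option trusts. The sample dump is constructed for the example; the rule shape produced by `libvirt_nat_rules` (per-protocol `MASQUERADE --to-ports 1024-65535` followed by a catch-all) is assumed to match what the referenced libvirt patch installs.

```python
"""Audit iptables NAT rules for NAT'd guests that can source privileged ports.

NFS exports with the "secure" option trust clients whose requests come from a
source port < 1024.  A guest is root inside its own VM and can pick any source
port; if the host's MASQUERADE rule does not restrict the port it picks, the
translated packet keeps the low port and the export sees a "privileged" client.
Restricting the translated source port to 1024-65535 closes that hole.
"""
import re
from typing import Dict, List, Tuple

PRIVILEGED_PORT_MAX = 1023

# Constructed sample (not taken from a real host): virbr0's subnet has the
# per-protocol port restriction, the second subnet only has a bare MASQUERADE.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 10.10.10.0/24 ! -d 10.10.10.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
COMMIT
"""


def parse_masquerade_rules(dump: str) -> List[Dict]:
    """Extract POSTROUTING MASQUERADE rules from the *nat table of an iptables-save dump."""
    rules: List[Dict] = []
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
            continue
        if table != "nat" or not line.startswith("-A POSTROUTING") or " -j MASQUERADE" not in line:
            continue
        src = re.search(r"(?:^| )-s (\S+)", line)
        proto = re.search(r"(?:^| )-p (\S+)", line)
        ports = re.search(r"--to-ports (\d+)(?:-(\d+))?", line)
        rules.append({
            "source": src.group(1) if src else "0.0.0.0/0",
            "proto": proto.group(1) if proto else "all",
            # Without --to-ports the kernel keeps the guest's own source port when it can.
            "port_min": int(ports.group(1)) if ports else 1,
            "port_max": int(ports.group(2) or ports.group(1)) if ports else 65535,
            "rule": line,
        })
    return rules


def audit_privileged_source_ports(dump: str) -> List[Tuple[str, str]]:
    """Return (subnet, proto) pairs whose first-matching MASQUERADE rule can emit a source port < 1024."""
    rules = parse_masquerade_rules(dump)
    subnets: List[str] = []
    for r in rules:
        if r["source"] not in subnets:
            subnets.append(r["source"])
    findings: List[Tuple[str, str]] = []
    for subnet in subnets:
        for proto in ("tcp", "udp"):
            # iptables is first-match: the earliest rule covering this protocol decides,
            # so a bare MASQUERADE placed before the -p tcp rule would defeat the restriction.
            first = next((r for r in rules
                          if r["source"] == subnet and r["proto"] in (proto, "all")), None)
            if first is not None and first["port_min"] <= PRIVILEGED_PORT_MAX:
                findings.append((subnet, proto))
    return findings


def libvirt_nat_rules(subnet: str) -> List[str]:
    """Rule shape assumed to match libvirt's NAT setup: restricted TCP/UDP rules, then a catch-all."""
    base = f"-A POSTROUTING -s {subnet} ! -d {subnet}"
    return [
        f"{base} -p tcp -j MASQUERADE --to-ports 1024-65535",
        f"{base} -p udp -j MASQUERADE --to-ports 1024-65535",
        f"{base} -j MASQUERADE",
    ]


if __name__ == "__main__":
    for subnet, proto in audit_privileged_source_ports(SAMPLE_IPTABLES_SAVE):
        print(f"{subnet} {proto}: NAT'd guests may source ports < 1024 (NFS 'secure' bypass)")
```

To audit a real host, replace the constructed sample with the output of `iptables-save -t nat`. The order check matters as much as the presence of `--to-ports`: a catch-all `MASQUERADE` inserted ahead of the per-protocol rules (for instance by a hand-edited `/etc/sysconfig/iptables` that is loaded after libvirtd's rules) silently reopens the hole.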