[Users] Network firewall doubts on allinone setup

First I describe my firewall setup:

Default firewall content ( /etc/sysconfig/iptables )
----------------------------------
# Generated by ovirt-engine installer
#filtering rules
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [52:9697]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5900 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5901 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 81 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 444 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 32803 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 32769 -j ACCEPT
#drop all rule
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

/etc/libvirt/qemu/networks/honly0200.xml
-------------------------------------------------------
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh net-edit honly0200
or other application using the libvirt API.
-->
<network>
  <name>honly0200</name>
  <uuid>09697e5f-e834-8f26-c55e-5866cb1abafc</uuid>
  <forward mode='nat'/>
  <bridge name='honly0200' stp='on' delay='0' />
  <mac address='52:54:00:41:16:38'/>
  <ip address='192.168.2.1' netmask='255.255.255.248'>
  </ip>
</network>
-----------------------------------------------

So if I run:

  service iptables restart

then:

  iptables -L -v --line-numbers

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target               prot opt in   out  source     destination
1      504  153K RH-Firewall-1-INPUT  all  --  any  any  anywhere   anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target               prot opt in   out  source     destination
1        0     0 RH-Firewall-1-INPUT  all  --  any  any  anywhere   anywhere

Chain OUTPUT (policy ACCEPT 478 packets, 159K bytes)
num   pkts bytes target               prot opt in   out  source     destination

Chain RH-Firewall-1-INPUT (2 references)
num   pkts bytes target  prot opt in   out  source     destination
1      374  132K ACCEPT  all  --  lo   any  anywhere   anywhere
2        0     0 ACCEPT  icmp --  any  any  anywhere   anywhere   icmp any
3      120 19824 ACCEPT  all  --  any  any  anywhere   anywhere   state RELATED,ESTABLISHED
4        0     0 ACCEPT  tcp  --  any  any  anywhere   anywhere   state NEW tcp dpt:ssh
5        0     0 ACCEPT  tcp  --  any  any  anywhere   anywhere   state NEW tcp dpt:rfb
6        0     0 ACCEPT  tcp  --  any  any  anywhere   anywhere   state NEW tcp dpt:5901
7        0     0 ACCEPT  tcp  --  any  any  anywhere   anywhere   state NEW tcp dpt:81
8        8   480 ACCEPT  tcp  --  any  any  anywhere   anywhere   state NEW tcp dpt:snpp
9        0     0 ACCEPT  udp  --  any  any  anywhere   anywhere   state NEW udp dpt:sunrpc
10       0     0 ACCEPT  tcp  --  any  any  anywhere   anywhere   state NEW tcp dpt:sunrpc
11       0     0 ACCEPT  udp  --  any  any  anywhere   anywhere   state NEW udp dpt:892
12       0     0 ACCEPT  tcp  --  any  any  anywhere   anywhere   state NEW tcp dpt:892
13       0     0 ACCEPT  udp  --  any  any  anywhere   anywhere   state NEW udp dpt:rquotad
14       0     0 ACCEPT  tcp  --  any  any  anywhere   anywhere   state NEW tcp dpt:rquotad
15       0     0 ACCEPT  udp  --  any  any  anywhere   anywhere   state NEW udp dpt:pftp
16       0     0 ACCEPT  tcp  --  any  any  anywhere   anywhere   state NEW tcp dpt:pftp
17       0     0 ACCEPT  tcp  --  any  any  anywhere   anywhere   state NEW tcp dpt:nfs
18       0     0 ACCEPT  tcp  --  any  any  anywhere   anywhere   state NEW tcp dpt:32803
19       0     0 ACCEPT  udp  --  any  any  anywhere   anywhere   state NEW udp dpt:filenet-rpc
20       2    80 REJECT  all  --  any  any  anywhere   anywhere   reject-with icmp-host-prohibited

And I also get:

  iptables -L -v --line-numbers -t nat

Chain PREROUTING (policy ACCEPT 3021 packets, 300K bytes)
num   pkts bytes target  prot opt in    out  source     destination
1        0     0 DNAT    tcp  --  eth0  any  anywhere   anywhere   tcp dpt:50202 to:192.168.2.2:22
2        0     0 DNAT    udp  --  eth0  any  anywhere   anywhere   udp dpt:50202 to:192.168.2.2:22

Chain INPUT (policy ACCEPT 1296 packets, 78884 bytes)
num   pkts bytes target  prot opt in    out  source     destination

Chain OUTPUT (policy ACCEPT 2833 packets, 442K bytes)
num   pkts bytes target  prot opt in    out  source     destination

Chain POSTROUTING (policy ACCEPT 2833 packets, 442K bytes)
num   pkts bytes target      prot opt in   out  source          destination
1        0     0 MASQUERADE  tcp  --  any  any  192.168.2.0/29  !192.168.2.0/29  masq ports: 1024-65535
2        0     0 MASQUERADE  udp  --  any  any  192.168.2.0/29  !192.168.2.0/29  masq ports: 1024-65535
3        0     0 MASQUERADE  all  --  any  any  192.168.2.0/29  !192.168.2.0/29

So... as I want honly0200 to have access to the Internet via NAT, I restart the libvirtd service as suggested here:
http://wiki.libvirt.org/page/Guest_can_reach_host,_but_can%27t_reach_outside....

  service libvirtd restart

So if I run:

  service iptables restart

after libvirtd has restarted, then:

  iptables -L -v --line-numbers

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target               prot opt in         out  source     destination
1        0     0 ACCEPT               udp  --  honly0200  any  anywhere   anywhere   udp dpt:domain
2        0     0 ACCEPT               tcp  --  honly0200  any  anywhere   anywhere   tcp dpt:domain
3        0     0 ACCEPT               udp  --  honly0200  any  anywhere   anywhere   udp dpt:bootps
4        0     0 ACCEPT               tcp  --  honly0200  any  anywhere   anywhere   tcp dpt:bootps
5    29974   10M RH-Firewall-1-INPUT  all  --  any        any  anywhere   anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target               prot opt in         out        source          destination
1        0     0 ACCEPT               all  --  any        honly0200  anywhere        192.168.2.0/29  state RELATED,ESTABLISHED
2        0     0 ACCEPT               all  --  honly0200  any        192.168.2.0/29  anywhere
3        0     0 ACCEPT               all  --  honly0200  honly0200  anywhere        anywhere
4        0     0 REJECT               all  --  any        honly0200  anywhere        anywhere        reject-with icmp-port-unreachable
5        0     0 REJECT               all  --  honly0200  any        anywhere        anywhere        reject-with icmp-port-unreachable
6        0     0 RH-Firewall-1-INPUT  all  --  any        any        anywhere        anywhere

Chain OUTPUT (policy ACCEPT 22701 packets, 7628K bytes)
num   pkts bytes target               prot opt in         out  source     destination

Chain RH-Firewall-1-INPUT (2 references)
num   pkts bytes target  prot opt in   out  source     destination
1    25844 9124K ACCEPT  all  --  lo   any  anywhere   anywhere
2        0     0 ACCEPT  icmp --  any  any  anywhere   anywhere   icmp any
3     3364  921K ACCEPT  all  --  any  any  anywhere   anywhere   state RELATED,ESTABLISHED
4        0     0 ACCEPT  tcp  --  any  any  anywhere   anywhere   state NEW tcp dpt:ssh
5        0     0 ACCEPT  tcp  --  any  any  anywhere   anywhere   state NEW tcp dpt:rfb
6        0     0 ACCEPT  tcp  --  any  any  anywhere   anywhere   state NEW tcp dpt:5901
7        0     0 ACCEPT  tcp  --  any  any  anywhere   anywhere   state NEW tcp dpt:81
8      458 27480 ACCEPT  tcp  --  any  any  anywhere   anywhere   state NEW tcp dpt:snpp
9        0     0 ACCEPT  udp  --  any  any  anywhere   anywhere   state NEW udp dpt:sunrpc
10       0     0 ACCEPT  tcp  --  any  any  anywhere   anywhere   state NEW tcp dpt:sunrpc
11       0     0 ACCEPT  udp  --  any  any  anywhere   anywhere   state NEW udp dpt:892
12       0     0 ACCEPT  tcp  --  any  any  anywhere   anywhere   state NEW tcp dpt:892
13       0     0 ACCEPT  udp  --  any  any  anywhere   anywhere   state NEW udp dpt:rquotad
14       0     0 ACCEPT  tcp  --  any  any  anywhere   anywhere   state NEW tcp dpt:rquotad
15       0     0 ACCEPT  udp  --  any  any  anywhere   anywhere   state NEW udp dpt:pftp
16       0     0 ACCEPT  tcp  --  any  any  anywhere   anywhere   state NEW tcp dpt:pftp
17       0     0 ACCEPT  tcp  --  any  any  anywhere   anywhere   state NEW tcp dpt:nfs
18       0     0 ACCEPT  tcp  --  any  any  anywhere   anywhere   state NEW tcp dpt:32803
19       0     0 ACCEPT  udp  --  any  any  anywhere   anywhere   state NEW udp dpt:filenet-rpc
20     308 14264 REJECT  all  --  any  any  anywhere   anywhere   reject-with icmp-host-prohibited

And I also get:

  iptables -L -v --line-numbers -t nat

Chain PREROUTING (policy ACCEPT 1116 packets, 118K bytes)
num   pkts bytes target  prot opt in    out  source     destination
1        0     0 DNAT    tcp  --  eth0  any  anywhere   anywhere   tcp dpt:50202 to:192.168.2.2:22
2        0     0 DNAT    udp  --  eth0  any  anywhere   anywhere   udp dpt:50202 to:192.168.2.2:22

Chain INPUT (policy ACCEPT 399 packets, 23940 bytes)
num   pkts bytes target  prot opt in    out  source     destination

Chain OUTPUT (policy ACCEPT 637 packets, 56768 bytes)
num   pkts bytes target  prot opt in    out  source     destination

Chain POSTROUTING (policy ACCEPT 637 packets, 56768 bytes)
num   pkts bytes target      prot opt in   out  source          destination
1        0     0 MASQUERADE  tcp  --  any  any  192.168.2.0/29  !192.168.2.0/29  masq ports: 1024-65535
2        0     0 MASQUERADE  udp  --  any  any  192.168.2.0/29  !192.168.2.0/29  masq ports: 1024-65535
3        0     0 MASQUERADE  all  --  any  any  192.168.2.0/29  !192.168.2.0/29

So... that's it. The last setup is the one I want to persist. Well, actually, I also need a script called from /etc/rc.d/rc.local to modify the firewall rules later, too. But let's focus on restarting the iptables and libvirtd services.

Now I'm going to reboot, and you're going to see that its firewall rules are not the expected ones:

  iptables -L -v --line-numbers

Chain INPUT (policy ACCEPT 192K packets, 62M bytes)
num   pkts bytes target  prot opt in         out  source     destination
1        0     0 ACCEPT  udp  --  honly0200  any  anywhere   anywhere   udp dpt:domain
2        0     0 ACCEPT  tcp  --  honly0200  any  anywhere   anywhere   tcp dpt:domain
3        0     0 ACCEPT  udp  --  honly0200  any  anywhere   anywhere   udp dpt:bootps
4        0     0 ACCEPT  tcp  --  honly0200  any  anywhere   anywhere   tcp dpt:bootps

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target  prot opt in         out        source          destination
1        0     0 ACCEPT  all  --  any        honly0200  anywhere        192.168.2.0/29  state RELATED,ESTABLISHED
2        0     0 ACCEPT  all  --  honly0200  any        192.168.2.0/29  anywhere
3        0     0 ACCEPT  all  --  honly0200  honly0200  anywhere        anywhere
4        0     0 REJECT  all  --  any        honly0200  anywhere        anywhere        reject-with icmp-port-unreachable
5        0     0 REJECT  all  --  honly0200  any        anywhere        anywhere        reject-with icmp-port-unreachable
6        0     0 ACCEPT  tcp  --  eth0       any        anywhere        192.168.2.2     tcp dpt:ssh
7        0     0 ACCEPT  udp  --  eth0       any        anywhere        192.168.2.2     udp dpt:ssh

Chain OUTPUT (policy ACCEPT 191K packets, 61M bytes)
num   pkts bytes target  prot opt in         out  source     destination

and also:

  iptables -L -v --line-numbers -t nat

Chain PREROUTING (policy ACCEPT 8683 packets, 933K bytes)
num   pkts bytes target  prot opt in    out  source     destination
1        0     0 DNAT    tcp  --  eth0  any  anywhere   anywhere   tcp dpt:50202 to:192.168.2.2:22
2        0     0 DNAT    udp  --  eth0  any  anywhere   anywhere   udp dpt:50202 to:192.168.2.2:22

Chain INPUT (policy ACCEPT 2687 packets, 165K bytes)
num   pkts bytes target  prot opt in    out  source     destination

Chain OUTPUT (policy ACCEPT 7602 packets, 936K bytes)
num   pkts bytes target  prot opt in    out  source     destination

Chain POSTROUTING (policy ACCEPT 7602 packets, 936K bytes)
num   pkts bytes target      prot opt in   out  source          destination
1        0     0 MASQUERADE  tcp  --  any  any  192.168.2.0/29  !192.168.2.0/29  masq ports: 1024-65535
2        0     0 MASQUERADE  udp  --  any  any  192.168.2.0/29  !192.168.2.0/29  masq ports: 1024-65535
3        0     0 MASQUERADE  all  --  any  any  192.168.2.0/29  !192.168.2.0/29

I suppose I will fix this issue by running the iptables and libvirtd service restarts from rc.d/rc.local, but... I would like to understand a little better what's going on under the hood so that I don't have to implement workarounds.

So... is there any other service that might modify iptables rules? Maybe one that is oVirt specific?

Thank you.

--
Adrián Gibanel
I.T. Manager
+34 675 683 301
www.btactic.com

Before printing this message, think about the environment. The environment is everyone's business.

NOTICE: The content of this message and its attachments is confidential. If you are not the intended recipient, be advised that using, disclosing and/or copying it without the corresponding authorisation is prohibited. If you have received this message in error, we would be grateful if you notified the sender immediately and destroyed the message.
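In the post-reboot listing, the filter table's INPUT chain has policy ACCEPT and contains only libvirt's four ACCEPT rules for honly0200: the jump to RH-Firewall-1-INPUT, and with it the final REJECT, is gone, so until that chain is loaded again nothing rejects inbound traffic to the host. The script below is an added example, not part of the original message and not code from oVirt or libvirt. It parses iptables-save syntax (the format of /etc/sysconfig/iptables), reports which expected rules are absent from a running ruleset, and flags built-in chains where packets can fall through to an ACCEPT policy. The three sample rulesets are constructed from the listings in the post: the libvirt rules are rewritten in save syntax and the expected set is abbreviated to a few of the RH-Firewall-1-INPUT rules.

```python
"""Boot-time sanity check for iptables rule persistence (added example)."""

HEADER = "*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n"

# Abbreviated version of the rules from /etc/sysconfig/iptables in the post (constructed sample).
RH_RULES = """\
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 81 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# The rules libvirt inserts for the honly0200 NAT network, rewritten from the
# post's `iptables -L` output into save syntax (constructed sample).
LIBVIRT_RULES = """\
-A INPUT -i honly0200 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i honly0200 -p udp -m udp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.2.0/29 -o honly0200 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.2.0/29 -i honly0200 -j ACCEPT
-A FORWARD -o honly0200 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i honly0200 -j REJECT --reject-with icmp-port-unreachable
"""

EXPECTED = HEADER + RH_RULES + "COMMIT\n"                            # what should persist
AFTER_LIBVIRTD_RESTART = HEADER + LIBVIRT_RULES + RH_RULES + "COMMIT\n"  # the wanted state
AFTER_REBOOT = HEADER + LIBVIRT_RULES + "COMMIT\n"                   # what the post shows after reboot


def parse_iptables_save(text):
    """Parse iptables-save output into {table: {"policies": {chain: policy}, "rules": [(chain, rule)]}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # table header, e.g. *filter
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
        elif line.startswith(":"):                    # chain declaration, e.g. :INPUT ACCEPT [0:0]
            chain, policy = line[1:].split()[:2]
            tables[table]["policies"][chain] = policy
        elif line.startswith("-A "):                  # append rule: -A <chain> <matches> -j <target>
            parts = line.split()
            tables[table]["rules"].append((parts[1], " ".join(parts[2:])))
        elif line == "COMMIT":
            table = None
    return tables


def missing_rules(expected_text, running_text):
    """Rules present in the expected ruleset but absent from the running one, as (table, chain, rule)."""
    expected, running = parse_iptables_save(expected_text), parse_iptables_save(running_text)
    missing = []
    for table, content in expected.items():
        present = set(running.get(table, {"rules": []})["rules"])
        missing += [(table, chain, rule) for chain, rule in content["rules"] if (chain, rule) not in present]
    return missing


def _target(rule):
    toks = rule.split()
    return toks[toks.index("-j") + 1] if "-j" in toks else None


def _is_unconditional(rule):
    """True when the rule has no match criteria, i.e. it starts directly with -j."""
    toks = rule.split()
    return bool(toks) and toks[0] == "-j"


def ends_in_catch_all(rules_by_chain, chain, seen=None):
    """True if every packet traversing `chain` meets an unconditional REJECT/DROP
    (directly or via an unconditional jump to a user chain that has one)."""
    seen = set() if seen is None else seen
    if chain in seen:
        return False
    seen.add(chain)
    for rule in rules_by_chain.get(chain, []):
        target = _target(rule)
        if not _is_unconditional(rule):
            continue
        if target in ("REJECT", "DROP"):
            return True
        if target in rules_by_chain and ends_in_catch_all(rules_by_chain, target, seen):
            return True
    return False


def open_chains(tables, table="filter", chains=("INPUT", "FORWARD")):
    """Built-in chains with policy ACCEPT that packets can fall through to."""
    t = tables[table]
    by_chain = {}
    for chain, rule in t["rules"]:
        by_chain.setdefault(chain, []).append(rule)
    return sorted(c for c in chains
                  if t["policies"].get(c) == "ACCEPT" and not ends_in_catch_all(by_chain, c))


if __name__ == "__main__":
    for name, text in (("after libvirtd restart", AFTER_LIBVIRTD_RESTART), ("after reboot", AFTER_REBOOT)):
        print(f"== {name}")
        for table, chain, rule in missing_rules(EXPECTED, text):
            print(f"  missing in {table}/{chain}: {rule}")
        print("  chains falling through to policy ACCEPT:", open_chains(parse_iptables_save(text)) or "none")
```

On a real host the two inputs would be `iptables-save` run at the moment the rules are known to be right, saved to a file, and `iptables-save` run from rc.local after boot; comparing against a hand-edited /etc/sysconfig/iptables instead would produce false "missing" reports, because iptables-save canonicalises option order (for example it always emits `-p tcp -m tcp --dport 81` rather than `-p tcp --dport 81`). The fall-through check is deliberately conservative: a REJECT that only matches one interface, like libvirt's `-o honly0200` rules in FORWARD, does not count as a catch-all.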