I've been poking around with KVM VMs on CentOS 6.4. Not having an internet connection on my VMs, I found something curious:
Upon booting the machine, iptables has rules in the FORWARD chain to allow traffic through to the VMs and all is well. When I run service iptables restart, however, it looks like it pulls the config rules from /etc/sysconfig/iptables (default settings, which reject all forwarding), and thus I've been relegated to either dropping the firewall completely on the physical host or rebooting to get the FORWARD rules added so it works again.
Edit:
Indeed, I could just modify the firewall rules myself to allow it, but that isn't the focus of this question. I'm more focused on question #1 below:
My questions are:
- At what point (or by what mechanism) are these FORWARD rules added in?
- How can I recover the FORWARD rules without rebooting the machine?
Quite frankly, I'm not even sure where to start searching for this issue. I found this page that says to modify /etc/sysctl.conf with the following variables, which allegedly make netfilter ignore traffic to bridged connections:
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
The problem with that is that my sysctl.conf is already set as such and netfilter still does its thing, happily blocking everything to the VMs.
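A check for the situation the question describes (sysctl.conf contains the bridge-nf-call settings but the kernel is not honouring them), added here as an example and not part of the original post: it compares each configured value with the value the kernel currently reports under /proc/sys/net/bridge, and reports separately when those keys are absent, since they only exist while the bridge module is loaded and "sysctl -p" skips keys that do not exist at the time it runs. The second parameter overriding the /proc directory is an assumption added for testing.

```shell
#!/bin/sh
# Compare net.bridge.bridge-nf-call-* values in a sysctl.conf file with
# the values the kernel is actually using.
#
# Usage: bridge_nf_check [sysctl.conf] [sysdir]
#   sysctl.conf  defaults to /etc/sysctl.conf
#   sysdir       defaults to /proc/sys/net/bridge (override for testing)
# Exit status: 0 = every configured value is in effect
#              1 = at least one configured value differs from the kernel
#              2 = bridge sysctls absent (bridge module not loaded)
bridge_nf_check() {
    conf=${1:-/etc/sysctl.conf}
    sysdir=${2:-/proc/sys/net/bridge}
    if [ ! -d "$sysdir" ]; then
        echo "bridge sysctls not present under $sysdir (bridge module not loaded?)"
        return 2
    fi
    rc=0
    for key in bridge-nf-call-iptables bridge-nf-call-ip6tables bridge-nf-call-arptables; do
        # Configured value: last non-comment assignment wins, as with sysctl -p.
        want=$(sed -n "s/^[[:space:]]*net\.bridge\.$key[[:space:]]*=[[:space:]]*\([0-9]\).*/\1/p" "$conf" | tail -n 1)
        # Effective value as reported by the kernel.
        have=$(cat "$sysdir/$key" 2>/dev/null)
        if [ -z "$want" ]; then
            echo "$key: not set in $conf (kernel: ${have:-?})"
        elif [ "$want" = "$have" ]; then
            echo "$key: ok ($have)"
        else
            echo "$key: MISMATCH configured=$want kernel=${have:-?}"
            rc=1
        fi
    done
    return $rc
}
```

A MISMATCH on a host whose sysctl.conf already holds the zeros usually means the file was applied before the bridge module existed; a bare "sysctl -p" after the bridge is up shows whether the values then take effect.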