From: Giovanni Biscuolo <giovanni@biscuolo.net>
To: netfilter@vger.kernel.org
Subject: Re: connection refused from DNATted host (libvirt guests!)
Date: Tue, 28 May 2024 12:00:48 +0200 [thread overview]
Message-ID: <87sey2uugf.fsf@xelera.eu> (raw)
In-Reply-To: <875xuzw77l.fsf@xelera.eu>
Hello,
I'm not subscribed to this list, please keep me in the From: when
replying, thanks!
I've found a solution; I'm posting it here hoping it could be useful to
others.
I've also changed the subject a little to include the important
missing information about libvirt guests.
Giovanni Biscuolo <giovanni@biscuolo.net> writes:
[...]
> I'm using libvirt to define and run a guest (IPv4 192.168.133.9) inside
> my host
OK, now I understand that:
1. libvirt (still?!?) uses iptables and not nftables to define firewall
rules (see [1])
2. iptables-defined filters are _not_ visible via "nft" commands, at
least not via the 'nft list ruleset' I was using to look at the rules. I
was actually expecting a uniform interface to netfilter, but I see that
even today we still have to manage netfilter via (at least?) two
different interfaces.
3. when defining a network bridge with a forward "mode='nat'" parameter
(the default), libvirt configures firewall rules (via iptables) so
that «inbound connections from other networks are all prohibited; all
connections between guests on the same network, and to/from the host to
the guests, are unrestricted and not NATed.» (see [2])
The solution I've adopted is to (re)define the libvirt-created network
bridge (swws-bridge in my case) using forward "mode='open'", so that «no
firewall rules will be added for the network» (see [2]) by libvirt and I
can manage all firewall rules via nftables alone. Once I had reconfigured
swws-bridge, I was able to remotely connect to my DNATted (and forwarded)
ports on my guest machine.
Another solution could have been to configure some libvirt nwfilters via
XML (see [3])... but no :-D
[...]
Happy hacking.
[1] https://libvirt.org/firewall.html#firewalld-and-the-virtual-network-driver
so libvirt can use firewalld backends but not nftables directly :-(
[2] https://libvirt.org/formatnetwork.html#connectivity
[3] https://libvirt.org/formatnwfilter.html
--
Giovanni Biscuolo
«Si può sperare
Che il mondo torni a quote più normali».
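Added example (not part of the post above, nor libvirt's or netfilter's own code): a POSIX shell script that carries out the fix described in the message, redefining the libvirt network with forward mode='open' and then loading the DNAT, masquerade and forward rules with nftables alone, so nothing is added behind nft's back. Only the guest address 192.168.133.9 and the network name swws-bridge come from the post; the uplink interface eth0, the guest subnet 192.168.133.0/24 with the host at .1, the host port 2222 forwarded to guest port 22, and the table name swws_nat are assumptions chosen for the example. The forward chain is default-drop, so only guest-originated traffic, replies, and the one forwarded port pass; adjust it if other traffic crosses the host.

```shell
#!/bin/sh
# Added example: replace libvirt's mode='nat' rules with an nftables-only
# setup for a guest behind a libvirt network redefined as mode='open'.
# Assumed values are marked; only GUEST_IP and the network name are from the post.
set -eu

NET_NAME="swws-bridge"        # from the post
BRIDGE="swws-bridge"          # assumption: bridge device shares the network name
UPLINK="eth0"                 # assumption: host's outward-facing interface
GUEST_IP="192.168.133.9"      # from the post
GUEST_NET="192.168.133.0/24"  # assumption
HOST_PORT=2222                # assumption: port exposed on the host
GUEST_PORT=22                 # assumption: service port on the guest

# libvirt network definition with forward mode='open': libvirt adds no
# firewall rules for it, so every rule on the host is one we wrote in nft.
network_xml() {
    cat <<EOF
<network>
  <name>${NET_NAME}</name>
  <forward mode='open'/>
  <bridge name='${BRIDGE}' stp='on' delay='0'/>
  <ip address='192.168.133.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.133.2' end='192.168.133.254'/>
    </dhcp>
  </ip>
</network>
EOF
}

# nftables ruleset: DNAT the exposed port to the guest, masquerade guest
# traffic leaving via the uplink, and a default-drop forward chain that only
# admits guest-originated flows, their replies, and the forwarded port.
nft_ruleset() {
    cat <<EOF
table inet swws_nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "${UPLINK}" tcp dport ${HOST_PORT} dnat ip to ${GUEST_IP}:${GUEST_PORT}
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr ${GUEST_NET} oifname "${UPLINK}" masquerade
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "${BRIDGE}" oifname "${UPLINK}" accept
        iifname "${UPLINK}" oifname "${BRIDGE}" ip daddr ${GUEST_IP} tcp dport ${GUEST_PORT} ct state new accept
    }
}
EOF
}

# Count leftover libvirt iptables rules (assumption: libvirt names its
# chains LIBVIRT_*). These may not show in 'nft list ruleset', so ask
# iptables directly; prints 0 when iptables is absent or nothing remains.
residual_libvirt_rules() {
    if command -v iptables >/dev/null 2>&1; then
        iptables -S 2>/dev/null | grep -c 'LIBVIRT_' || true
    else
        echo 0
    fi
}

# Apply: redefine the network, then syntax-check and load the ruleset.
apply_all() {
    network_xml > /tmp/${NET_NAME}.xml
    virsh net-destroy "${NET_NAME}" || true
    virsh net-undefine "${NET_NAME}" || true
    virsh net-define /tmp/${NET_NAME}.xml
    virsh net-autostart "${NET_NAME}"
    virsh net-start "${NET_NAME}"
    nft_ruleset > /tmp/swws_nat.nft
    nft -c -f /tmp/swws_nat.nft   # check only; refuse to load a bad file
    nft -f /tmp/swws_nat.nft
    echo "residual libvirt iptables rules: $(residual_libvirt_rules)"
}

if [ "${1:-}" = "apply" ]; then
    apply_all
fi
```

Run it as root with the single argument apply; without arguments it only defines the functions, so the XML and ruleset can be inspected first with network_xml and nft_ruleset. Because libvirt may have used either iptables backend, 'iptables -S' (and 'iptables -t nat -S') is the independent check that no LIBVIRT_* chains survived the switch to mode='open'.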