Created
October 19, 2020 19:23
-
-
Save michalskalski/3bf99440406a3b9b3afbb71249fd1ae8 to your computer and use it in GitHub Desktop.
firewall-cmd --reload impact on libvirt rules , NAT stop to work vm can't access external resources.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| RHEL8: firewall-cmd --reload impact on libvirt rules , NAT stop to work vm can't access external resources. | |
| 'sudo systemctl restart libvirtd'restores rules | |
| Rule list: sudo nft list ruleset | |
| --- libvirt 2020-10-19 21:06:30.434593275 +0200 | |
| +++ reload 2020-10-19 21:08:14.026787785 +0200 | |
| @@ -1,80 +1,27 @@ | |
| table ip filter { | |
| chain INPUT { | |
| type filter hook input priority filter; policy accept; | |
| - counter packets 12 bytes 844 jump LIBVIRT_INP | |
| } | |
| chain FORWARD { | |
| type filter hook forward priority filter; policy accept; | |
| - counter packets 33 bytes 2572 jump LIBVIRT_FWX | |
| - counter packets 33 bytes 2572 jump LIBVIRT_FWI | |
| - counter packets 17 bytes 1266 jump LIBVIRT_FWO | |
| } | |
| chain OUTPUT { | |
| type filter hook output priority filter; policy accept; | |
| - counter packets 7 bytes 656 jump LIBVIRT_OUT | |
| - } | |
| - | |
| - chain LIBVIRT_INP { | |
| - iifname "virbr0" meta l4proto udp udp dport 53 counter packets 0 bytes 0 accept | |
| - iifname "virbr0" meta l4proto tcp tcp dport 53 counter packets 0 bytes 0 accept | |
| - iifname "virbr0" meta l4proto udp udp dport 67 counter packets 0 bytes 0 accept | |
| - iifname "virbr0" meta l4proto tcp tcp dport 67 counter packets 0 bytes 0 accept | |
| - } | |
| - | |
| - chain LIBVIRT_OUT { | |
| - oifname "virbr0" meta l4proto udp udp dport 53 counter packets 0 bytes 0 accept | |
| - oifname "virbr0" meta l4proto tcp tcp dport 53 counter packets 0 bytes 0 accept | |
| - oifname "virbr0" meta l4proto udp udp dport 68 counter packets 0 bytes 0 accept | |
| - oifname "virbr0" meta l4proto tcp tcp dport 68 counter packets 0 bytes 0 accept | |
| - } | |
| - | |
| - chain LIBVIRT_FWO { | |
| - iifname "virbr0" ip saddr 192.168.122.0/24 counter packets 17 bytes 1266 accept | |
| - iifname "virbr0" counter packets 0 bytes 0 reject | |
| - } | |
| - | |
| - chain LIBVIRT_FWI { | |
| - oifname "virbr0" ip daddr 192.168.122.0/24 ct state related,established counter packets 16 bytes 1306 accept | |
| - oifname "virbr0" counter packets 0 bytes 0 reject | |
| - } | |
| - | |
| - chain LIBVIRT_FWX { | |
| - iifname "virbr0" oifname "virbr0" counter packets 0 bytes 0 accept | |
| } | |
| } | |
| table ip6 filter { | |
| chain INPUT { | |
| type filter hook input priority filter; policy accept; | |
| - counter packets 0 bytes 0 jump LIBVIRT_INP | |
| } | |
| chain FORWARD { | |
| type filter hook forward priority filter; policy accept; | |
| - counter packets 0 bytes 0 jump LIBVIRT_FWX | |
| - counter packets 0 bytes 0 jump LIBVIRT_FWI | |
| - counter packets 0 bytes 0 jump LIBVIRT_FWO | |
| } | |
| chain OUTPUT { | |
| type filter hook output priority filter; policy accept; | |
| - counter packets 0 bytes 0 jump LIBVIRT_OUT | |
| - } | |
| - | |
| - chain LIBVIRT_INP { | |
| - } | |
| - | |
| - chain LIBVIRT_OUT { | |
| - } | |
| - | |
| - chain LIBVIRT_FWO { | |
| - } | |
| - | |
| - chain LIBVIRT_FWI { | |
| - } | |
| - | |
| - chain LIBVIRT_FWX { | |
| } | |
| } | |
| table bridge filter { | |
| @@ -131,11 +78,6 @@ | |
| chain POSTROUTING { | |
| type filter hook postrouting priority mangle; policy accept; | |
| - counter packets 40 bytes 3228 jump LIBVIRT_PRT | |
| - } | |
| - | |
| - chain LIBVIRT_PRT { | |
| - oifname "virbr0" meta l4proto udp udp dport 68 counter packets 0 bytes 0 # CHECKSUM fill | |
| } | |
| } | |
| table ip nat { | |
| @@ -149,20 +91,11 @@ | |
| chain POSTROUTING { | |
| type nat hook postrouting priority srcnat; policy accept; | |
| - counter packets 2 bytes 127 jump LIBVIRT_PRT | |
| } | |
| chain OUTPUT { | |
| type nat hook output priority -100; policy accept; | |
| } | |
| - | |
| - chain LIBVIRT_PRT { | |
| - ip saddr 192.168.122.0/24 ip daddr 224.0.0.0/24 counter packets 0 bytes 0 return | |
| - ip saddr 192.168.122.0/24 ip daddr 255.255.255.255 counter packets 0 bytes 0 return | |
| - meta l4proto tcp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535 | |
| - meta l4proto udp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 2 bytes 127 masquerade to :1024-65535 | |
| - ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade | |
| - } | |
| } | |
| table ip6 security { | |
| chain INPUT { | |
| @@ -205,10 +138,6 @@ | |
| chain POSTROUTING { | |
| type filter hook postrouting priority mangle; policy accept; | |
| - counter packets 0 bytes 0 jump LIBVIRT_PRT | |
| - } | |
| - | |
| - chain LIBVIRT_PRT { | |
| } | |
| } | |
| table ip6 nat { | |
| @@ -222,15 +151,11 @@ | |
| chain POSTROUTING { | |
| type nat hook postrouting priority srcnat; policy accept; | |
| - counter packets 0 bytes 0 jump LIBVIRT_PRT | |
| } | |
| chain OUTPUT { | |
| type nat hook output priority -100; policy accept; | |
| } | |
| - | |
| - chain LIBVIRT_PRT { | |
| - } | |
| } | |
| table bridge nat { | |
| chain PREROUTING { |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment