Custom ssh Port refused forwarding to VM-Guest in libvirt

consuman
Posts: 8
Joined: 2016/11/20 00:44:38

Re: Custom ssh Port refused forwarding to VM-Guest in libvirt

Post by consuman » 2016/11/20 20:58:33

Hi hi,

Okay, we did this. But no matter what we do, after a --reload this f***n rule is always back again.
I have no idea why this could be. Our server seems to apply the rule over and over again.

We can temporarily solve our problem with this:

    iptables -D FORWARD -o virbr0 -j REJECT
    iptables -D FORWARD -i virbr0 -j REJECT

But after every firewall-cmd --reload it's back again. We can't save iptables through the normal command.
So, do you have any idea how to get those two commands as a rich rule that is set for our zone Internal on every --reload?
Because we think that we might be missing a rule there and it is always set back to the "default", which is the rule that drives us crazy.

Thank you so much for your ideas!

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Custom ssh Port refused forwarding to VM-Guest in libvirt

Post by hunter86_bg » 2016/11/21 10:58:30

I'm currently not able to test a rich rule for you. Could you tell me the main reason for switching from iptables to firewalld?

Edit: Can you restart the libvirt daemon?

equaliser
Posts: 4
Joined: 2016/11/20 00:46:55
Location: Berlin

Re: Custom ssh Port refused forwarding to VM-Guest in libvirt

Post by equaliser » 2016/11/21 13:11:18

hunter86_bg wrote: I'm currently not able to test a rich rule for you. Could you tell me the main reason for switching from iptables to firewalld?
We switched because of the handling. We began with only iptables, but a lot of people recommend this because of managing zones. So that's what I personally like: to manage zones that way.

There is one thing we are thinking about. Our server provider has an individually configured network in their ISOs. I think there is something that automatically sets a specific rule.

So for now, we know what the problem is. But we need a solution to let firewalld know that it always has to note the

    iptables -D FORWARD -o virbr0 -j REJECT
    iptables -D FORWARD -i virbr0 -j REJECT

after a reload or restart.

Because, if this rule is not known by firewalld, iptables will always set the default, which is rejecting our in- and out-traffic.

That's why we can't use iptables or firewalld as normally as thousands of other users.

So all we need now is a rich rule for the above, so firewalld always remembers not to let iptables set this reject rule. So what we need is to translate the rule to a rich rule.

That's all.
hunter86_bg wrote: Edit: Can you restart the libvirt daemon?
Yeah, we can. So libvirt is fine.
Things are relative

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Custom ssh Port refused forwarding to VM-Guest in libvirt

Post by hunter86_bg » 2016/11/22 08:50:02

As a last resort, you can take the direct rule approach.
Direct Options
The direct options give a more direct access to the firewall. These options require user to know basic iptables concepts, i.e. table (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...),
commands (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets (ACCEPT/DROP/REJECT/...).

Direct options should be used only as a last resort when it's not possible to use for example --add-service=service or --add-rich-rule='rule'.

The first argument of each option has to be ipv4 or ipv6 or eb. With ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6 (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).
[--permanent] --direct --add-rule { ipv4 | ipv6 | eb } table chain priority args
Add a rule with the arguments args to chain chain in table table with priority priority.

The priority is used to order rules. Priority 0 means add rule on top of the chain, with a higher priority the rule will be added further down. Rules with the same priority are on the same level
and the order of these rules is not fixed and may change. If you want to make sure that a rule will be added after another one, use a low priority for the first and a higher for the following.
You should use something like:

    firewall-cmd --direct --add-rule '{ ipv4 | ipv6 | eb } <table> <chain> <priority> <args>'

If it works then just save it to permanent via:

    firewall-cmd --runtime-to-permanent && firewall-cmd --reload

Note: I haven't used the direct rule approach.
Reference:

    man firewall-cmd
    -> Direct Options
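Because iptables takes the first matching rule in a chain, whether a direct rule actually helps depends on where it lands relative to libvirt's two REJECT rules. The following is an added example, not code from the thread or from firewalld: a small first-match evaluator over a constructed `iptables -S FORWARD` listing (libvirt's default NAT network on virbr0, guest address 192.168.122.10 and ssh port 2222 are assumed), which shows that the same ACCEPT rule passes the forwarded ssh connection when it sits above the REJECTs and is never reached when appended below them. The check a practitioner wants after `--reload` is therefore `iptables -S FORWARD` and the position of the ACCEPT in that real listing.

```python
import ipaddress
from collections import namedtuple

# Fields the sample rules can match on; every sample packet is assumed to be TCP.
Packet = namedtuple("Packet", "in_if out_if src dst dport state", defaults=["NEW"])

# Constructed `iptables -S FORWARD` listing for libvirt's default NAT network on virbr0.
LIBVIRT_FORWARD = """\
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
"""
# Hypothetical ACCEPT for ssh DNAT'd to guest 192.168.122.10:2222, as a firewalld
# direct rule (ipv4 filter FORWARD, priority 0) would express it.
ALLOW_SSH = "-A FORWARD -d 192.168.122.10/32 -o virbr0 -p tcp --dport 2222 -j ACCEPT\n"

def parse_rule(line):
    # Split one -S line into {match option: value} and the -j target.
    toks, cond, target, i = line.split(), {}, None, 0
    while i < len(toks):
        if toks[i] in ("-s", "-d", "-i", "-o", "-p", "--dport", "--ctstate"):
            cond[toks[i]] = toks[i + 1]
            i += 2
        elif toks[i] == "-j":
            target = toks[i + 1]
            i += 2
        else:  # -A FORWARD, -m conntrack, --reject-with ...: no match effect here
            i += 1
    return cond, target

def matches(cond, pkt):
    checks = {
        "-i": lambda v: pkt.in_if == v,
        "-o": lambda v: pkt.out_if == v,
        "-s": lambda v: ipaddress.ip_address(pkt.src) in ipaddress.ip_network(v),
        "-d": lambda v: ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(v),
        "-p": lambda v: v == "tcp",
        "--dport": lambda v: pkt.dport == int(v),
        "--ctstate": lambda v: pkt.state in v.split(","),
    }
    return all(checks[k](v) for k, v in cond.items())

def verdict(listing, pkt, policy="ACCEPT"):
    # Walk the chain top-down; the first matching rule decides, as the kernel does.
    for line in listing.strip().splitlines():
        cond, target = parse_rule(line)
        if matches(cond, pkt):
            return target
    return policy

# New inbound ssh connection, already DNAT'd to the guest, about to leave via virbr0.
SSH_TO_GUEST = Packet("eth0", "virbr0", "203.0.113.5", "192.168.122.10", 2222)
```

`verdict(LIBVIRT_FORWARD, SSH_TO_GUEST)` returns REJECT, `verdict(ALLOW_SSH + LIBVIRT_FORWARD, SSH_TO_GUEST)` returns ACCEPT, and with ALLOW_SSH appended after the listing it is REJECT again.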

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Custom ssh Port refused forwarding to VM-Guest in libvirt

Post by TrevorH » 2016/11/22 09:05:28

It's libvirt that adds those forward rules in the first place.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Custom ssh Port refused forwarding to VM-Guest in libvirt

Post by hunter86_bg » 2016/11/22 09:09:32

It passed my mind, but I wasn't sure.

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Custom ssh Port refused forwarding to VM-Guest in libvirt

Post by hunter86_bg » 2016/11/22 09:30:54

Ok, it seems this can be resolved by changing the mode of libvirt's network type to "routed".
Check the following link where it is explained: Routed_mode_2

equaliser
Posts: 4
Joined: 2016/11/20 00:46:55
Location: Berlin

Re: Custom ssh Port refused forwarding to VM-Guest in libvirt

Post by equaliser » 2016/11/22 10:13:00

Uh, that's a very stunning point you both are talking about. We will look at that libvirt config.
Things are relative

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Custom ssh Port refused forwarding to VM-Guest in libvirt

Post by hunter86_bg » 2016/11/22 11:18:47

Don't forget to update here, regardless of the result.

consuman
Posts: 8
Joined: 2016/11/20 00:44:38

Re: Custom ssh Port refused forwarding to VM-Guest in libvirt

Post by consuman » 2016/11/27 13:56:48

Thank you all for your helpful ideas!

Unfortunately we still don't see clearly, but we will continue researching it! At the moment, we have our virtual servers working, but it seems like we don't get the whole picture so far. For example: we are forwarding port 80 to our virtual machine, which works fine, since websites are displayed properly, but if we try to update our webserver via yum, it fails to get an answer, because it's using the same port. To solve this, we have to take the forwarding rule away, update, and put it back in place. That's strange and makes me believe that we don't understand how to make it right^^

I looked in the configuration of our virtual bridge and there is a routing option switched on. Maybe we have this already, but I'll have another look at it and read the article again.

Of course we will post our solution here! But it may take some more time to figure it out. Maybe speak personally to someone who already did this :)

But it's a great thing! It's fun to set up virtual machines and the firewall all manually. For the first time, we really have control over the packet flow in our network, and it's okay that we need some time to get good at it.
