First, I want to say: I know it was done wrong initially, and I want to avoid doing everything again from scratch because of the general downtime.
I am running libvirt/KVM on RHEL. I've got a VM which runs with the NAT networking profile (the default one). I've set up port forwarding etc. from the host via sysconfig/iptables, and everything is fine.
But if the libvirtd daemon reloads for some internal reason, or receives SIGHUP, it reloads the iptables configuration and adds rules from its filtering profiles, i.e. everything works as designed and documented (libvirt and firewall + libvirt nwfilter documentation). There is no problem with the software; this is a configuration issue.
But some rules introduce REJECTs before I need them, and I can't connect to the machine via the forwarded ports, as seen below:
After running service iptables restart, everything works as before.
Is there a way to force libvirt to change the order of these two, or to disable these particular rules?
Maybe someone has faced exactly the same issue and has an answer ready.
Thanks
I feel your pain. I really wish libvirt supported this better.
Create a script that applies the port forwarding firewall rules for your guest. Be sure to use iptables -I so that your rules are inserted before libvirt's REJECT rule. You need to use hooks to run that script each time libvirt starts or is reloaded.
Also, you should make sure that the rules for libvirt and your port forwarding aren't saved in /etc/sysconfig/iptables. Let libvirt and your hook set those up.
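An added example of such a hook, not code from the answer above: a qemu hook script that inserts one guest's forwarding rules with iptables -I when the guest starts or is reconnected after a daemon restart, and removes them when it stops (a daemon SIGHUP is delivered to the separate daemon hook as the "reload" operation, where the same insert logic can be reused). The guest name, guest IP and port mapping are assumed placeholder values.

```shell
#!/bin/sh
# Added example, not code from the answer above: a libvirt qemu hook that
# re-inserts one guest's port-forwarding rules ahead of libvirt's REJECT rule.
# Install as /etc/libvirt/hooks/qemu (chmod +x); libvirt invokes it as
#   /etc/libvirt/hooks/qemu <guest_name> <operation> <sub-operation> <extra>
# Guest name, guest IP and the port mapping below are assumed placeholder values.
GUEST="myguest"
GUEST_IP="192.168.122.10"
HOST_PORT="2222"
GUEST_PORT="22"

# One rule per line: "<table> <chain> <match/target spec>". The same spec is
# passed to the -C (check), -I (insert) and -D (delete) calls below.
fwd_rules() {
  printf '%s\n' \
    "nat PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to-destination $GUEST_IP:$GUEST_PORT" \
    "filter FORWARD -d $GUEST_IP -p tcp --dport $GUEST_PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# insert: -I puts the rule at the top of the chain, before the REJECT that
#         libvirt appends; -C runs first so a restart does not stack duplicates.
# delete: remove the same rule when the guest stops.
apply_rules() {
  fwd_rules | while read -r table spec; do
    case "$1" in
      insert) iptables -t "$table" -C $spec 2>/dev/null || iptables -t "$table" -I $spec ;;
      delete) iptables -t "$table" -D $spec 2>/dev/null || true ;;
    esac
  done
}

# Map the hook's (guest, operation) arguments to an action. "reconnect" is
# what libvirt passes for guests it finds already running after a daemon restart.
hook_action() {
  [ "$1" = "$GUEST" ] || { echo none; return; }
  case "$2" in
    start|reconnect) echo insert ;;
    stopped)         echo delete ;;
    *)               echo none ;;
  esac
}

case "$(hook_action "$1" "$2")" in
  insert) apply_rules insert ;;
  delete) apply_rules delete ;;
esac
```

Because the rules live only in the hook, they are not written to /etc/sysconfig/iptables, so a service iptables restart cannot save a stale copy of them.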
You can create your own NAT network instead, which means libvirt won't add any firewall rules. See the Custom NAT-based Network section of the libvirt Networking Handbook.