Ping a Specific Port

Question

Anonymouslemming

Asked: 2014-08-17 09:30:40 +0800 CST2014-08-17 09:30:40 +0800 CST 2014-08-17 09:30:40 +0800 CST

How to setup IPTables on KVM host - iptables-persistent is being ignored

772

I'm trying to setup some specific IPTables rules on an ubuntu 14.04.1 host that runs some KVM guests.

The box has multiple NICs with multiple IP addresses and the guests use different addresses based on their function.

I normally use iptables-persistent to achieve this, but for some reason, the rules under /etc/iptables/rules.v4 are not being loaded at boot time. iptables-persistent works correctly when libvirt is not installed.

If I run '/etc/init.d/iptables-persistent start' then the rules are loaded and the setup is as I expect. But at boot they are not. I've tried creating a very simple rules.v4 file to debug this, but it is still not loaded.

The init symlink for iptables-persistent exists at /etc/rc2.d/S37iptables-persistent

I have confirmed that ufw is disabled. I have also removed the nwfilter rules from /etc/libvirt/nwfilter and virsh nwfilter-list does not display any entries.

Any idea what else might be setting these rules and how I customise them as I want them ?

ufw status output

# ufw status
Status: inactive

virsh nwfilter-list output

# virsh nwfilter-list
 UUID                                  Name                 
------------------------------------------------------------------

contents of /etc/iptables/rules.v4

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_AND_DROP - [0:0]
-A INPUT -s 192.168.10.0/24 -i br0 -j ACCEPT
-A INPUT -s 192.168.11.0/24 -i br0 -j ACCEPT
-A LOG_AND_DROP -j LOG --log-prefix "iptables deny: " --log-level 7
-A LOG_AND_DROP -j DROP
COMMIT

output of iptables -L -n after boot (unwanted result)

# iptables -L -n -v
Chain INPUT (policy ACCEPT 12 packets, 912 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
    0     0 ACCEPT     udp  --  tunnelbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  tunnelbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  tunnelbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  tunnelbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
    0     0 ACCEPT     udp  --  mgmtbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  mgmtbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  mgmtbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  mgmtbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
  193 17300 ACCEPT     all  --  br0    *       192.168.10.0/24      0.0.0.0/0           
    0     0 ACCEPT     all  --  br0    *       192.168.11.0/24      0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0           
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  tunnelbr0 tunnelbr0  0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      tunnelbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  tunnelbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  mgmtbr0 mgmtbr0  0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      mgmtbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  mgmtbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 132 packets, 17456 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT     udp  --  *      tunnelbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT     udp  --  *      mgmtbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68

Chain LOG_AND_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 7 prefix "iptables deny: "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Output of iptables -L -n -v after running /etc/init.d/iptables-persistent start (expected result)

# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   13   920 ACCEPT     all  --  br0    *       192.168.10.0/24      0.0.0.0/0           
    0     0 ACCEPT     all  --  br0    *       192.168.11.0/24      0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 8 packets, 1104 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain LOG_AND_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 7 prefix "iptables deny: "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

3 Answers

Voted

Michael Hampton · Answer 1 · 2014-08-18T04:14:10+08:00

Michael Hampton

2014-08-18T04:14:10+08:002014-08-18T04:14:10+08:00

All of the "extra" rules you are seeing were added by the libvirt daemon to support (and secure) virtual networking for your virtual machine guests. You generally do not need to worry about these rules (and should not try to persist them, as then they would be duplicated at next boot).

It's also clear that all of your persistent firewall rules were added to the firewall.

It was between difficult and impossible to discern either of these facts without that critical -v switch for the `iptables command.

2

DanielRieken · Answer 2 · 2022-03-27T13:19:40+08:00

I know this question is very old, but since your question where these rules come from and how to customize them, is not fully answered yet, I will try to do so...

As Michael Hampton already told, these rules come from libvirt. Here are some quotes form the libvirt documentation:

Libvirt will optionally also provide DHCP services to the virtual network using DNSMASQ. In all cases, we need to allow DNS/DHCP queries to the host OS. Since we can't predict whether the host firewall setup is already allowing this, we insert 4 rules into the head of the INPUT chain

The next rules depend on the type of connectivity allowed, and go in the main FORWARD chain

The rules are controlled by "forward mode" in the configuration of each network. You can not modify these rules, since they are not in a configuration file or a script, but in the sourcecode. These iptables rules are not to be confused with the network-filters you mentioned (virsh nwfilter-list), since network-filters are applied to virtual machines. For more details see Network Filters.

In 2016 the "open"-network "forward mode" was added. When specified for a network, libvirt does not generate any iptables rules for the network. See bug 846810.

So edit your network (virsh net-edit) to <forward mode='open'/>.

open is like route, but there will be no firewall rules added to either enable or prevent any of this traffic. See Network XML format for more details.

Jakov Sosic · Answer 3 · 2014-08-17T16:13:08+08:00

Jakov Sosic

2014-08-17T16:13:08+08:002014-08-17T16:13:08+08:00

Did you check in /etc/network/interfaces for "pre-up" directive, which may look something like:

pre-up iptables-restore < /etc/iptables.rules

Another possibility on Ubuntu/Debian is that scripts are located in /etc/network/if-pre-up.d/ directory, so you should list the contents of that dir:

# ls -al /etc/network/if-pre-up.d/

Another possibility is that NetworkManager loads the rules, and you can check that by searching for firewall/iptables in following directory:

/etc/NetworkManager/dispatcher.d/

Also, check all scripts in /etc/init and /etc/init.d for "iptables" and "iptables-restore".

0

How to setup IPTables on KVM host - iptables-persistent is being ignored

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?