How do I prevent libvirt from adding iptables rules for guest NAT networks?

Solution 1

Well I've found an answer that suits me: I've gone back to school and learned to do it the old fashioned way. No need to use libvirt's fancy networking functions as I can just:

• set up my own bridged network(s) (not attached to any physical network port)
• use a DHCP server on the host and masquerade in iptables
• edit the libvirt guest config files to use the bridge(s)
• have complete flexibility in how I want to configure security with iptables

Solution 2

It is not possible to modify these rules, since they are not in a configuration file or a script, but in the sourcecode.

But in 2016 the "open"-network "forward mode" was added. When specified for a network, libvirt does not generate any iptables rules for the network. See bug 846810.

So edit your network (virsh net-edit) to <forward mode='open'/>.

open is like route, but there will be no firewall rules added to either enable or prevent any of this traffic. See Network XML format for more details.

Solution 3

Per Red Hat Bugzilla:

First, it is already possible to avoid the iptables rules - simply do not request a NAT based virtual network. The 'default' virtual network is intentionally NAT based. You are free to remove this & default one which doesn't provide NAT.

So to avoid the cron job:

virsh net-destroy default
virsh net-undefine default

Of course, as @user83664 wrote, you'll have to use either a bridge or hostonly networks going forward.

Related videos on Youtube

11 : 09

Computer Networking Tutorial - 40 - iptables Firewall Rules

thenewboston

154

43 : 39

VM Networking ( Libvirt / Bridge )

octetz

28

31 : 02

iptables Complete Guide | HackerSploit Linux Security

Linode

25

12 : 06

qemu/kvm bridge and NAT networking

Abstract programmer

23

01 : 58

How do I prevent libvirt from adding iptables rules for guest NAT networks? (2 Solutions!!)

Roel Van de Paar

7

Author by

Admin

Updated on September 18, 2022