Hi Darragh,
On Tue, 2010-11-16 at 19:26 +0000, Bailey, Darragh wrote:
>> While configuring a separate bridge for some virtual hosts and looking
> at the existing iptables nat table I could see the following rules
> which are added in by libvirtd. I know this for certain since there is
> a bug in fedora that if the iptables are restarted the rules to
> support NAT with the default virtual network created by libvirtd are
> not loaded, and requires calling 'service libvirtd reload' to fix it.
Yeah, the issue is that iptables has no mechanism by which libvirt can
register its rules without overwriting user's custom rules.
> MASQUERADE tcp -- 10.2.0.0/24 !10.2.0.0/24 masq ports: 1024-65535
> MASQUERADE udp -- 10.2.0.0/24 !10.2.0.0/24 masq ports: 1024-65535
> MASQUERADE all -- 10.2.0.0/24 !10.2.0.0/24
>> I've seen these mentioned on a few sites that I've looked at, but none
> seem to touch on what exactly they do. Make sure all tcp & udp
> connections when being nat'ed are routed using ports in the range
> 1024-65535 on the local system? Isn't that
Funky, I hadn't seen that before. The idea is to prevent the guest to
use source ports < 1024 so that NAT-ed guests can't access remote NFS
mounts configured with the "secure" option which authorizes clients
based on their source port.
See this patch and the bugzilla mentioned:
https://www.redhat.com/archives/libvir-list/2010-July/msg00219.html
Cheers,
Mark.
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
