Scientific Linux

  Reply to this topicStart new topicStart Poll

> iptables rule set lacking libvirt rules
 Posted: May 1 2013, 07:52 PM
Quote Post

SLF Newbie

Group: Members
Posts: 3
Member No.: 2461
Joined: 1-May 13


I have figured this out by discovering that iptables holds the rules libvirt sets in memory, so they are not visible in /etc/sysconfig/iptables file until saved, and that the actual problem was that I needed to configure iptables to allow FTP input from the virtual networks.

All sorted and a little learnt - I expect this is simple stuff for the people here so if a moderator reads this please delete my post.

**** Original Post ****

Hoping someone kind and knowledgeable will be able to help me with this newbie question!

Scientific Linux 6.2 installed on a laptop.

I am attempting to install virtual machine guests from media hosted on a local FTP server on my laptop. If I turn off iptables the install works fine but if I turn iptables back on the installation fails with an error message about the network controller or being unable to retrieve the installation disc image.

Unable to retrieve

If I stop iptables there is no problem and the vm guest install works fine.

From reading up on libvirt there should be rules in my iptables configuration and if not present due to being wiped, the rules can be reloaded by sending a SIGHUP signal to libvirt - but this does not seem to work for me.

Iptables config -

# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

The nearest I have got to a solution is in the libvirt documentation on firewalls -

“Finally, in terms of problems we have in deployment. The biggest problem is that if the admin does service iptables restart all our work gets blown away. We've experimented with using lokkit to record our custom rules in a persistent config file, but that caused different problem. Admins who were not using lokkit for their config found that all their own rules got blown away. So we threw away our lokkit code. Instead we document that if you run service iptables restart, you need to send SIGHUP to libvirt to make it recreate its rules.”

The method I have attempted for SIGHUP has been both kill, killall with no success and the laptop has been reported a number of times, which I would guess has the same effect.

$ ps –e | grep “libvirt”
2400 ? 00:00:08 libvirtd
$ kill –HUP 2400

I am sure that it my greenness that is holding me back here and the solution is fairly straight-forward – so if someone who knows could give me a bit of advice it would be very much appreciated.
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:

Topic Options Reply to this topicStart new topicStart Poll