How to add firewall rules at chain start, in CentOS with libvirt and iptables?

Question

With this /etc/sysconfig/iptables:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j ACCEPT -s 192.168.3.0/24 -d 10.0.0.0/24
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

My FORWARD chain looks like this:

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  192.168.3.0/24       10.0.0.0/24

Now when I start libvirtd FORWARD chain looks like this:

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             10.0.0.0/24          ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.0.0.0/24          anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  192.168.3.0/24       10.0.0.0/24

As you can see my rule for 192.168.3.0/24 went after the REJECT.

How do I place the rule for 192.168.3.0/24 in front of REJECT?

score 0 · Answer 1 · answered Oct 17 '17 at 16:44

0

-A is for Append and -I is for insert at the start of the rule list

answered Oct 17 '17 at 16:44

DevOps

720
5
16

1

Absolutely right, but as iptables is started before libvirt it makes no difference. I guess I should insert a rule for 192.168.0.0/24 via libvirt. – Ulrich-Lorenz Schlüter Oct 17 '17 at 17:08
You could change the start order no ? – DevOps Oct 18 '17 at 07:23

Ulrich-Lorenz Schlüter · Accepted Answer · 2017-10-20T09:36:24.343

I finally used a libvirt network script hook to solve my problem: libvirt script hook

# cat /etc/libvirt/hooks/network 

#!/bin/bash

NAME=$1
TASK=$2
IPTABLES=/usr/sbin/iptables

if [ $NAME = "default" ] ;then
  case "$TASK" in 
  # hook is called with <network_name> started begin -
  started)
      $IPTABLES -I FORWARD -s 192.168.3.0/24 -d 10.0.0.0/24 -j ACCEPT
  ;;
  # hook is called with <network_name> stopped end -
  stopped)
      $IPTABLES -D FORWARD -s 192.168.3.0/24 -d 10.0.0.0/24 -j ACCEPT
  ;;
  *)
      echo "qemu hook called with unexpected options $*" >&2
  ;;
  esac
fi

Now my rule appears first. The way I would prefer most is via this: libvirt nwfilter But I can't get it working.

How to add firewall rules at chain start, in CentOS with libvirt and iptables?

2 Answers2