
I am researching LXC containers. When I do veth network, libvirtd creates some iptables rules:

[root@VM ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 61 packets, 6229 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            10.0.0.0/24          ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 *       10.0.0.0/24          0.0.0.0/0           
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 34 packets, 4693 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68

and NAT:

[root@VM ~]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 5 packets, 812 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 5 packets, 812 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1 packets, 72 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 1 packets, 72 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       10.0.0.0/24          224.0.0.0/24        
    0     0 RETURN     all  --  *      *       10.0.0.0/24          255.255.255.255     
    0     0 MASQUERADE  tcp  --  *      *       10.0.0.0/24         !10.0.0.0/24          masq ports: 1024-65535
    0     0 MASQUERADE  udp  --  *      *       10.0.0.0/24         !10.0.0.0/24          masq ports: 1024-65535
    0     0 MASQUERADE  all  --  *      *       10.0.0.0/24         !10.0.0.0/24         

I know I can forward a port in the following way:

iptables -t nat -A PREROUTING -p tcp -i enp0s3 --dport 81 -j DNAT --to-destination 10.0.0.10:22

iptables -I FORWARD -p tcp -d 10.0.0.10 --dport 22 -j ACCEPT

The important thing is that I need to insert the second rule at the top of the chain.

I am wondering how to do this port forwarding in the "standard" way. I tried using a hook, but the hook was never called.

I tried the hook as:

  • /etc/libvirt/hooks/qemu
  • /etc/libvirt/hooks/lxc
  • /etc/libvirt/hook/qemu
  • /etc/libvirt/hook/lxc
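Added example (not part of the question or any answer): a hook script of the kind libvirt documents, which it invokes as <guest-name> <operation> <sub-operation> <extra>. It installs the question's two rules when the guest starts, with the FORWARD rule inserted at position 1 so it sits above libvirt's REJECT rules, and removes them when the guest stops; the guest name mycontainer and the forward_spec table are assumptions. The installed copy goes in /etc/libvirt/hooks/lxc (or .../qemu), must be executable, and libvirtd must be restarted afterwards because it only looks for hook scripts when it starts.

```sh
#!/bin/sh
# Hypothetical libvirt hook script (added example). libvirt invokes hook scripts as
#   <script> <guest-name> <operation> <sub-operation> <extra>
# Install as an executable /etc/libvirt/hooks/lxc (or .../qemu) and restart libvirtd.
IPTABLES="${IPTABLES:-iptables}"   # command to run; overridable for dry runs/tests

# Assumed guest -> "ext-iface host-port guest-ip guest-port" table (values from the question).
forward_spec() {
    case "$1" in
        mycontainer) echo "enp0s3 81 10.0.0.10 22" ;;
        *) return 1 ;;
    esac
}
# Rule bodies without chain/position so the same text serves -C, -I and -D.
dnat_rule()    { echo "-i $1 -p tcp --dport $2 -j DNAT --to-destination $3:$4"; }
# Tightened slightly versus the question: only traffic heading into the bridge is accepted.
forward_rule() { echo "-o virbr0 -p tcp -d $3 --dport $4 -j ACCEPT"; }

# ensure_rule add|del <table> <chain> <rule...>: probe with -C first so repeated hook
# calls never stack duplicate rules; adds go to position 1, above libvirt's REJECT rules.
ensure_rule() {
    act=$1; tbl=$2; chain=$3; shift 3
    if [ "$act" = add ]; then
        $IPTABLES -t "$tbl" -C "$chain" "$@" 2>/dev/null || $IPTABLES -t "$tbl" -I "$chain" 1 "$@"
    else
        ! $IPTABLES -t "$tbl" -C "$chain" "$@" 2>/dev/null || $IPTABLES -t "$tbl" -D "$chain" "$@"
    fi
}
# apply_rules add|del <guest>; a non-zero exit on add makes libvirt abort the guest start.
apply_rules() {
    spec=$(forward_spec "$2") || return 0      # no mapping for this guest: nothing to do
    set -- "$1" $spec                          # $1=action $2=iface $3=host-port $4=ip $5=guest-port
    ensure_rule "$1" nat PREROUTING $(dnat_rule "$2" "$3" "$4" "$5") &&
        ensure_rule "$1" filter FORWARD $(forward_rule "$2" "$3" "$4" "$5")
}
# Map libvirt's operation/sub-operation pair to an action; everything else is ignored.
hook_action() {
    case "$1/$2" in
        start/begin) echo add ;;
        stopped/end) echo del ;;
        *)           return 1 ;;
    esac
}

# Dispatch only when actually invoked by libvirt (guest name and operation present).
if [ "$#" -ge 2 ]; then
    if action=$(hook_action "$2" "$3"); then
        apply_rules "$action" "$1"
    fi
fi
```

Setting IPTABLES=echo before running the script by hand prints the commands it would issue without touching the firewall.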
