libvirt + host firewall problem

Support for security such as Firewalls and securing linux
Post Reply
Posts: 1
Joined: 2015/01/21 07:34:44

libvirt + host firewall problem

Post by brokensystem » 2015/01/21 07:46:42

I'm using libvirt with kvm and that works great. My desire is to lock down the host system using a host firewall. Up to today I always used shorewall as my iptables mangement utility of choice. But this conflicts with libvirt's iptables management. I used libvirt to configure NAT for kvm guests. Libvirt sets up MASQ for that using iptables which works fine. But as soon as shorewall starts, it flushes the iptables and sets them up according to the configuration made in the shorewall files. What I then tried is to "translate" all libvirt iptables rules into shorewall to prevent losing functionality. But this works only partly and is an ugly hack anyway. As soon as I change the network config with libvirt for a guest, I have to make changes to shorewall as well.
So what would be the proper way to both secure the host system as well as using libvirt to manage the network of the kvm guests? Is libvirt coupled with firewalld in the CentOS world?

User avatar
Site Admin
Posts: 33038
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: libvirt + host firewall problem

Post by TrevorH » 2015/01/21 09:02:34

Is libvirt coupled with firewalld in the CentOS world?
I believe it is.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

User avatar
Super Jamie
Posts: 310
Joined: 2014/01/10 23:44:51

Re: libvirt + host firewall problem

Post by Super Jamie » 2015/01/21 22:51:28

This is the exact sort of problem firewalld is designed to solve. It acts as a "state machine" for iptables and manages all the underlying complex iptables config without losing any connection tracking or allowing one management method to overwrite the rules of another.

When we introduce another management method like Shorewall, we remove the advantage which firewalld provides, and end up back where we were in EL6.

I've been running EL6 with iptables and libvirt for years. I don't allow libvirt to manage any firewalling or network interfaces, I add the NAT rules into iptables myself manually.

I originally found the correct iptables "translation" by flushing all rules (iptables -F) then applying NAT in virt-manager, then running iptables-save to generate the actual iptables commands I needed. I then integrated these new rules into my regular firewall config.

Post Reply