
List:       libvir-list
Subject:    Re: [libvirt] default networking issues
From:       "Daniel P. Berrange" <berrange () redhat ! com>
Date:       2008-07-31 8:55:02
Message-ID: 20080731085502.GG23888 () redhat ! com

On Wed, Jul 30, 2008 at 03:44:33PM -0400, Bryan Kearney wrote:
> 
> 
> I think this is the voodoo.
> 
> 1) Add the following lines to /etc/sysconfig/iptables in the OUTPUT 
> chain of the *filter table:

No, no, no no.

> --insert FORWARD --destination 192.168.122.0/255.255.255.0 
> --out-interface virbr0 --match state --state ESTABLISHED,RELATED --jump 
> ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> 
> 2) Restart iptables

Don't do this.

> 3) Restart libvirtd

Don't do this.

> By doing (1), future reboots seem to work. But not doing (3) causes it 
> to appear not to work. Do any of the virt tools do (1) magically for you?

The libvirt default networking capability will automatically set up the
correct iptables rules to allow outbound NAT based connectivity for guest
VMs. If this wasn't working there are two likely causes:

 - You run 'service iptables stop' which blew away the rules libvirt
   added
 - The 'net.ipv4.ip_forward' sysctl has been reset to 0

For the first problem you can do 'service libvirt reload' and it'll 
re-create its iptables rules. For the second problem edit /etc/sysctl.conf
to make sure it's set to '1' and reload the sysctl settings.

Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
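
A check for the two causes listed in the reply above, as an added example that is not part of the original message and is not libvirt's own code. It assumes the virbr0 bridge and 192.168.122.0/24 subnet quoted in the thread, and that the NAT rules appear in iptables-save output as a state ACCEPT out of the bridge plus a MASQUERADE for the subnet; check_nat, explain and both sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example. Bridge and subnet are the ones quoted in the thread.
# check_nat RULES IP_FORWARD
#   RULES: text in iptables-save format; IP_FORWARD: net.ipv4.ip_forward value
# Returns 0 = fine, 1 = NAT rules missing, 2 = forwarding off, 3 = both.
check_nat() {
    _rules=$1; _fwd=$2; _rc=0
    # Replies to guests need an ESTABLISHED/RELATED accept out of virbr0.
    printf '%s\n' "$_rules" | grep -Eq -e \
        '^-A [A-Za-z_]+ .*-o virbr0 .*(ESTABLISHED|RELATED).*-j ACCEPT' || _rc=1
    # Outbound guest traffic needs a MASQUERADE rule for the guest subnet.
    printf '%s\n' "$_rules" | grep -Eq -e \
        '^-A [A-Za-z_]+ .*-s 192\.168\.122\.0/(24|255\.255\.255\.0) .*-j MASQUERADE' || _rc=1
    [ "$_fwd" = 1 ] || _rc=$((_rc + 2))
    return "$_rc"
}

explain() {
    _st=0; check_nat "$1" "$2" || _st=$?
    case $_st in
        0) echo "ok: NAT rules present and forwarding enabled" ;;
        1) echo "NAT rules missing: have libvirt re-create them" ;;
        2) echo "ip_forward is not 1: fix /etc/sysctl.conf and reload sysctl" ;;
        3) echo "NAT rules missing and ip_forward is not 1" ;;
    esac
}

# Constructed samples, not captured from a real host.
RULES_OK='*nat
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
COMMIT'
# Rule set left behind once the host firewall has been stopped.
RULES_FLUSHED='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

explain "$RULES_OK" 1
explain "$RULES_FLUSHED" 1
explain "$RULES_OK" 0
# On a live host (as root):
#   explain "$(iptables-save)" "$(sysctl -n net.ipv4.ip_forward)"
```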
