Problems with nwfilters/iptables



Hi all,

I've got a problem with nwfilters/iptables. For one of my guest's
interfaces, I have established the following filter:
--8<---------------cut here---------------start------------->8---
<filter name='p-mgmt' chain='root'>
  <uuid>94fdd15b-b380-ba8c-6685-91206829adc7</uuid>
  <filterref filter='clean-traffic'/>
  <rule action='accept' direction='in' priority='500'>
    <tcp dstportstart='22'/>
  </rule>
  <rule action='drop' direction='inout' priority='1000'>
    <all/>
  </rule>
</filter>
--8<---------------cut here---------------end--------------->8---
The intent is to allow incoming ssh only.

However, ssh from my host to my guest does not work. This is the
relevant iptables excerpt with the filter given as above:
--8<---------------cut here---------------start------------->8---
root:~# iptables -L HI-vnet5
Chain HI-vnet5 (1 references)
target     prot opt source               destination         
RETURN     tcp  --  anywhere             anywhere             tcp spt:ssh state ESTABLISHED ctdir ORIGINAL
DROP       all  --  anywhere             anywhere 
root:~# 
--8<---------------cut here---------------end--------------->8---

The chain relations are: INPUT -> libvirt-host-in -> HI-vnet5.

The interesting thing is: If I insert the same rule again, but with
ctdir reversed, everything works just fine:
--8<---------------cut here---------------start------------->8---
root:~# iptables -I HI-vnet5 1 -p tcp --sport 22 -m state --state ESTABLISHED -m conntrack --ctdir REPLY -j RETURN
root:~# iptables -L HI-vnet5
Chain HI-vnet5 (1 references)
target     prot opt source               destination         
RETURN     tcp  --  anywhere             anywhere             tcp spt:ssh state ESTABLISHED ctdir REPLY
RETURN     tcp  --  anywhere             anywhere             tcp spt:ssh state ESTABLISHED ctdir ORIGINAL
DROP       all  --  anywhere             anywhere            
root:~#
--8<---------------cut here---------------end--------------->8---

I am not an iptables expert, but if my guest's ssh daemon replies to my
host's requests (and thus the packets are traversing my host's INPUT
chain), I would guess that the direction is "REPLY" rather than
"ORIGINAL".

I'm really stuck with this and it would be really great if someone could
clarify things for me!

I'm running Ubuntu 12.04 (kernel 3.2.0-20-generic) coming with libvirt
0.9.8-2ubuntu1.

Best,

Nicolai
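As an added illustration (not part of Nicolai's mail or of libvirt), the following model parses the two `iptables -L HI-vnet5` listings quoted above and evaluates them against a packet that the guest's sshd sends back to the host. Because the host initiated the TCP connection, conntrack classifies the guest's packets as direction REPLY, which is why the `ctdir ORIGINAL` rule never matches and the catch-all DROP wins; the rule names and the chain-end fallback are assumptions of this model.

```python
# Added example, not code from the original mail: a small model of how the
# HI-vnet5 chain evaluates a packet the guest's sshd sends back to the host.
import re

# Constructed copies of the two `iptables -L` listings quoted in the mail
# (iptables -L resolves port 22 to the service name "ssh").
CHAIN_BEFORE = """\
RETURN     tcp  --  anywhere             anywhere             tcp spt:ssh state ESTABLISHED ctdir ORIGINAL
DROP       all  --  anywhere             anywhere
"""
CHAIN_AFTER = """\
RETURN     tcp  --  anywhere             anywhere             tcp spt:ssh state ESTABLISHED ctdir REPLY
RETURN     tcp  --  anywhere             anywhere             tcp spt:ssh state ESTABLISHED ctdir ORIGINAL
DROP       all  --  anywhere             anywhere
"""

# target, proto, opt ("--"), source, destination, then the match options.
RULE_RE = re.compile(r"^(?P<target>\S+)\s+(?P<proto>\S+)\s+--\s+\S+\s+\S+\s*(?P<match>.*)$")

def parse_chain(listing):
    """Turn `iptables -L` rule lines into (target, proto, match_dict) tuples."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        opts, match = m.group("match"), {}
        for key, pattern in (("sport", r"spt:(\S+)"),
                             ("state", r"state (\S+)"),
                             ("ctdir", r"ctdir (\S+)")):
            found = re.search(pattern, opts)
            if found:
                match[key] = found.group(1)
        rules.append((m.group("target"), m.group("proto"), match))
    return rules

def evaluate(rules, packet):
    """Verdict of the first matching rule; RETURN means 'back to the caller'."""
    for target, proto, match in rules:
        if proto != "all" and proto != packet["proto"]:
            continue
        if any(packet.get(k) != v for k, v in match.items()):
            continue
        return target
    return "RETURN"  # assumption: no explicit policy, chain end returns to caller

# Reply segment from the guest's sshd: the host opened the connection, so
# conntrack tags packets flowing guest -> host as direction REPLY.
SSHD_REPLY = {"proto": "tcp", "sport": "ssh", "state": "ESTABLISHED", "ctdir": "REPLY"}
```

Running `evaluate(parse_chain(CHAIN_BEFORE), SSHD_REPLY)` yields `DROP`, while the chain with the inserted `ctdir REPLY` rule yields `RETURN`, reproducing the behaviour described in the mail.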

