[opensuse-factory] iptables active while SuSEfirewall2 is stopped/disabled?

I have two NAT networks (192.168.122.0 & 192.168.124.0) set up in KVM with a VM on each network. I can communicate between the VMs only one way and not the other, both ssh and ping. I found that after I reboot, I have iptables rules active even though systemctl status SuSEfirewall2 shows off/disabled. If I flush the rules (iptables -F) then the VMs can communicate both ways like I expect. If I start & stop SuSEfirewall2 then the iptables rules are gone, the same behavior as after I flush the rules. However on reboot, the iptables rules are active again even though the firewall is disabled. Output below shows the rules after a boot, and the rules after turning the firewall on and off. How can I disable the rules altogether?

host:~ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.124.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.124.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             192.168.126.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.126.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

host:~ # systemctl status SuSEfirewall2
● SuSEfirewall2.service - SuSEfirewall2 phase 2
   Loaded: loaded (/usr/lib/systemd/system/SuSEfirewall2.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
host:~ # systemctl start SuSEfirewall2
host:~ # systemctl stop SuSEfirewall2
host:~ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
yoda:~ #

19.11.2017 18:58, Wayne Patton wrote:
I can't reproduce it here.
You can find out what creates them.
It does not look like anything created by SuSEfirewall (at least, in default configuration).
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

OK I found a way around it . . . I created a hook script: /etc/libvirt/hooks/network with the contents of:

#!/bin/bash
/usr/sbin/iptables -F

It removes the iptables rules when libvirtd starts. If someone has a better idea, I am certainly open to it.

Wayne

On Sun, 2017-11-19 at 19:12 +0300, Andrei Borzenkov wrote:

Wayne Patton wrote:
Try to understand what libvirt is doing and why: https://libvirt.org/formatnwfilter.html
IMHO it's a set of pretty powerful security features.

Ciao, Michael.
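An added example, not the poster's script and not libvirt's own code: a narrower /etc/libvirt/hooks/network that, instead of flushing the whole filter table (which also drops the REJECT rules libvirt uses to isolate every other NAT network, such as the 192.168.126.0/24 block in the listing), inserts a single ACCEPT pair between the two networks from the thread. It assumes libvirt's documented hook calling convention (network <name> <operation> <sub-op> -, with "started" fired after that network's rules are in place) and that each network's rules land ahead of the existing ones in FORWARD, which is what the reverse order in the listing above suggests; the IPTABLES variable is a hypothetical override for dry runs.

```shell
#!/bin/sh
# Added example of a narrower /etc/libvirt/hooks/network (not the poster's
# script): instead of `iptables -F`, which also drops libvirt's REJECT rules
# isolating every other NAT network, insert one ACCEPT pair between the two
# networks from the thread and leave everything else alone.
# libvirt calls the hook as: network <name> <operation> <sub-op> -
# with the network XML on stdin; "started" fires after libvirt's own rules
# for that network have been inserted at the top of FORWARD.

IPTABLES="${IPTABLES:-/usr/sbin/iptables}"   # hypothetical override for dry runs
NET_A="192.168.122.0/24"
NET_B="192.168.124.0/24"

# Rule specification (chain + match + target) for one direction.
rule_spec() {
    printf 'FORWARD -s %s -d %s -j ACCEPT' "$1" "$2"
}

# Delete every existing copy of the rule, then insert a single copy at
# position 1. Because libvirt puts each network's block ahead of the
# existing FORWARD rules when that network starts, a copy left from an
# earlier start may now sit below a newer REJECT and never match;
# re-inserting restores precedence without touching libvirt's rules.
reinsert_rule() {
    spec=$(rule_spec "$1" "$2")
    # shellcheck disable=SC2086  # word-splitting $spec is intended
    while "$IPTABLES" -D $spec 2>/dev/null; do :; done
    "$IPTABLES" -I $spec
}

# Entry point: $1 network name, $2 operation, $3 sub-operation.
libvirt_network_hook() {
    case "$2" in
        started)
            reinsert_rule "$NET_A" "$NET_B"
            reinsert_rule "$NET_B" "$NET_A"
            ;;
    esac
    return 0
}

# libvirt always passes four arguments; when sourced or run bare, do nothing.
if [ $# -ge 3 ]; then
    libvirt_network_hook "$@"
fi
```

Leaving libvirt's INPUT and REJECT rules in place keeps dnsmasq reachable only from the bridges and keeps the third network isolated, which `iptables -F` silently gives up.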
