It seems libvirtd is making these rules. I can restart libvirtd and the rules will show up again.

On Sun, 2017-11-19 at 19:12 +0300, Andrei Borzenkov wrote:
19.11.2017 18:58, Wayne Patton wrote:
I have two NAT networks (192.168.122.0 & 192.168.124.0) set up in KVM with a VM on each network. I can communicate between the VMs only one way and not the other, both ssh and ping. I found that after I reboot, I have iptables rules active even though systemctl status SuSEfirewall2 shows off/disabled.
I can't reproduce it here.
If I flush the rules (iptables -F) then the VMs can communicate both ways like I expect. If I start & stop SuSEfirewall2 then the iptables rules are gone, the same behavior as after I flush the rules.
However on reboot, the iptables rules are active again even though the firewall is disabled. Output below shows the rules after a boot, and the rules after turning the firewall on and off.
How can I disable the rules altogether?
You can find out what creates them.
host:~ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.124.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.124.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             192.168.126.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.126.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
It does not look like anything created by SuSEfirewall (at least, in default configuration).
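To see why the FORWARD chain quoted above lets traffic between the two NAT networks pass in one direction only, here is a first-match simulation of that chain. This is an added example, not code from the thread or from libvirt: `iptables -L` without `-v` hides the interface matches, so the bridge names (virbr0 for 192.168.122.0/24, virbr1 for 192.168.124.0/24) and the `-i`/`-o` matches on each rule are assumptions, and the 192.168.126.0/24 group is left out.

```python
# Added example, not from the thread. The -i/-o bridge matches and the bridge
# names are ASSUMED (virbr0 <-> 192.168.122.0/24, virbr1 <-> 192.168.124.0/24);
# `iptables -L` without -v does not show them. The 192.168.126.0/24 group is omitted.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    target: str
    src: Optional[str] = None               # -s CIDR, None means "anywhere"
    dst: Optional[str] = None               # -d CIDR
    in_if: Optional[str] = None             # -i
    out_if: Optional[str] = None            # -o
    ctstate: Optional[frozenset] = None     # -m conntrack --ctstate

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: str
    ctstate: str                            # NEW, ESTABLISHED or RELATED

def matches(rule: Rule, pkt: Packet) -> bool:
    # Unspecified match fields match anything; every specified one must agree.
    in_net = lambda ip, net: net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net)
    return (in_net(pkt.src, rule.src) and in_net(pkt.dst, rule.dst)
            and rule.in_if in (None, pkt.in_if) and rule.out_if in (None, pkt.out_if)
            and (rule.ctstate is None or pkt.ctstate in rule.ctstate))

def libvirt_group(net: str, br: str) -> list:
    est = frozenset({"RELATED", "ESTABLISHED"})
    return [Rule("ACCEPT", dst=net, out_if=br, ctstate=est),  # replies back into the network
            Rule("ACCEPT", src=net, in_if=br),                # anything leaving the network
            Rule("ACCEPT", in_if=br, out_if=br),              # VM to VM on the same bridge
            Rule("REJECT", out_if=br),                        # everything else going in
            Rule("REJECT", in_if=br)]                         # everything else going out

# Same group order as the quoted output: the 192.168.124.0/24 group comes first.
FORWARD = libvirt_group("192.168.124.0/24", "virbr1") + libvirt_group("192.168.122.0/24", "virbr0")

def verdict(chain: list, pkt: Packet, policy: str = "ACCEPT") -> str:
    # First matching rule decides; otherwise the chain policy applies.
    return next((r.target for r in chain if matches(r, pkt)), policy)

# Constructed packets: a new connection in each direction, then the reply to the accepted one.
from_122 = Packet("192.168.122.10", "192.168.124.10", "virbr0", "virbr1", "NEW")
from_124 = Packet("192.168.124.10", "192.168.122.10", "virbr1", "virbr0", "NEW")
reply_to_124 = Packet("192.168.122.10", "192.168.124.10", "virbr0", "virbr1", "ESTABLISHED")
```

`verdict(FORWARD, from_122)` hits the first group's `REJECT -o virbr1` before the second group's `ACCEPT -s 192.168.122.0/24` is ever reached, while `from_124` is accepted by the first group's second rule and its replies by the first rule's RELATED,ESTABLISHED match, which is exactly the one-way behaviour described in the thread.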