Mailinglist Archive: opensuse-factory (765 mails)

Re: [opensuse-factory] iptables active while SuSEfirewall2 is stopped/disabled?
OK, I found a way around it... I created a hook script, /etc/libvirt/hooks/network, with the contents of:

#!/bin/bash
# Run by libvirt on every network hook event; flush all rules in the
# filter table (INPUT, FORWARD and OUTPUT chains).
/usr/sbin/iptables -F

It removes the iptables rules when libvirtd starts.

If someone has a better idea, I am certainly open to it.

Wayne




On Sun, 2017-11-19 at 19:12 +0300, Andrei Borzenkov wrote:
> 19.11.2017 18:58, Wayne Patton wrote:
>> I have two NAT networks (192.168.122.0 & 192.168.124.0) set up in KVM
>> with a VM on each network. I can communicate between the VMs only one
>> way and not the other, both ssh and ping. I found that after I reboot,
>> I have iptables rules active even though systemctl status SuSEfirewall2
>> shows off/disabled.
>
> I can't reproduce it here.
>
>> If I flush the rules (iptables -F) then the VMs can communicate both
>> ways like I expect. If I start & stop SuSEfirewall2 then the iptables
>> rules are gone, the same behavior as after I flush the rules.
>>
>> However on reboot, the iptables rules are active again even though the
>> firewall is disabled. Output below shows the rules after a boot, and
>> the rules after turning the firewall on and off.
>>
>> How can I disable the rules altogether?
>
> You can find out what creates them.
>
>> host:~ # iptables -L
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>> ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
>> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
>> ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
>> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
>> ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
>> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
>> ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
>> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
>> ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
>> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
>> ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
>> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
>>
>> Chain FORWARD (policy ACCEPT)
>> target     prot opt source               destination
>> ACCEPT     all  --  anywhere             192.168.124.0/24     ctstate RELATED,ESTABLISHED
>> ACCEPT     all  --  192.168.124.0/24     anywhere
>> ACCEPT     all  --  anywhere             anywhere
>> REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
>> REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
>> ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
>> ACCEPT     all  --  192.168.122.0/24     anywhere
>> ACCEPT     all  --  anywhere             anywhere
>> REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
>> REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
>> ACCEPT     all  --  anywhere             192.168.126.0/24     ctstate RELATED,ESTABLISHED
>> ACCEPT     all  --  192.168.126.0/24     anywhere
>> ACCEPT     all  --  anywhere             anywhere
>> REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
>> REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>> ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
>> ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
>> ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
>
> It does not look like anything created by SuSEfirewall (at least, in
> default configuration).
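Wayne's hook script runs "iptables -F" on every libvirt network hook event, which empties the whole filter table, including any rules the host relies on for its own protection, while leaving libvirt's nat-table rules in place. The listing in the thread shows why only one direction works: each NAT network contributes an ACCEPT for traffic entering from its own subnet, an ACCEPT for RELATED,ESTABLISHED replies to it, and then two unconditional REJECTs, so a NEW connection coming from the second network is rejected by the first network's REJECT before its own ACCEPT is reached. The script below is an added example, not Wayne's script and not libvirt code: a narrower /etc/libvirt/hooks/network that inserts two explicit FORWARD accepts between the two bridges ahead of those REJECTs when a network starts, and removes them when it stops. It assumes (the thread does not say) that the 192.168.122.0/24 network is named "default" on virbr0, the 192.168.124.0/24 network is named "nat124" on virbr1, and that iptables lives at /usr/sbin/iptables; libvirt invokes the hook as "network <name> <operation> <sub-operation> -".

```shell
#!/bin/sh
# Added example hook for /etc/libvirt/hooks/network (not from the thread).
# Instead of flushing the filter table, allow forwarding only between the
# two NAT bridges, above libvirt's own "-o virbrN -j REJECT" rules.
#
# Assumed names (override via environment if they differ):
IPTABLES=${IPTABLES:-/usr/sbin/iptables}
NET_A=${NET_A:-default};  BRIDGE_A=${BRIDGE_A:-virbr0}   # 192.168.122.0/24
NET_B=${NET_B:-nat124};   BRIDGE_B=${BRIDGE_B:-virbr1}   # 192.168.124.0/24

# Rule specification for one direction: ingress bridge $1 to egress bridge $2.
forward_rule() {
    printf 'FORWARD -i %s -o %s -j ACCEPT' "$1" "$2"
}

# Act only on the two networks we bridge together, and only when libvirt
# reports them as started or stopped ("start" fires before the network and
# its rules exist). Returns 0 to act, 1 to ignore.
should_apply() {
    net=$1 op=$2
    case "$net" in
        "$NET_A"|"$NET_B") ;;
        *) return 1 ;;
    esac
    case "$op" in
        started|stopped) return 0 ;;
        *) return 1 ;;
    esac
}

# Insert the rule at position 1 of FORWARD unless it is already present,
# so repeated "started" events do not pile up duplicates.
ensure_rule() {
    rule=$1
    # shellcheck disable=SC2086   # word-splitting the rule spec is intended
    $IPTABLES -C $rule 2>/dev/null || $IPTABLES -I FORWARD 1 ${rule#FORWARD }
}

# Delete the rule; a missing rule is not an error here.
remove_rule() {
    rule=$1
    # shellcheck disable=SC2086
    $IPTABLES -D $rule 2>/dev/null || true
}

hook_main() {
    net=$1 op=$2
    should_apply "$net" "$op" || return 0
    for rule in "$(forward_rule "$BRIDGE_A" "$BRIDGE_B")" \
                "$(forward_rule "$BRIDGE_B" "$BRIDGE_A")"; do
        case "$op" in
            started) ensure_rule "$rule" ;;
            stopped) remove_rule "$rule" ;;
        esac
        logger -t libvirt-hook "network $net $op: $rule"
    done
}

# libvirt always passes arguments; with none (e.g. when sourced) do nothing.
if [ $# -ge 2 ]; then
    hook_main "$@"
fi
```

Because "iptables -L" omits interface matches, "iptables -S FORWARD" is the quicker way to confirm that rules like these carry "-i virbrN" / "-o virbrN" and therefore belong to libvirt's NAT networks rather than to SuSEfirewall2; that is also what tells you the hook's inserted rules landed above the REJECTs.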