Greetings,

I have 2 VMs on a host that can communicate with other hosts on the system.
The two VMs are connected by a virtsw0 bridge (vm1 and vm2), and one of the VMs
(vm1) has another connection (vnet0) to the host.
It seems that the host can only communicate with the VM that has a direct
connection to it and not the other VM (virtsw0 allows connections between both
VMs).
Here are the rules libvirt creates:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N LIBVIRT_FWI
-N LIBVIRT_FWO
-N LIBVIRT_FWX
-N LIBVIRT_INP
-N LIBVIRT_OUT
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_FWI -o virsw0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -i virsw0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virsw0 -o virsw0 -j ACCEPT
-A LIBVIRT_INP -i virsw0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virsw0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virsw0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virsw0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virsw0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virsw0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virsw0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virsw0 -p tcp -m tcp --dport 68 -j ACCEPT

And here are the stats:
Chain INPUT (policy ACCEPT 17405 packets, 1677K bytes)
 pkts bytes target     prot opt in     out     source               destination
17434 1688K LIBVIRT_INP  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LIBVIRT_FWX  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LIBVIRT_FWI  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LIBVIRT_FWO  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 21058 packets, 3788K bytes)
 pkts bytes target     prot opt in     out     source               destination
21058 3788K LIBVIRT_OUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LIBVIRT_FWI (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      virsw0  0.0.0.0/0            0.0.0.0/0   
         reject-with icmp-port-unreachable

Chain LIBVIRT_FWO (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  virsw0 *       0.0.0.0/0            0.0.0.0/0   
         reject-with icmp-port-unreachable

Chain LIBVIRT_FWX (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  virsw0 virsw0  0.0.0.0/0            0.0.0.0/0

Chain LIBVIRT_INP (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  virsw0 *       0.0.0.0/0            0.0.0.0/0   
         udp dpt:53
    0     0 ACCEPT     tcp  --  virsw0 *       0.0.0.0/0            0.0.0.0/0   
         tcp dpt:53
   29 10608 ACCEPT     udp  --  virsw0 *       0.0.0.0/0            0.0.0.0/0   
         udp dpt:67
    0     0 ACCEPT     tcp  --  virsw0 *       0.0.0.0/0            0.0.0.0/0   
         tcp dpt:67

Chain LIBVIRT_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      virsw0  0.0.0.0/0            0.0.0.0/0   
         udp dpt:53
    0     0 ACCEPT     tcp  --  *      virsw0  0.0.0.0/0            0.0.0.0/0   
         tcp dpt:53
    0     0 ACCEPT     udp  --  *      virsw0  0.0.0.0/0            0.0.0.0/0   
         udp dpt:68
    0     0 ACCEPT     tcp  --  *      virsw0  0.0.0.0/0            0.0.0.0/0   
         tcp dpt:68

Is it possible that I cannot access vm2 from the host because of the rules above?

Thanks,

Dagg
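An added example (not from the post or from libvirt) that walks a packet through the FORWARD rules quoted above, to show which interface pairs the LIBVIRT_FWX/FWI/FWO chains accept or reject; the sample is the FORWARD-related subset of the posted `iptables -S` output, and interface names other than virsw0 (vnet0, eth0) are assumed for illustration.

```python
import shlex
from collections import defaultdict

# Constructed sample: the FORWARD-related subset of the rules quoted in the post.
RULES = """\
-P FORWARD ACCEPT
-N LIBVIRT_FWI
-N LIBVIRT_FWO
-N LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A LIBVIRT_FWI -o virsw0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -i virsw0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virsw0 -o virsw0 -j ACCEPT
"""
# Option -> match key; every option in `iptables -S` output takes exactly one value.
KEYS = {"-i": "in", "-o": "out", "-p": "proto", "--dport": "dport", "-j": "target"}

def parse_rules(text):
    """Parse `iptables -S` lines into (policies, chains); chains maps name -> rule list."""
    policies, chains = {}, defaultdict(list)
    for line in text.splitlines():
        argv = shlex.split(line)
        if argv and argv[0] == "-P":
            policies[argv[1]] = argv[2]
        elif argv and argv[0] == "-N":
            chains[argv[1]]  # register the user-defined chain, initially empty
        elif argv and argv[0] == "-A":
            rule = dict.fromkeys(KEYS.values())
            for opt, val in zip(argv[2::2], argv[3::2]):
                if opt in KEYS:
                    rule[KEYS[opt]] = val
            chains[argv[1]].append(rule)
    return policies, chains

def verdict(chain, pkt, policies, chains):
    """Terminating target for pkt in `chain`; None means implicit RETURN from a user chain."""
    for r in chains[chain]:
        if any(r[k] and r[k] != pkt.get(k) for k in ("in", "out", "proto", "dport")):
            continue  # a set match criterion that the packet does not satisfy
        # Terminal target, or the result of jumping into a user chain (None = RETURN)
        res = verdict(r["target"], pkt, policies, chains) if r["target"] in chains else r["target"]
        if res is not None:
            return res
    return policies.get(chain)  # built-in chains fall back to their policy

def forward_verdict(in_if, out_if, rules=RULES):
    policies, chains = parse_rules(rules)
    return verdict("FORWARD", {"in": in_if, "out": out_if}, policies, chains)
```

Only routed traffic traverses FORWARD; packets the host itself sends go through OUTPUT, which is consistent with the zero FORWARD counters in the stats above.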
