[Users] default packet filtering rules on openvz7
Konstantin Khorenko
khorenko at virtuozzo.com
Fri Mar 13 11:16:37 MSK 2020
On 03/11/2020 09:08 PM, Dmitry Konstantinov wrote:
> firewalld is disabled. That's among the very first things I do on
> servers. Search for 'virbr' and 'FORWARD' under /etc /usr /var
> /opt (find /$path -type f -print0 | xargs -0 grep -i virbr) doesn't
> return anything that might set up these rules.
Well, i've wrapped "iptables" and checked who calls it and it's libvirtd (if firewalld is disabled).
Example:
1794 ? Ssl 0:00 /usr/sbin/libvirtd
2117 ? S 0:00 \_ /bin/bash /usr/sbin/iptables -w --table filter --insert OUTPUT --out-interface virbr0 --protocol udp --destination-port 68 --jump ACCEPT
virbr0 - is managed by libvirtd, so the daemon configures its interface.
i'm not a libvirtd guru, so not sure where to check and correct configuration.
--
Best regards,
Konstantin Khorenko,
Virtuozzo Linux Kernel Team
> On Wed, 11 Mar 2020 17:22:03 +0300
> Konstantin Khorenko <khorenko at virtuozzo.com> wrote:
>
>> On 03/09/2020 04:12 PM, Dmitry Konstantinov wrote:
>>> Hello,
>>>
>>> I've noticed that after a fresh install I have few filtering rules
>>> that I do not need and would like to get rid of:
>>>
>>>
>>> [root at localhost ~]# iptables -n -L -v
>>> Chain INPUT (policy ACCEPT 2353 packets, 161K bytes) pkts bytes
>>> target prot opt in out source destination
>>> 0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
>>> 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
>>> 0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
>>> 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
>>>
>>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>> pkts bytes target prot opt in out source
>>> destination
>>> 0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
>>> 0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with
>>> icmp-port-unreachable 0 0 REJECT all -- virbr0 * 0.0.0.0/0
>>> 0.0.0.0/0 reject-with icmp-port-unreachable
>>>
>>> Chain OUTPUT (policy ACCEPT 1547 packets, 356K bytes)
>>> pkts bytes target prot opt in out source
>>> destination
>>> 0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68
>>> [root at localhost ~]#
>>>
>>> I failed to find anything that adds these rules. Is it hardcoded? If
>>> not, how do I disable them without writing a script to flush
>>> iptables?
>>
>> Hi,
>>
>> i guess rules are created upon firewalld configuration.
>>
>> > not, how do I disable them without writing a script to flush
>> > iptables?
>> may be just disable firewalld service.
>>
>> --
>> Best regards,
>>
>> Konstantin Khorenko,
>> Virtuozzo Linux Kernel Team
>> _______________________________________________
>> Users mailing list
>> Users at openvz.org
>> https://lists.openvz.org/mailman/listinfo/users
>
> _______________________________________________
> Users mailing list
> Users at openvz.org
> https://lists.openvz.org/mailman/listinfo/users
> .
>
More information about the Users
mailing list