[Users] default packet filtering rules on openvz7

Konstantin Khorenko khorenko at virtuozzo.com
Fri Mar 13 11:16:37 MSK 2020


On 03/11/2020 09:08 PM, Dmitry Konstantinov wrote:
> firewalld is disabled. That's among the very first things I do on
> servers. Search for 'virbr' and 'FORWARD' under /etc /usr /var
> /opt (find /$path -type f -print0 | xargs -0 grep -i virbr) doesn't
> return anything that might set up these rules.

Well, I've wrapped "iptables" and checked who calls it, and it's libvirtd (if firewalld is disabled).
Example:
    1794 ?        Ssl    0:00 /usr/sbin/libvirtd
    2117 ?        S      0:00  \_ /bin/bash /usr/sbin/iptables -w --table filter --insert OUTPUT --out-interface virbr0 --protocol udp --destination-port 68 --jump ACCEPT

virbr0 is managed by libvirtd, so the daemon configures its interface.

I'm not a libvirtd guru, so I'm not sure where to check and correct the configuration.

--
Best regards,

Konstantin Khorenko,
Virtuozzo Linux Kernel Team

> On Wed, 11 Mar 2020 17:22:03 +0300
> Konstantin Khorenko <khorenko at virtuozzo.com> wrote:
>
>> On 03/09/2020 04:12 PM, Dmitry Konstantinov wrote:
>>> Hello,
>>>
>>> I've noticed that after a fresh install I have few filtering rules
>>> that I do not need and would like to get rid of:
>>>
>>>
>>> [root at localhost ~]# iptables -n -L -v
>>> Chain INPUT (policy ACCEPT 2353 packets, 161K bytes)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>     0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
>>>     0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
>>>     0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
>>>     0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
>>>
>>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>     0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
>>>     0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
>>>     0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
>>>
>>> Chain OUTPUT (policy ACCEPT 1547 packets, 356K bytes)
>>>  pkts bytes target     prot opt in     out     source               destination
>>>     0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68
>>> [root at localhost ~]#
>>>
>>> I failed to find anything that adds these rules. Is it hardcoded? If
>>> not, how do I disable them without writing a script to flush
>>> iptables?
>>
>> Hi,
>>
>> I guess rules are created upon firewalld configuration.
>>
>>  > not, how do I disable them without writing a script to flush
>>  > iptables?
>> Maybe just disable the firewalld service.
>>
>> --
>> Best regards,
>>
>> Konstantin Khorenko,
>> Virtuozzo Linux Kernel Team
>> _______________________________________________
>> Users mailing list
>> Users at openvz.org
>> https://lists.openvz.org/mailman/listinfo/users
>

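The iptables wrapper Konstantin describes above, as an added example that is not part of the thread: it records the calling process chain and the arguments, then execs the real binary. It assumes placeholder paths (real binary moved to /usr/sbin/iptables.real, log at /var/log/iptables-callers.log), neither of which comes from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): a logging wrapper installed in place of
# /usr/sbin/iptables. Assumed paths: the real binary moved to
# /usr/sbin/iptables.real, records appended to /var/log/iptables-callers.log.
REAL_IPTABLES="${REAL_IPTABLES:-/usr/sbin/iptables.real}"
CALLER_LOG="${CALLER_LOG:-/var/log/iptables-callers.log}"

# Walk up from a pid through /proc, printing "pid:cmdline <- ppid:cmdline ...".
# Stops at pid 1 or at the first process whose cmdline cannot be read.
caller_chain() {
    pid="$1"
    chain=""
    while [ "$pid" -gt 1 ] 2>/dev/null && [ -r "/proc/$pid/cmdline" ]; do
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" | sed 's/ $//')
        chain="${chain}${pid}:${cmd} <- "
        pid=$(awk '/^PPid:/ { print $2 }' "/proc/$pid/status" 2>/dev/null)
    done
    printf '%s\n' "${chain% <- }"
}

# One log record: timestamp, the calling chain, the iptables arguments.
log_line() {
    printf '%s caller=[%s] args=[%s]\n' "$(date '+%F %T')" "$1" "$2"
}

# Record who invoked us, then hand the call to the real binary unchanged so
# libvirtd (or whatever else calls iptables) keeps working while the log fills.
main() {
    log_line "$(caller_chain "$PPID")" "$*" >> "$CALLER_LOG"
    exec "$REAL_IPTABLES" "$@"
}

# Only act as the wrapper when the real binary is actually in place.
if [ -x "$REAL_IPTABLES" ]; then
    main "$@"
fi
```

With libvirtd as the caller, a record looks like `2117:/bin/bash /usr/sbin/iptables ... <- 1794:/usr/sbin/libvirtd`, which is the same parentage the ps output above shows.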
