Page 2 of 3 (results 11 to 20 of 27)

Thread: virt-manager networking without iptables binary?

  1. #11
    Join Date
    Aug 2016
    Location
    Wandering
    Beans
    Hidden!
    Distro
    Xubuntu Development Release

    Re: virt-manager networking without iptables binary?

    firewalld and the virtual network driver

    If firewalld is active on the host, libvirt will attempt to place the bridge interface of a libvirt virtual network into the firewalld zone named "libvirt" (thus making all guest->host traffic on that network subject to the rules of the "libvirt" zone). This is done because, if firewalld is using its nftables backend (available since firewalld 0.6.0) the default firewalld zone (which would be used if libvirt didn't explicitly set the zone) prevents forwarding traffic from guests through the bridge, as well as preventing DHCP, DNS, and most other traffic from guests to host. The zone named "libvirt" is installed into the firewalld configuration by libvirt (not by firewalld), and allows forwarded traffic through the bridge as well as DHCP, DNS, TFTP, and SSH traffic to the host - depending on firewalld's backend this will be implemented via either iptables or nftables rules. libvirt's own rules outlined above will *always* be iptables rules regardless of which backend is in use by firewalld.
    Source: https://libvirt.org/firewall.html#fi...network-driver

    Mine are very basic on this set-up:
    Code:
    virsh nwfilter-list
     UUID                                   Name
    -----------------------------------------------------------------
     606d786b-10b0-4b1b-98f5-5dea9326ae97   allow-arp
     a7746631-2e20-46b3-86bc-b4c5fe4a1208   allow-dhcp
     d6588fc2-7874-4fb1-9ffd-17f94237e344   allow-dhcp-server
     7bb6a34e-6bb1-49e1-9f41-3adb75c2fb00   allow-dhcpv6
     e94b5dba-bff1-404b-9170-0631d5d84739   allow-dhcpv6-server
     9f479bf2-a47e-43cd-a784-870d202809c1   allow-incoming-ipv4
     43a2ca94-f098-472e-9a33-051e225bd885   allow-incoming-ipv6
     6aff8004-39c2-4205-a159-8f002484cff1   allow-ipv4
     fe48d5f0-07eb-4e98-bfb6-2985489b7ace   allow-ipv6
     4847be07-2989-4eaa-90e8-51cc39c66c17   clean-traffic
     75d7b236-d527-45fd-9413-977f8e242bf6   clean-traffic-gateway
     a4a834c7-a867-4473-a517-bc6e77897c7a   no-arp-ip-spoofing
     8bb99a08-63e1-4b48-b999-32ba9844f642   no-arp-mac-spoofing
     efeed4c9-0534-4c86-b428-b94b7d4e8b88   no-arp-spoofing
     0f98375e-de17-4c97-a0ad-daf79837aa1a   no-ip-multicast
     d51bb497-5596-41f8-b5ef-cafc740a14b9   no-ip-spoofing
     3c5f7c58-7e35-4c37-b943-02e7fd9102f0   no-ipv6-multicast
     a65c5c5a-6364-4935-b9fa-94415e9995eb   no-ipv6-spoofing
     3daac86c-d45b-4583-a670-a4932d8711ca   no-mac-broadcast
     111a1ae2-2e2d-4696-970c-cb675198d3ee   no-mac-spoofing
     f2a7c870-2c7d-4f46-ad37-d83308af4f44   no-other-l2-traffic
     62e36467-17c3-4b1f-809f-89a361842d27   no-other-rarp-traffic
     dab30a8f-4ad2-4784-8f47-70dc5f6a25a0   qemu-announce-self
     b96ed81f-117a-430d-9181-ac33b7c3a70f   qemu-announce-self-rarp
    From the host.
    Last edited by 1fallen; February 26th, 2024 at 12:25 AM.
    With realization of one's own potential and self-confidence in one's ability, one can build a better world.
    Dalai Lama
    Code Tags | System-info | Forum Guide lines | Arch Linux, Debian Unstable, FreeBSD

  2. #12
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: virt-manager networking without iptables binary?

    Quote Originally Posted by halogen2 View Post
    Ugh. That explains it, thanks. Unfortunately neither the test host nor the future production host are physically located where a wired Internet connection is available, and changing this isn't feasible.
    • Powerline Networking
    • MoCA Networking
    I use PowerLine to connect different floors, but if I were doing it today, I'd go with 2.5Gbps MoCA instead. MoCA gets the rated bandwidth if it works. PowerLine for me was 1/10th the advertised speed on the box. I did lots of tests around the house to see it degrade. https://blog.jdpfu.com/2015/08/27/po...ernet-adapters Nobody even gets 50% of the marketing number on the box. That's fine. It is still better than wifi, since almost anything is better than any RF signaling.

    Actually, I could use a MoCA setup with 3 nodes to replace the powerline setup that is almost 10 yrs old now. Too many hobbies being worked right now, so it will need to wait for a trial. MoCA has lots of little issues, so be certain to read up on those in general and for the specific models you consider. Read that 1 of the sets didn't have a factory reset button and certain settings were stuck due to that. That was a few years ago. It should be long fixed. Powerline has issues too, but if it works, it is basically like a slow ethernet bridge and devices don't see it besides the slower connection.

    It should be obvious, but we are using existing house wiring for both these non-CAT5e+ connections. If your house isn't wired with COAX or electrical plugs in the desired locations, then that would make using one or both less than useful. My house has COAX to almost every room that isn't a bathroom or closet. Not all the COAX is connected anywhere. The terminal is outside in the demarcation used by the cable company, so I'd need to ensure the different COAX lines for my network are connected to the distribution switch there.

  3. #13
    Join Date
    Jun 2016
    Beans
    2,831
    Distro
    Xubuntu

    Re: virt-manager networking without iptables binary?

    Quote Originally Posted by halogen2 View Post
    I was able to work around the error with sudo iptables -L -v by renaming my firewall table to something other than filter, which causes iptables to report an empty firewall (nft still reports all rules). However, virt-manager continues to throw this same error dialog even after the rename and sudo iptables -L -v is working.
    Well that was strange. Setting this up on the production host, the nftables table rename does completely solve the problem there, virt-manager is able to use iptables-nft no problem, and the VM can get internet access with NAT network. Thanks The Cog for your advice!

    Still wondering about this though:
    Quote Originally Posted by halogen2 View Post
    the Open network appears to be working as host-only networking, solving one of the 3 issues. How can I prove this network is really isolated to host-only, and not just not configured for available Internet or LAN access?
    How does this differ from Isolated network, which description matches the way the Open network appears to function?

    Quote Originally Posted by TheFu View Post
    • Powerline Networking
    • MoCA Networking

    ...
    If your house isn't wired with COAX or electrical plugs in the desired locations, then that would make using one or both less than useful.
    No accessible coax cables or extra plugs in this location, but good to know about those options; I was not aware of them. Thanks for the info.
    Last edited by halogen2; February 26th, 2024 at 11:43 PM.
    Xubuntu 22.04, ArchLinux ♦ System76 hardware, virt-manager/KVM, VirtualBox
    When your questions are resolved to your satisfaction, please use Thread Tools > "Mark this thread as solved..."

  4. #14
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: virt-manager networking without iptables binary?

    I'm struggling to understand what the difference is between NAT and bridged if you are going to open ports to the guest. Firewalls can run inside the VM and do any firewalling like a physical host provides. I run my VPN server inside a VM guest to take advantage of this.

    If you just want to run 1 network service inside a protected area, perhaps a Linux Container would be a better choice? Containers use 1/10th (or less) the overhead that a full VM uses. If you use Docker, forwarding 1 port into the container is normal. If you use LXC/LXD, you can treat it like a VM, just without a firewall. Containers shouldn't be run with elevated privileges, so they shouldn't be able to run a firewall unless someone screwed up (cough docker). Running a container with privilege sorta defeats 99% of the security that Linux Containers provide by running as nobody users.

  5. #15
    Join Date
    Jun 2016
    Beans
    2,831
    Distro
    Xubuntu

    Re: virt-manager networking without iptables binary?

    Quote Originally Posted by TheFu View Post
    I'm struggling to understand what the difference is between NAT and bridged if you are going to open ports to the guest.
    99% of the time I use a guest with open ports, I only want the host and/or specific other guests to be able to access the open ports. It's simpler, and potentially less attack surface, to use a networking setup that "just has" this isolation than to effect it using guest firewall rules.

  6. #16
    Join Date
    Jun 2016
    Beans
    2,831
    Distro
    Xubuntu

    Re: virt-manager networking without iptables binary?

    If I manually create a bridge interface in nm-connection-editor, don't add any other interfaces to it, and set up VMs with Bridge networking to this interface, can I be sure this is a host-only network? With such a bridge, traffic between host and guests is working, as is guest-to-guest traffic, and on the host ip link show master <bridge_interface_name> shows only the vnet interfaces for the VMs.
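    The `ip link show master` check in the post above, turned into a small audit script. This is an added example, not code from the thread or from libvirt: it takes the command output as text so it can be tried on the constructed samples below, and it adds the second thing a plain bridge does not tell you, whether the host itself will route between the bridge and its real NIC (libvirt's "isolated" mode installs drop rules for that, "open" mode installs none). Bridge name `br-hostonly` and the interface names in the samples are made up.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for a "host-only" Linux bridge.
# Functions take command output as text; on a real host feed them the live output
# named in each comment.

# $1 = output of:  ip -o link show master <bridge>
# Succeeds only if every enslaved port is a guest tap (vnetN / tapN), i.e. no
# physical NIC, VLAN or veth gives the bridge an uplink to the LAN.
bridge_ports_are_guest_taps() {
    printf '%s\n' "$1" | awk '
        NF { name = $2; sub(/@.*/, "", name); sub(/:$/, "", name)
             if (name !~ /^(vnet|tap)[0-9]+$/) bad = 1 }
        END { exit bad + 0 }'
}

# $1 = output of:  sysctl -n net.ipv4.ip_forward
# With forwarding on and no drop rules, the host routes between the bridge and its
# real NIC. libvirt's "isolated" mode adds such drop rules; "open" mode deliberately
# adds none, so a hand-made bridge needs this checked separately.
ipv4_forwarding_off() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "0" ]
}

# Combined verdict: prints the reason and returns 0 (host-only) or 1 (not proven).
audit_bridge() {
    ports="$1"; forwarding="$2"
    if ! bridge_ports_are_guest_taps "$ports"; then
        echo "NOT host-only: a non-tap port (uplink) is enslaved to the bridge"; return 1
    fi
    if ! ipv4_forwarding_off "$forwarding"; then
        echo "NOT host-only: net.ipv4.ip_forward=1, host may route guests to the LAN"; return 1
    fi
    echo "host-only: only guest taps on the bridge and IPv4 forwarding is off"
}

# Constructed sample output (not captured from a real machine).
SAMPLE_OK='5: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-hostonly state UNKNOWN
6: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-hostonly state UNKNOWN'
SAMPLE_UPLINK="$SAMPLE_OK
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-hostonly state UP"

audit_bridge "$SAMPLE_OK" "0"              # host-only
audit_bridge "$SAMPLE_UPLINK" "0" || :     # NOT host-only: enp3s0 is enslaved
audit_bridge "$SAMPLE_OK" "1" || :         # NOT host-only: forwarding is on
```

On a live host the two inputs are `"$(ip -o link show master br-hostonly)"` and `"$(sysctl -n net.ipv4.ip_forward)"`; the script only reads state and changes nothing.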

  7. #17
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: virt-manager networking without iptables binary?

    I purge network-manager from all my systems, since the bad times around 2012. NM is one of the tools I have no time to bother using.

    Bridges aren't for host-only networks.

  8. #18
    Join Date
    Jun 2016
    Beans
    2,831
    Distro
    Xubuntu

    Re: virt-manager networking without iptables binary?

    Quote Originally Posted by TheFu View Post
    Bridges aren't for host-only networks.

    Could you please elaborate on this?

    Based on attempting to read this (but don't currently have enough networking knowledge to get my head around everything written there), I thought bridges are basically virtual network switches, which could be configured for use for anything a physical network switch could be used for?

    What would be the correct/best way to create a host-only network between virt-manager VMs which doesn't need firewall rules to enforce and where libvirt doesn't start a dnsmasq instance?

  9. #19
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: virt-manager networking without iptables binary?

    Sorry, I don't do host-only networking. I use normal Linux bridges which connect bi-directionally A <-----> B. That's what a bridge does. It connects two things, usually over a canyon or some sort of water. It is bi-directional. Of course, you can set up blocks on the inbound side, if you like. That would be a firewall, separate from the bridge.

    The VirtualBox manual, chapter 6, has a good explanation.

  10. #20
    Join Date
    May 2007
    Location
    NY's first capital
    Beans
    2,868
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: virt-manager networking without iptables binary?

    It seems like running from a Wi-Fi card is not contributing to the issue. I'll add to the other suggestions in case using the LAN port would be better. There are Wi-Fi routers or access points that can bridge the house/company Wi-Fi and provide wired LAN to the laptop's NIC.

    For private/host-only networks, can't you create a virtual bridge per VM to keep networking between host & VM? This may complicate your NAT rules to provide Internet to the VM.
