
Thread: virt-manager networking without iptables binary?

  1. #21
    Join Date
    Jun 2016
    Beans
    2,864
    Distro
    Xubuntu 22.04 Jammy Jellyfish

    Re: virt-manager networking without iptables binary?

    Thanks all for the clarifications. So a bridge will only forward packets between the interfaces that are explicitly connected to the bridge, so passing anything else to the bridge and its network would require a specific effort, e.g. firewall rules to specifically perform NAT - so in the absence of such firewall rules, if only VMs' interfaces are connected to the bridge, it's a host-only network.

    After looking through the VirtualBox manual chapter TheFu suggested, I'm re-evaluating this goal -
    Quote Originally Posted by halogen2
    Bridged: for when the VM should act as another physical machine on the same network as the host, without the host's firewall applying to the VM's traffic,
    Think I might be better off doing NAT port forwarding and temporarily opening the forwarded port in the host firewall. Need to experiment with port forwarding to see if it would work to the desired effect.

    Quote Originally Posted by volkswagner
    There are Wi-Fi routers or access points that can bridge the house/company Wi-Fi and provide wired LAN
    This could work, thanks for the suggestion. Have done it before once, and still have that extra router, but at this point that router is years EOL so would need to get another router to do this safely.
    Xubuntu 22.04, ArchLinux ♦ System76 hardware, virt-manager/KVM, VirtualBox
    If your questions are resolved to your satisfaction, please use Thread Tools > "Mark this thread as solved..."

  2. #22
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: virt-manager networking without iptables binary?

    Quote Originally Posted by halogen2
    Think I might be better off doing NAT port forwarding and temporarily opening the forwarded port in the host firewall. Need to experiment with port forwarding to see if it would work to the desired effect.
    I fail to see how the added complexity helps when you could just do a simple bridge, then setup a firewall on the guest that blocks all inbound ports, except ssh and the specific service ports you want open. OTOH, sometimes people like to do things the hard way, which is fine too.


    Quote Originally Posted by halogen2
    This could work, thanks for the suggestion. Have done it before once, and still have that extra router, but at this point that router is years EOL so would need to get another router to do this safely.
    All wifi routers aren't safe currently. Even the wifi-6 standard has known, working, attacks today. Since the early 2000s, I've always used a full VPN with any Wifi connection, even inside my house. All my computers and most IoT devices are wired ethernet connected, but 1 attic video camera, some tablets and phones only support wifi, so those all connect between the ISP router and my router, then use wireguard if they want access inside any specific subnets. Some people say I'm paranoid. When someone hacks your network and the only way that is possible is through wifi, you'd be paranoid too.

    OTOH, I use powerline networking to get wired networks to rooms that don't have any ethernet connections. If I need to upgrade, I'll probably switch to 2.5Gbps MoCA for greater bus bandwidth. I have COAX to most rooms already.

    BTW, I just got an Asus wifi-6 router ($38 used) to replace an older wifi-n router. Both were/are used to bridge wifi devices to the ISP's router. The wifi is mostly for house guests, though we do use the tablet to control media playback in the projector room. Setup was less than 5 minutes. Asus does the best job of security patching, thanks to an FTC lawsuit and outside mandated audits for another 10+ yrs. If you don't go with a pure AP from a reputable brand, Asus is the next best choice, IMHO - of course, all wifi needs a VPN to be secure. No getting around that. All RF needs a full VPN.

  3. #23
    Join Date
    Feb 2019
    Location
    Virginia
    Beans
    377
    Distro
    Xubuntu 22.04 Jammy Jellyfish

    Re: virt-manager networking without iptables binary?

    +1 TheFu

    Quote Originally Posted by halogen2
    Thanks all for the clarifications So a bridge will only forward packets between the interfaces that are explicitly connected to the bridge, so passing anything else to the bridge and its network would require a specific effort, e.g. firewall rules to specifically perform NAT - so in the absence of such firewall rules, if only VMs' interfaces are connected to the bridge, it's a host-only network.
    Not sure I agree with this statement. The point of a bridge is to allow VMs to appear as just another host on the network. They can communicate with, and are reachable by, other hosts on the network (subnet) because they are on a bridge. As mentioned, it's the firewall rules on each host that allow or deny traffic according to your needs. The KVM "default" network upon installation is NAT, which hides VMs behind the host with only outbound internet traffic, perhaps good for a testing environment. So we can create a bridge, or other virtual network device, to configure how our VMs participate on the network.
    Last edited by aljames2; March 3rd, 2024 at 10:05 PM. Reason: spelling

  4. #24
    Join Date
    May 2007
    Location
    NY's first capital
    Beans
    2,871
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: virt-manager networking without iptables binary?

    Quote Originally Posted by aljames2
    Not sure I agree with this statement. The point of a bridge is to allow VMs to appear as just another host on the network. They can communicate with, and are reachable by, other hosts on the network (subnet) because they are on a bridge. As mentioned, it's the firewall rules on each host that allow or deny traffic according to your needs. The KVM "default" network upon installation is NAT, which hides VMs behind the host with only outbound internet traffic, perhaps good for a testing environment. So we can create a bridge, or other virtual network device, to configure how our VMs participate on the network.
    The function of the bridge is dependent upon which interfaces are included (plus firewall and routing). If a bridge is created without including the local LAN interface, how does that help your argument? I think you are only considering a limited number of bridge configurations. If I bridge my loopback interface, that won't inherently help me connect to my LAN. Consider this, you can create a bridge without any ports.
    Last edited by volkswagner; March 3rd, 2024 at 11:40 PM.
    Nothing is ever easy, but if it is difficult you must be doing it wrong.

  5. #25
    Join Date
    Feb 2019
    Location
    Virginia
    Beans
    377
    Distro
    Xubuntu 22.04 Jammy Jellyfish

    Re: virt-manager networking without iptables binary?

    Quote Originally Posted by volkswagner
    I think you are only considering a limited number of bridge configurations. If I bridge my loopback interface, that won't inherently help me connect to my LAN. Consider this, you can create a bridge without any ports.
    It sounds like it. I probably don't know enough to carry on further here. I had not experienced these more advanced networking possibilities, so apologies to the OP. And thanks @volkswagner for giving me more learning rabbit holes to run down.

  6. #26
    Join Date
    Jun 2016
    Beans
    2,864
    Distro
    Xubuntu 22.04 Jammy Jellyfish

    Re: virt-manager networking without iptables binary?

    Thanks again to all for the help and info! Think this is finally good to go.

    To summarize the solution:

    Quote Originally Posted by halogen2
    NAT: for Internet access with traffic to/from the VM filtered by the host's firewall
    Using the libvirt NAT network type worked after installing iptables-nft (from iptables package). To make it work despite the iptables-incompatibility of my nftables rules, had to install iptables-nft and rename my nftables firewall table before installing libvirt and virt-manager.

    Bridged: for when the VM should act as another physical machine on the same network as the host, without the host's firewall applying to the VM's traffic
    Decided to go with NAT port forwarding instead, which I got working based on nftables wiki on Destination NAT and libvirt info explaining that a firewall rule must be added to allow the forwarded traffic. Since I don't always want the port accessible from outside, didn't set this up as a QEMU hook, instead I manually run the commands to modify the firewall.

    And to answer TheFu:
    Quote Originally Posted by TheFu
    I fail to see how the added complexity helps when you could just do a simple bridge, then setup a firewall on the guest that blocks all inbound ports, except ssh and the specific service ports you want open. OTOH, sometimes people like to do things the hard way, which is fine too.
    Partially for fun, partially out of curiosity to see if I could do it and if I could set up to connect to a KVM guest from outside without using additional hardware.

    The particular case here only requires one port. Now knowing what's involved in NAT port forwarding, I see why this would be "the hard way" and "added complexity" for anything beyond single-port cases. If something more complex comes up, would definitely try bridging ethernet through an Asus router.

    Quote Originally Posted by halogen2
    Host-only networking: for cases where networking is needed to connect to something on the host or another VM, but where allowing Internet access would be unsafe.
    Was achieved by creating a bridge interface in NetworkManager, not adding any other interfaces to the bridge, then setting the VM's NIC to Bridge to that interface.
    Xubuntu 22.04, ArchLinux ♦ System76 hardware, virt-manager/KVM, VirtualBox
    If your questions are resolved to your satisfaction, please use Thread Tools > "Mark this thread as solved..."
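A worked nftables fragment for the NAT port-forwarding step summarized in the post above, added here as an example; it is not halogen2's ruleset. It assumes the guest sits on libvirt's default NAT network (virbr0, 192.168.122.0/24), that the host's outside interface is eth0, and that the guest address 192.168.122.10 and the port pair 2222 -> 22 are constructed placeholder values.

```nft
# Constructed example (not the thread's ruleset): expose ssh on one libvirt
# NAT guest through host port 2222/tcp. Placeholders: outside interface eth0,
# libvirt default bridge virbr0 (192.168.122.0/24), guest 192.168.122.10.
# Load:  nft -f vm-forward.nft      Undo:  nft delete table inet vm_forward
table inet vm_forward {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Rewrite the destination before routing, so the packet is forwarded
        # to the guest instead of being delivered to the host's own sshd.
        iifname "eth0" tcp dport 2222 dnat ip to 192.168.122.10:22
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # Replies and related flows in both directions, tracked by conntrack.
        ct state established,related accept
        # Only the translated flow to this one guest port is allowed in;
        # anything else arriving for the guest network from outside is dropped.
        ct status dnat oifname "virbr0" ip daddr 192.168.122.10 tcp dport 22 accept
        # Guest-initiated outbound traffic (masqueraded by libvirt) still
        # has to pass this hook.
        iifname "virbr0" oifname "eth0" accept
    }
}
```

Because every base chain on the forward hook is evaluated and a drop or reject in any one of them wins, the two accept rules belong in whichever forward chain already carries a drop policy on the host (your own table and, on this thread's iptables-nft setup, libvirt's own FORWARD rules, which is the extra rule the libvirt documentation the post refers to describes). Deleting the table closes the port again when it is not needed.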

  7. #27
    Join Date
    Mar 2010
    Location
    USA
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: virt-manager networking without iptables binary?

    I see the need to add a caveat, just in case another factor is added to this discussion... (because you mentioned wifi routers)

    Network Bridges work at Network Level 3 (IP), whereas Wireless APs work at Level 2 (MAC address authentication). Just keep that in the back of your thoughts...

    +1 along with TheFu --- I also gave up on Network Manager years ago. For Sys Admins that review their logs (as they should), you will soon see why Network Manager is not stable, and causes a lot of its own problems.

    "Concurrent coexistence of Windows, Linux and UNIX..." || Ubuntu user # 33563, Linux user # 533637
