virt-manager networking without iptables binary?

[1fallen]

firewalld and the virtual network driver

If firewalld is active on the host, libvirt will attempt to place the bridge interface of a libvirt virtual network into the firewalld zone named "libvirt" (thus making all guest->host traffic on that network subject to the rules of the "libvirt" zone). This is done because, if firewalld is using its nftables backend (available since firewalld 0.6.0) the default firewalld zone (which would be used if libvirt didn't explicitly set the zone) prevents forwarding traffic from guests through the bridge, as well as preventing DHCP, DNS, and most other traffic from guests to host. The zone named "libvirt" is installed into the firewalld configuration by libvirt (not by firewalld), and allows forwarded traffic through the bridge as well as DHCP, DNS, TFTP, and SSH traffic to the host - depending on firewalld's backend this will be implemented via either iptables or nftables rules. libvirt's own rules outlined above will *always* be iptables rules regardless of which backend is in use by firewalld.

Source: https://libvirt.org/firewall.html#fi...network-driver

Mine are very basic on this set-up:

Code:

virsh nwfilter-list
 UUID                                   Name
-----------------------------------------------------------------
 606d786b-10b0-4b1b-98f5-5dea9326ae97   allow-arp
 a7746631-2e20-46b3-86bc-b4c5fe4a1208   allow-dhcp
 d6588fc2-7874-4fb1-9ffd-17f94237e344   allow-dhcp-server
 7bb6a34e-6bb1-49e1-9f41-3adb75c2fb00   allow-dhcpv6
 e94b5dba-bff1-404b-9170-0631d5d84739   allow-dhcpv6-server
 9f479bf2-a47e-43cd-a784-870d202809c1   allow-incoming-ipv4
 43a2ca94-f098-472e-9a33-051e225bd885   allow-incoming-ipv6
 6aff8004-39c2-4205-a159-8f002484cff1   allow-ipv4
 fe48d5f0-07eb-4e98-bfb6-2985489b7ace   allow-ipv6
 4847be07-2989-4eaa-90e8-51cc39c66c17   clean-traffic
 75d7b236-d527-45fd-9413-977f8e242bf6   clean-traffic-gateway
 a4a834c7-a867-4473-a517-bc6e77897c7a   no-arp-ip-spoofing
 8bb99a08-63e1-4b48-b999-32ba9844f642   no-arp-mac-spoofing
 efeed4c9-0534-4c86-b428-b94b7d4e8b88   no-arp-spoofing
 0f98375e-de17-4c97-a0ad-daf79837aa1a   no-ip-multicast
 d51bb497-5596-41f8-b5ef-cafc740a14b9   no-ip-spoofing
 3c5f7c58-7e35-4c37-b943-02e7fd9102f0   no-ipv6-multicast
 a65c5c5a-6364-4935-b9fa-94415e9995eb   no-ipv6-spoofing
 3daac86c-d45b-4583-a670-a4932d8711ca   no-mac-broadcast
 111a1ae2-2e2d-4696-970c-cb675198d3ee   no-mac-spoofing
 f2a7c870-2c7d-4f46-ad37-d83308af4f44   no-other-l2-traffic
 62e36467-17c3-4b1f-809f-89a361842d27   no-other-rarp-traffic
 dab30a8f-4ad2-4784-8f47-70dc5f6a25a0   qemu-announce-self
 b96ed81f-117a-430d-9181-ac33b7c3a70f   qemu-announce-self-rarp

From the host.

[TheFu]

Ugh That explains it, thanks. Unfortunately neither the test host nor the future production host are physically located where a wired Internet connection is available, and changing this isn't feasible

• Powerline Networking
• MoCA Networking

I use PowerLine to connect different floors, but if I were doing it today, I'd go with 2.5Gbps MoCA instead. MoCA gets the rated bandwidth if it works. PowerLinux for me was 1/10th the advertised speed on the box. I did lots of tests around the house to see it degrade. https://blog.jdpfu.com/2015/08/27/po...ernet-adapters Nobody even gets 50% of the marketing number on the box. That's fine. It is still better than wifi, since almost anything is better than any RF signaling.

Actually, I could use a MoCA setup with 3 nodes to replace the powerline setup that is almost 10 yrs old now. Too many hobbies being worked right now, so it will need to wait for a trial. MoCA has lots of little issues, so be certain to read up on those in general and for the specific models you consider. Read that 1 of the sets didn't have a factory reset button and certain settings were stuck due to that. That was a few years ago. It should be long fixed. Powerline has issues too, but if it works, it is basically like a slow ethernet bridge and devices don't see it besides the slower connection.

It should be obvious, but we are using existing house wiring for both these non-CAT5e+ connections. If your house isn't wired with COAX or electrical plugs in the desired locations, then that would make using one or both less than useful. My house has COAX to almost every room that isn't a bathroom or closet. Not all the COAX is connected anywhere. The terminal is outside in the demarcation used by the cable company, so I'd need to ensure the different COAX lines for my network are connected to the distribution switch there.

[halogen2]

I was able to work around the error with sudo iptables -L -v by renaming my firewall table to something other than filter , which causes iptables to report an empty firewall (nft still reports all rules). However, virt-manager continues to throw this same error dialog even after the rename and sudo iptables -L -v is working.

Well that was strange. Setting this up on the production host, the nftables table rename does completely solve the problem there, virt-manager is able to use iptables-nft no problem, and the VM can get internet access with NAT network. Thanks The Cog for your advice!

Still wondering about this though? -

the Open network appears to be working as host-only networking, solving one of the 3 issues. How can I prove this network is really isolated to host-only, and not just not configured for available Internet or LAN access?

How does this differ from Isolated network, which description matches the way the Open network appears to function?

• Powerline Networking
• MoCA Networking

...
If your house isn't wired with COAX or electrical plugs in the desired locations, then that would make using one or both less than useful.

No accessible coax cables or extra plugs in this location, but good to know about those options, I was not aware of them. Thanks for the info.

[TheFu]

I'm struggling to understand what the difference is between NAT and bridged if you are going to open ports to the guest. Firewalls can run inside the VM and do any firewalling like a physical host provides. I run my VPN server inside a VM guest to take advantage of this.

If you just want to run 1 network service inside a protected area, perhaps a Linux Container would be a better choice? Containers use 1/10th (or less) the overhead that a full VM uses. If you use Docker, forwarding 1 port into the container is normal. If you use LXC/LXD, you can treat it like a VM, just without a firewall. Containers shouldn't be run with elevated privileges, so they shouldn't be able to run a firewall unless someone screwed up (cough docker). Running a container with privilege sorta defeats 99% of the security that Linux Containers provide by running as nobody users.

[halogen2]

I'm struggling to understand what the difference is between NAT and bridged if you are going to open ports to the guest.

99% of the time I use a guest with open ports, I only want the host and/or specific other guests to be able to access the open ports. It's simpler, and potentially less attack surface, to use a networking setup that "just has" this isolation than to effect it using guest firewall rules.

[halogen2]

If I manually create a bridge interface in nm-connection-editor, don't add any other interfaces to it, and set up VMs with Bridge networking to this interface, can I be sure this is a host-only network? With such bridge, traffic between host and guests is working, as is guest-to-guest traffic, and on the host ip link show master <bridge_interface_name> shows only the vnet interfaces for the VMs.

[TheFu]

I purge network-manager from all my systems, since the bad times around 2012. NM is one of the tools I have no time to bother using.

Bridges aren't for host-only networks.

[halogen2]

Bridges aren't for host-only networks.

Could you please elaborate on this?

Based on attempting to read this (but don't currently have enough networking knowledge to get my head around everything written there), I thought bridges are basically virtual network switches, which could be configured for use for anything a physical network switch could be used for?

What would be the correct/best way to create a host-only network between virt-manager VMs which doesn't need firewall rules to enforce and where libvirt doesn't start a dnsmasq instance?

[TheFu]

Sorry, I don't do host-only networking. I use normal linux bridges which connect bi-directionally A <-----> B. That's what a bridge does. It connects two things usually over a canyon or some sort of water. It is bi-directional. Of course, you can setup blocks on the inbound side, if you like. That would be a firewall, separate from the bridge.

The virtualbox manual, chapter 6 has a good explanation.

[volkswagner]

It seems like running from Wi-Fi card is not contributing to the issue. I’ll add to the other suggestions in case using the LAN port would be better. There are Wi-Fi routers or access points that can bridge the house/company Wi-Fi and provide wired LAN to the laptop’s NIC.


For private/host only networks, can’t you create a virtual bridge per VM to keep networking between host & vm? This may complicate your NAT rules to provide Internet to the VM.