gulchi

Reputation: 29

How to configure firewall on Centos 7 for KVM Routed Bridge

I want to set up multiple virtual machines to run webserver, postfix, etc.

I have a few public IP addresses from my ISP. My host system is running Centos 7 and my virtual machines are running Debian Wheezy. Since my hoster restricts access to the switch based on MAC address, I cannot use a "full" bridge.

Instead I configured a routed bridge (see http://wiki.hetzner.de/index.php/Proxmox_VE)

I have successfully set up both machines, but the VM cannot connect to the internet if the firewall on my host machine is active. If my firewall is active I can ping machines on the internet from my VM, but nothing else.

How can I configure my firewall under Centos 7 to give the VMs on br0 access to the internet?

Any help is appreciated. Thank you very much.

Network Config Host Machine

Host-Machine: /etc/sysconfig/network-scripts/ifcfg-enp2s0

 BOOTPROTO=none
 DEVICE=enp2s0
 ONBOOT=yes
 IPADDR=A.A.A.42
 NETMASK=255.255.255.255
 SCOPE="peer A.A.A.1"

Host-Machine: /etc/sysconfig/network-scripts/route-enp2s0

 ADDRESS0=0.0.0.0
 NETMASK0=0.0.0.0
 GATEWAY0=A.A.A.1

Host-Machine: /etc/sysconfig/network-scripts/ifcfg-br0

 DEVICE=br0
 TYPE="Bridge"
 ONBOOT=yes
 BOOTPROTO=none
 IPADDR=A.A.A.42
 NETMASK=255.255.255.255
 STP=off
 DELAY=0

Host Machine: /etc/sysconfig/network-scripts/route-br0

 ADDRESS0=B.B.B.160
 NETMASK0=255.255.255.255

Network Config Virtual machine

Virtual machine: /etc/network/interfaces

 auto lo
 iface lo inet loopback
 allow-hotplug eth0
 iface eth0 inet static
         address B.B.B.160
         netmask 255.255.255.255
         pointopoint A.A.A.42
         gateway A.A.A.42

Firewall settings Host machine (firewall-cmd --list-all)

public (default, active)
  interfaces: br0 enp2s0
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

Thank you very much in advance.

Upvotes: 1

Views: 11222

Answers (2)

Orsiris de Jong

Reputation: 3026

On CentOS 8 (and probably CentOS 7) with firewalld, there's a much easier way to get all routed bridged KVM virtual machines full unrestricted internet access without dealing with firewall rules.

By default, all interfaces are bound to the public firewall zone. But there are multiple zones (see firewall-cmd --list-all-zones), of which one is called trusted, which is an unfiltered firewall zone that accepts all packets by default. So you can just bind the bridge interface to that zone.

firewall-cmd --remove-interface br0 --zone=public --permanent
firewall-cmd --add-interface br0 --zone=trusted --permanent
firewall-cmd --reload

Hope this helps.

Upvotes: 3

krs4keshara

Reputation: 161

To accomplish this, you have two options.

Option 1 (from a security perspective this method is recommended):

Disable netfilter on the configured bridge:

 # vi /etc/sysctl.conf
 net.bridge.bridge-nf-call-ip6tables = 0
 net.bridge.bridge-nf-call-iptables = 0
 net.bridge.bridge-nf-call-arptables = 0

Check the values before/after:

 # sysctl -p /etc/sysctl.conf

Option 2:

Add a direct firewall rule (the ipv4 filter FORWARD 0 ... form is the --add-rule syntax; --add-chain only takes a table and chain name):

firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -m physdev --physdev-is-bridged -j ACCEPT

Upvotes: 6
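Added example, not code from the question or either answer: a narrower alternative to the two approaches above that keeps br0 in the public zone and allows only routed VM traffic through firewalld direct rules. It assumes the interface names br0 and enp2s0 from the question and a CentOS 7 firewalld whose FORWARD_direct chain is evaluated before the zone chains; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the question or either answer). Assumptions: br0 is
# the VM bridge and enp2s0 the uplink, as in the question; firewalld puts
# priority-0 direct rules into FORWARD_direct, which runs before the zone
# chains, so br0 can stay in "public". DRY_RUN=1 prints instead of executing.
set -eu

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Permanent rules for one routed bridge: the host forwards between the bridge
# and the uplink, VM-originated connections may leave, and only replies may
# come back in. Nothing is moved to the unfiltered "trusted" zone.
routed_bridge_rules() {
    bridge="$1"; uplink="$2"
    # The /32 point-to-point setup only works if the host routes at all.
    run sysctl -w net.ipv4.ip_forward=1
    # Outbound: anything the VMs initiate.
    run firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 \
        -i "$bridge" -o "$uplink" -j ACCEPT
    # Inbound: replies only. New connections to VM services (web, SMTP)
    # each need an explicit rule, see routed_bridge_allow_in below.
    run firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 \
        -i "$uplink" -o "$bridge" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run firewall-cmd --reload
}

# Allow one inbound service to one VM behind the bridge (e.g. tcp 80 to B.B.B.160).
routed_bridge_allow_in() {
    bridge="$1"; uplink="$2"; proto="$3"; port="$4"; dst="$5"
    run firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 \
        -i "$uplink" -o "$bridge" -d "$dst" -p "$proto" --dport "$port" \
        -m conntrack --ctstate NEW -j ACCEPT
    run firewall-cmd --reload
}

# Only act when invoked as "script apply"; otherwise just define the functions.
if [ "${1:-}" = apply ]; then
    routed_bridge_rules br0 enp2s0
fi
```

Verify afterwards with firewall-cmd --direct --get-all-rules; the sysctl should also be persisted under /etc/sysctl.d so it survives a reboot.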
