VMmanager 5 KVM: Administrator guide

Firewall configuration

Netfilter is a framework provided by Linux that allows various networking-related operations. There is a number of frameworks for firewall management, such as iptables (manages IPv4 packets), ip6tables (manages IPv6 packets), ebtables (manages ethernet bridges).

How it works

VMmanager uses standard ebtables rules pre-installed by libvirt. Restarting libvirtd will restart all the frameworks for netfilter.

When adding a cluster node, VMmanager creates there the /etc/vmmgr/iptables.rules.d and /etc/vmmgr/ip6tables.rules.d directories and adds thee files with iptables and ip6tables rules into those directories. The files are overwritten when the panel restarts. The rules are uploaded in a certain order which is defined by the first two symbols of the name (00-99). E.g., 123 means that the rule will be handled 23th in succession; _21 means that the system will handle it after 99.

Files have the following names:

NN_name.rule
View details

The file contains iptables rules that will be executed one by one.

Standard rules

cat /etc/vmmgr/iptables.rules.d/00_prepare.rule
# ISPsystem firewall rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-F INPUT
-F FORWARD
cat /etc/vmmgr/iptables.rules.d/20_vmmgr.rule
# ISPsystem firewall rules
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dport 111,662,892,1515,2049,32803 -j ACCEPT 
-A INPUT -p udp -m multiport --dport 662,892,2049,32769 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 5900:6900 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 15900:16900 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 49152:49261 -j ACCEPT
cat /etc/vmmgr/ip6tables.rules.d/00_prepare.rule
# ISPsystem firewall rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-F INPUT
-F FORWARD

Adding rules

To add a rule, navigate to Cluster settings → Firewall → Add to add custom rules in VMmanager. You can also add them by creating files manually.

Note
Do not change or delete the standard rules, as they can be overwritten after VMmanager updates. The files that the administrator adds manually can be also deleted after reboot.