Netfilter is a framework provided by Linux that allows various networking-related operations. There are a number of frameworks for firewall management, such as iptables (manages IPv4 packets), ip6tables (manages IPv6 packets) and ebtables (manages Ethernet bridges).
How it works
VMmanager uses the standard ebtables rules pre-installed by libvirt. Restarting libvirtd restarts all the netfilter frameworks.
When a cluster node is added, VMmanager creates the /etc/vmmgr/iptables.rules.d and /etc/vmmgr/ip6tables.rules.d directories on it and places the files with iptables and ip6tables rules into those directories. The files are overwritten when the panel restarts. The rules are loaded in the order defined by the first two characters of the file name (00-99). E.g., 123 means that the rule will be handled 23rd in succession; _21 means that the system will handle it after 99.
Files are named NN_name.rule (e.g. 00_prepare.rule), where:
- NN is the rule weight (rules with lower weight are processed first)
- name is any name
Each file contains iptables rules that are executed one by one.
cat /etc/vmmgr/iptables.rules.d/00_prepare.rule
# ISPsystem firewall rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-F INPUT
-F FORWARD

cat /etc/vmmgr/iptables.rules.d/20_vmmgr.rule
# ISPsystem firewall rules
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dport 111,662,892,1515,2049,32803 -j ACCEPT
-A INPUT -p udp -m multiport --dport 662,892,2049,32769 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900:6900 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 15900:16900 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49152:49261 -j ACCEPT

cat /etc/vmmgr/ip6tables.rules.d/00_prepare.rule
# ISPsystem firewall rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-F INPUT
-F FORWARD
Rules for VMmanager Cloud:
cat /etc/vmmgr/iptables.rules.d/30_vmmgr_cloud.rule
# ISPsystem firewall rules
-A INPUT -p udp -m udp --dport 5404:5405 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21064 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 41966:41969 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 50006:50009 -j ACCEPT
-A INPUT -p udp -m udp --dport 50007 -j ACCEPT
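The following POSIX shell script is an added example, not VMmanager's own loader (the panel's implementation is not shown on this page). It emulates the ordering described above: files in a rules.d directory are sorted in the C locale, so the two-digit weight decides the order and a name starting with "_" lands after 99; comment lines such as "# ISPsystem firewall rules" are skipped and every remaining line is passed to the firewall binary as one rule. The directory path, the DRY_RUN and FW variables and the sample files are assumptions made for the example; with DRY_RUN=1 it only prints the commands, which is the safe way to review what order a custom file would be applied in before touching the live firewall.

```shell
#!/bin/sh
# Added example: emulate name-ordered loading of NN_name.rule files.
# Not VMmanager's own code; DRY_RUN and FW are assumed variables.

# Print the .rule file names of a directory in processing order.
# LC_ALL=C makes the sort byte-wise, so "00" < "20" < "99" < "_21",
# matching the behaviour described in the documentation above.
rule_order() {
    dir=$1
    for f in "$dir"/*.rule; do
        [ -e "$f" ] || continue          # no files: print nothing
        printf '%s\n' "${f##*/}"
    done | LC_ALL=C sort
}

# Apply every non-comment, non-empty line of each file, in order, as the
# arguments of the firewall binary ($FW, default iptables).
# With DRY_RUN=1 the command is printed instead of executed.
apply_rules() {
    dir=$1
    fw=${FW:-iptables}
    rule_order "$dir" | while IFS= read -r name; do
        # Strip "# ..." comments and blank lines; one rule per line.
        sed -e 's/#.*$//' "$dir/$name" | grep -v '^[[:space:]]*$' |
        while IFS= read -r line; do
            if [ "${DRY_RUN:-0}" = 1 ]; then
                printf '%s %s\n' "$fw" "$line"
            else
                # Word-splitting the rule line into arguments is intended.
                $fw $line
            fi
        done
    done
}

# Stand-alone usage (constructed sample directory, dry run only):
if [ "${RUN_DEMO:-0}" = 1 ]; then
    demo=$(mktemp -d)
    printf '%s\n' '# ISPsystem firewall rules' '-P INPUT ACCEPT' > "$demo/00_prepare.rule"
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' > "$demo/20_vmmgr.rule"
    printf '%s\n' '-A INPUT -p tcp --dport 22 -j ACCEPT' > "$demo/_21_custom.rule"
    DRY_RUN=1 apply_rules "$demo"
    rm -rf "$demo"
fi
```

Rule lines are split on whitespace exactly as the loader would pass them to iptables, so a rule that needs quoted arguments (for example a string match with spaces) must be written in a form that survives plain word-splitting; a dry run shows the resulting command line before it is ever executed.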
Adding custom rules
To add a rule in VMmanager, navigate to "Cluster settings" → "Firewall" → "Add". You can also add rules by creating the files manually.
Do not change the standard rules, as they can be overwritten after VMmanager updates. Files that the administrator adds manually can also be deleted after a reboot.