Iptables forward chain policy

English Network/Internet
1

Recently, virtual machines managed with kvm/virt-manager on my machine stopped being able to access the network. I realized that the default policy of the forward chain is set to drop.

myhost:~> sudo iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-BRIDGE
-N DOCKER-CT
-N DOCKER-FORWARD
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-FORWARD
-A DOCKER ! -i docker0 -o docker0 -j DROP
-A DOCKER-BRIDGE -o docker0 -j DOCKER
-A DOCKER-CT -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-FORWARD -j DOCKER-CT
-A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
-A DOCKER-FORWARD -j DOCKER-BRIDGE
-A DOCKER-FORWARD -i docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP

I have not actively changed firewall settings on that machine. According to the documentation firewalld does not allow to directly modify this policy rather by setting up policies for zones. On a fresh install of tumbleweed, the default policy is set to ACCEPT.

sudo iptables -P FORWARD ACCEPT

restores network access for virtual machines. I am wondering where the default policy is stored, given that firewalld should not touch it and what the package rules are in how far packages are allowed to change firewall rules.

Thank you in advance.

2

I ran into the same issue last week. Don’t fully understand the issue, but this fixed it:
In /etc/libvirt/network.conf change this line:
firewall_backend = "nftables" to
firewall_backend = "iptables"
and restart the network and the firewall

1 Like
3

Thank you. After switching, iptables output did not change in the first place. I digged a bit further and realized that the virtnetworkd service was neither enabled nor running. After enabling and starting the service iptables now shows the expected output. Looking further into installed packages I realized that I did not have patterns-server-kvm_server installed which is likely to enable the service. KVM seems to run just fine without virtnetworkd when forwarding is enabled but a bug was apparently introduced in nftables as not only does nftables not enable forwarding but does not establish the LIBVIRT_* chains .