KVM - Libvirt - Firewall lost nat cfgs

Everything works fine when I reboot the server, all VMs communicate, have access to the internet via NAT, it is possible to access services in the VMs through the Internet, etc. However, if I need to restart the firewall (rcSuSEfirewall2 restart) everything is lost.

Restarting libvirt, the network, etc. does not bring it back; only restarting the server does.

I have already researched and made it clear that the rules in /etc/sysconfig/SuSEfirewall2 overlap with the rules created by libvirt > iptables, but I have not yet found a professional way to overcome this problem, since NAT is created by libvirt.

Need help.

Thank you.

I tried to compare the output of iptables-save before and after restarting the firewall; the differences are the expected ones: creation of NAT, release of NAT IPs, some redirected ports etc. However, if I do:

iptables-save > file
rcSuSEfirewall2 restart
iptables-restore -c < file

I do not have the network (NAT) working for the VMs; nothing works. Restarting the services associated with the network still does not help. It only works again by restarting the server.

Thank you.

First,
I’ve never personally put any faith in behaviors I can’t explain, and in this case if your Guests work fine after a reboot I can’t explain why that would be the case.

For many years and across all virtualization technologies the HostOS firewall has always filtered traffic to Guests if networking is set up in conventional ways. There is typically nothing that would enable traffic to somehow bypass HostOS network filtering unless a forwarding rule is somehow set up to do just that, and that is practically never done (I’m seeing some weird new things along this line in Docker networking, so that could become a unique case). The only way I can think of that might avoid these general principles is if a hardware bypass (NIC) is configured.

So,
My rule of thumb has been to either

  • Configure the HostOS with a fairly open firewall but severely restrict the services running on it. This is the general approach any time you deploy a “Hypervisor only” HostOS (like VMware’s ESXi). In a production environment, I recommend the same for other virtualization like KVM… The HostOS should be a text-only server or at most IceWM, installed with only KVM/libvirt.
  • If you install KVM on a Workstation, the firewalls that can be installed on openSUSE in general filter only inbound traffic, and allow just about anything outbound. For this reason, without any special firewall rules Guests should be able to communicate in any way with remote machines on remote networks, but this does not mean that remote machines will be able to communicate with Services running on your Guests. If you don’t have a very permissive inbound net filtering like I described above, then you will likely need to open ports for those services <both> on your Guest and HostOS.

Lastly,
You should not be invoking services nowadays using the “rc” command; today openSUSE implements the systemd subsystem, which implements Unit files as configurations and a universal syntax using the “systemctl” command.
This is important because the Unit file is a kind of master configuration that may also implement your rc command (or something similar) but may also apply other rules, methods and modifications. Bottom line is that your “rc” command may not invoke the correct way today.

eg

systemctl start|stop|restart|status SuSEfirewall2.service

Now, it <would> be interesting if someone who might have done something undocumented but useful were to post some new insight into a special openSUSE configuration…

TSU

Hello TSU,
thank you for the text.
In fact the Firewall settings are totally original, and I’ve just added a collection of ports for external access. Unfortunately the server is not unique to host VMs, it also accumulates other functions.
Below I will show the iptables output before and after the firewall restart, and I hope that a closer look by some of the readers can point to something that helps avoid the problem:

Before:

# Generated by iptables-save v1.4.21 on Thu Jul 20 10:25:05 2017
*nat
:PREROUTING ACCEPT [818:79344]
:INPUT ACCEPT [169:9967]
:OUTPUT ACCEPT [48:3337]
:POSTROUTING ACCEPT [106:7792]
-A PREROUTING -p tcp -m tcp --dport 50080 -j DNAT --to-destination 10.0.0.100:80
-A PREROUTING -p tcp -m tcp --dport 53389 -j DNAT --to-destination 10.0.0.100:3389
-A PREROUTING -p tcp -m tcp --dport 57081 -j DNAT --to-destination 10.0.0.110:7081
-A POSTROUTING -s 10.0.0.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 10.0.0.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 10.0.0.0/24 ! -d 10.0.0.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.0.0.0/24 ! -d 10.0.0.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.0.0.0/24 ! -d 10.0.0.0/24 -j MASQUERADE
COMMIT
# Completed on Thu Jul 20 10:25:05 2017
# Generated by iptables-save v1.4.21 on Thu Jul 20 10:25:05 2017
*raw
:PREROUTING ACCEPT [29508:12364173]
:OUTPUT ACCEPT [23144:9785615]
-A PREROUTING -i lo -j CT --notrack
-A OUTPUT -o lo -j CT --notrack
COMMIT
# Completed on Thu Jul 20 10:25:05 2017
# Generated by iptables-save v1.4.21 on Thu Jul 20 10:25:05 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [22594:9753267]
:forward_ext - [0:0]
:input_ext - [0:0]
:reject_func - [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -d 10.0.0.100/32 -o virbr0 -j ACCEPT
-A FORWARD -d 10.0.0.110/32 -o virbr0 -j ACCEPT
-A FORWARD -d 10.0.0.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 53389 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 53389 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 50080 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 50080 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 80 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 443 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 21 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 7777 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 7777 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 9999 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 9306 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 9306 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 9080 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 9080 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 9143 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 9143 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 28143 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 28143 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 18143 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 18143 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 8099 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 8099 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 80 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 8280 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 8280 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 4406 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 4406 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 139 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 139 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 5900:5901 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 5900:5901 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 3306 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 3306 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 3406 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 3406 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 8080 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 8080 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 20 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 20 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 21 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 30000:30100 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 30000:30100 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 2199 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 2199 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 40050:40060 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 40050:40060 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 5580 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 5580 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 5506 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 5506 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 4080 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 4080 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 8443 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 8443 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 20579 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 20579 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 3651 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 3651 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 50088 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 50088 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 57081 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 57081 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -m pkttype ! --pkt-type unicast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Thu Jul 20 10:25:05 2017

The “after” part follows in the next post.

Thank you very much.

After:

# Generated by iptables-save v1.4.21 on Thu Jul 20 10:30:58 2017
*nat
:PREROUTING ACCEPT [14:758]
:INPUT ACCEPT [7:364]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Thu Jul 20 10:30:58 2017
# Generated by iptables-save v1.4.21 on Thu Jul 20 10:30:58 2017
*raw
:PREROUTING ACCEPT [205:22327]
:OUTPUT ACCEPT [135:37383]
-A PREROUTING -i lo -j CT --notrack
-A OUTPUT -o lo -j CT --notrack
COMMIT
# Completed on Thu Jul 20 10:30:58 2017
# Generated by iptables-save v1.4.21 on Thu Jul 20 10:30:58 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [135:37383]
:forward_ext - [0:0]
:input_ext - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 53389 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 53389 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 50080 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 50080 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 80 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 443 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 21 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 7777 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 7777 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 9999 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 9306 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 9306 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 9080 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 9080 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 9143 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 9143 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 28143 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 28143 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 18143 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 18143 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 8099 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 8099 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 80 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 8280 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 8280 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 4406 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 4406 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 139 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 139 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 5900:5901 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 5900:5901 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 3306 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 3306 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 3406 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 3406 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 8080 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 8080 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 20 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 20 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 21 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 30000:30100 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 30000:30100 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 2199 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 2199 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 40050:40060 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 40050:40060 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 5580 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 5580 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 5506 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 5506 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 4080 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 4080 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 8443 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 8443 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 20579 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 20579 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 3651 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 3651 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 50088 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 50088 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 57081 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 57081 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -m pkttype ! --pkt-type unicast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Thu Jul 20 10:30:58 2017

Thank you very much.
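As an added example (not code from the thread, from libvirt or from SuSEfirewall2), here is a small Python tool that does mechanically what the two posts above do by eye: it parses two iptables-save dumps, lists every rule that is present before the firewall restart and missing after it, and renders those rules as input for `iptables-restore --noflush`. Each rule is re-inserted at its original position in its chain with `-I`, so that the virbr0 DNS/DHCP and FORWARD accepts land ahead of the terminating DROP/LOG rules the restarted firewall re-created, which a plain append would not achieve. The embedded dumps are constructed, shortened versions of the ones posted above (the nat DNAT/MASQUERADE rules, the virbr0 INPUT and FORWARD rules, the SuSEfirewall2 chains); the function and file names are mine.

```python
#!/usr/bin/env python3
"""Report iptables rules lost across a firewall restart and render them for
`iptables-restore --noflush`. Added example; names are my own, not libvirt's."""
import sys

# Constructed, shortened dumps modelled on the thread's before/after output.
BEFORE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 50080 -j DNAT --to-destination 10.0.0.100:80
-A POSTROUTING -s 10.0.0.0/24 ! -d 10.0.0.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:input_ext - [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j input_ext
-A INPUT -j DROP
-A FORWARD -d 10.0.0.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -i virbr0 -j ACCEPT
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING "
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -j DROP
COMMIT
"""

AFTER_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:input_ext - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j input_ext
-A INPUT -j DROP
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING "
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -j DROP
COMMIT
"""


def parse_iptables_save(text):
    """Parse iptables-save output into {table: [(chain, rule_line), ...]}.
    Only '-A' rule lines are kept, in order; policy lines (':CHAIN ...'),
    comments and COMMIT are consumed but not stored."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            tables.setdefault(table, [])
        elif line == "COMMIT":
            table = None
        elif line.startswith("-A ") and table is not None:
            tables[table].append((line.split()[1], line))
    return tables


def lost_rules(before, after):
    """Return {table: [(chain, position, rule), ...]} for rules in `before`
    that are absent from `after`. `position` is the rule's 1-based index
    within its chain in `before`, i.e. the slot it has to go back to."""
    lost = {}
    for table, rules in before.items():
        surviving = {rule for _, rule in after.get(table, [])}
        seen = {}
        for chain, rule in rules:
            seen[chain] = seen.get(chain, 0) + 1
            if rule not in surviving:
                lost.setdefault(table, []).append((chain, seen[chain], rule))
    return lost


def restore_fragment(lost):
    """Render lost rules as iptables-restore input for --noflush mode.
    '-A chain' becomes '-I chain N' so each rule returns to its old slot,
    ahead of any terminating DROP/REJECT the restart appended. No ':chain'
    declarations are emitted: under --noflush, declaring an existing
    user-defined chain flushes it, so the target chains must still exist."""
    lines = []
    for table, entries in lost.items():
        lines.append("*" + table)
        for chain, pos, rule in entries:
            lines.append(rule.replace("-A %s" % chain, "-I %s %d" % (chain, pos), 1))
        lines.append("COMMIT")
    return "\n".join(lines) + "\n" if lines else ""


def diff_dumps(before_text, after_text):
    """Parse both dumps; return (lost_rules_by_table, restore_fragment_text)."""
    lost = lost_rules(parse_iptables_save(before_text), parse_iptables_save(after_text))
    return lost, restore_fragment(lost)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: lostrules.py before.txt after.txt
        before_text, after_text = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:
        before_text, after_text = BEFORE_DUMP, AFTER_DUMP
    lost, fragment = diff_dumps(before_text, after_text)
    for table, entries in lost.items():
        for chain, pos, rule in entries:
            print("lost in %s/%s at %d: %s" % (table, chain, pos, rule), file=sys.stderr)
    sys.stdout.write(fragment)  # feed to: iptables-restore --noflush
```

Run it on two saved dumps (`iptables-save > before.txt`, restart the firewall, `iptables-save > after.txt`), read the fragment it prints, and only then pipe it into `iptables-restore --noflush`. It restores whatever disappeared, not specifically libvirt's rules, so the review step matters on a host that runs other services. It also avoids the full `iptables-restore -c < file` the thread tried, which replaces every table wholesale. The cleaner long-term fix is to let libvirt regenerate its own rules, which it does whenever it starts a network (`virsh net-destroy`/`virsh net-start` on the affected network), at the cost of briefly taking the guests' bridge down.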

First, let me comment and congratulate you on looking into this which I’ve never felt was economically practical to me.
The only thing I might say is that I notice only one rule for your bridging device (physdev), which I haven’t used before, and a lack of forwarding rules (which might be fine). I also notice what appear to be port forwarding rules, which may be part of how you are implementing this.

Let me describe what I did years ago…
As I described, my SOP is to not configure firewall rules on the HostOS (relying more on hardening and minimizing attack surface), or at least nothing that’s more than might be necessary, and to be very permissive with filtering rules.
I instead prefer to place a dedicated firewall in front of my internal networks, and this can be either a physical device (which should be a very clear and easy to understand topology) or configure a multi-home Guest as my dedicated firewall.

This dedicated Firewall Guest would be the only machine connecting to the bridging device bound to the external interface of the HostOS.
To further secure this configuration, the external interface can also be denied access to the HostOS, leaving the Guest as the only OS/machine with access to external networks. AFAICS this makes it impossible for remote hackers to access the HostOS, everything must first pass through the Firewall Guest.

The HostOS would also be configured with a virtual network for the Private Network (or, depending on desired topology a kind of DMZ used only by the Servers). The Firewall Guest of course would also be connected to this virtual network, the result is that the Firewall Guest is configured in a very ordinary way as a Critical Node Internet Gateway for the Private Network. No special or unusual rules are required, and no special configurations for bridging devices are implemented.

Of course the described Private Network is not restricted to Guests using the same virtual network on the same machine.
Other remote Hosts on different physical machines connected to the HostOS only need to be configured with the same NetworkID to be on the same network. And, for this reason Guest virtual machines can provide essential network services like DNS, DHCP, Network authentication, etc.

The configuration I’ve just described depends heavily on the virtualization technology being absolutely secure and impervious to attacks, but otherwise to my eye it’s completely secure and is based on easy-to-understand methods and common networking design and practice. If you don’t want to rely so heavily on virtualization security, then you can place a physical firewall in front of everything. Perhaps most importantly, because what I describe doesn’t require anything unusual, there is less of a chance of making a security mistake.

IMO,
TSU

Hello TSU,
All your comments are most welcome.
The server in question is remote, rented from a data center; I cannot implement anything physical, and I do not need to improve security, that’s not the point.
All I need is to be able to restart the openSUSE firewall service without destroying the rules created by libvirt, or if this is not possible, to recreate them afterwards through some command, script etc. without having to restart the server, which is drastic and undesirable.

Thank you very much.

For starters, I recommend inspecting your SuSEfirewall2 Unit file to see if it’s doing anything more than simply starting the service without any options.

Beyond that, it’s hard to say what is happening in your system.
You might also try restarting your networking (on your HostOS) with something like

systemctl restart network.service

In fact, it’s likely your original method of restarting various services was similarly faulty and should be tried again using the “systemctl” command.

Otherwise, you might want to try to verify the specific rules that are blocking.
If you Google “iptables debugging”, two results jump out as most informative. Both describe using TRACE but describe other methods as well.

http://adminberlin.de/iptables-debugging/

TSU