
[Xen-users] IpTables, Bridges and letting all traffic through to Vif interfaces


  • To: <xen-users@xxxxxxxxxxxxxxxxxxx>
  • From: "Robert Dunkley" <Robert@xxxxxxxxx>
  • Date: Fri, 5 Sep 2008 10:30:31 +0100
  • Delivery-date: Fri, 05 Sep 2008 02:32:37 -0700
  • List-id: Xen user discussion <xen-users.lists.xensource.com>
  • Thread-index: AckPOgqyfYEGlvlyT5uk4+QfwGw+6Q==
  • Thread-topic: IpTables, Bridges and letting all traffic through to Vif interfaces

I have bridging up and running fine when IPtables is disabled. The bridge interface has an IP for Dom0 which I need to firewall, so I can’t exclude the whole interface from IPTables.

I added this line to IPTables:

 -A RH-Firewall-1-INPUT -m physdev --physdev-in eth1 -j ACCEPT

It nearly works: the firewall carries on blocking on the Dom0 IP and allows through connections like RDP to the Windows VMs; outgoing traffic from the VMs is generally OK too. The big exception is DNS from within the VMs: it gets blocked and I don’t understand why. I can go to IP-address websites but not FQDNs; disabling IPtables allows traffic again. Anyone have any suggestions on fixing this?

My IPTables config:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i ib0 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m physdev --physdev-in eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 5900:6000 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

The SAQ Group

Registered Office: 18 Chapel Street, Petersfield, Hampshire GU32 3DZ
SEMTEC Limited Trading as SAQ is Registered in England & Wales
Company Number: 06481952
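As an added example (not from the original post), a small Python walker over the posted RH-Firewall-1-INPUT chain: it reports which rule terminates a described packet, so the rule order can be checked on paper rather than by toggling the firewall on the live host. It models only the matches the posted rules use; the bridge name xenbr1 and the vif1.0 bridge port in the sample packets are assumptions.

```python
# Added example: a minimal walker over the posted RH-Firewall-1-INPUT chain.
# Only the matches the posted rules use (-i, -p, -d, --dport, --physdev-in, --state) are modelled.
RULES = """-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i ib0 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m physdev --physdev-in eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 5900:6000 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited""".splitlines()

KEYS = {"-i": "iface", "-p": "proto", "-d": "dst", "--physdev-in": "physdev_in", "-j": "target"}

def parse_rule(line):
    """Pick out the match clauses and the target of one iptables-save rule line."""
    toks, r = line.split(), {}
    for i, t in enumerate(toks):
        if t in KEYS: r[KEYS[t]] = toks[i + 1]
        elif t == "--dport":  # single port or lo:hi range
            lo, _, hi = toks[i + 1].partition(":")
            r["dport"] = (int(lo), int(hi or lo))
        elif t == "--state": r["state"] = set(toks[i + 1].split(","))
    return r

def matches(r, pkt):
    """True when every match clause of rule r is satisfied by packet dict pkt."""
    for k in ("iface", "proto", "dst", "physdev_in"):
        if k in r and pkt.get(k) != r[k]: return False
    if "dport" in r and not r["dport"][0] <= pkt.get("dport", -1) <= r["dport"][1]: return False
    return "state" not in r or pkt.get("state") in r["state"]

def verdict(pkt):
    """(target, rule line) of the first rule that matches pkt, else the ACCEPT policy."""
    for line in RULES:
        r = parse_rule(line)
        if matches(r, pkt):
            return r["target"], line
    return "ACCEPT", None  # user chain fell through to the INPUT/FORWARD policy

if __name__ == "__main__":
    # Constructed packets; the bridge name xenbr1 and the port vif1.0 are assumptions.
    for name, pkt in [("RDP to a VM arriving via eth1", {"iface": "xenbr1", "physdev_in": "eth1", "proto": "tcp", "dport": 3389, "state": "NEW"}),
                      ("DNS query leaving a VM", {"iface": "xenbr1", "physdev_in": "vif1.0", "proto": "udp", "dport": 53, "state": "NEW"})]:
        print(f"{name}: {verdict(pkt)}")
```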
