CAN you SAFELY edit the libvirt default.xml?
by anton-venko from LinuxQuestions.org on (#5RFQA)
libvirt default.xml
Code:
<network>
  <name>default</name>
  <bridge name="virbr0" />
  <forward/>
  <ip address="192.168.122.1" netmask="255.255.255.0">
    <dhcp>
      <range start="192.168.122.2" end="192.168.122.254" />
    </dhcp>
  </ip>
</network>

I tried to have this NAT forward through a VPN using tun0 with the following edit of default.xml, but it's not working.
Code:
<network>
  <name>default</name>
  <forward dev='tun0' mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
    <interface dev='tun0'/>
  </forward>
  <bridge name='vpn0' stp='on' delay='0'/>
  <mac address='52:54:00:c2:05:79'/>
  <ip address='10.99.99.254' netmask='255.255.0.0'>
    <dhcp>
      <range start='10.99.99.10' end='10.99.99.250'/>
    </dhcp>
  </ip>
</network>

Those are the iptables rules automatically created by libvirt after starting the network.
Code:
0 0 ACCEPT all -- tun0 vpn0 0.0.0.0/0 10.99.0.0/16 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- vpn0 tun0 10.99.0.0/16 0.0.0.0/0
0 0 ACCEPT all -- vpn0 vpn0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * vpn0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
15 1244 REJECT all -- vpn0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- eno1 virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- virbr0 eno1 192.168.122.0/24 0.0.0.0/0
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

What am I missing?
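An added example, not part of the post and not libvirt's own tooling: a Python script that parses a libvirt network definition, checks that the forward uplink, the bridge, the address/netmask pair and the DHCP range agree with each other, and then replays the posted vpn0 FORWARD rules to see which rule decides a given forwarded packet. The XML and the rule lines in the script are constructed copies of the ones in the post; the guest address 10.99.99.10, the remote address 203.0.113.1 (documentation range) and the eno1 out-interface case are assumptions made for illustration.

```python
"""Sanity-check a libvirt <network> definition and replay its FORWARD chain.

Added example; not from the post and not part of libvirt. The XML and the
rule lines below are constructed copies of what the post shows.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed: the poster's VPN network definition as a complete document.
VPN_NETWORK_XML = """<network>
  <name>default</name>
  <forward dev='tun0' mode='nat'>
    <nat><port start='1024' end='65535'/></nat>
    <interface dev='tun0'/>
  </forward>
  <bridge name='vpn0' stp='on' delay='0'/>
  <mac address='52:54:00:c2:05:79'/>
  <ip address='10.99.99.254' netmask='255.255.0.0'>
    <dhcp><range start='10.99.99.10' end='10.99.99.250'/></dhcp>
  </ip>
</network>"""

# Constructed: the vpn0 rules of `iptables -L FORWARD -v -n` from the post
# (the column header that iptables prints first is omitted here).
FORWARD_RULES = """\
0 0 ACCEPT all -- tun0 vpn0 0.0.0.0/0 10.99.0.0/16 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- vpn0 tun0 10.99.0.0/16 0.0.0.0/0
0 0 ACCEPT all -- vpn0 vpn0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * vpn0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
15 1244 REJECT all -- vpn0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
"""


def describe_network(xml_text):
    """Parse a libvirt network XML; return (bridge, uplink, subnet, problems).

    An empty `problems` list means the definition is internally consistent,
    not that the host actually routes guest traffic the way it intends.
    """
    root = ET.fromstring(xml_text)  # raises ParseError on a fragment with no root
    problems = []
    if root.tag != "network":
        problems.append("root element is <%s>, expected <network>" % root.tag)

    bridge_el = root.find("bridge")
    bridge = bridge_el.get("name") if bridge_el is not None else None

    uplink = None
    fwd = root.find("forward")
    if fwd is not None:
        # forward dev='X' is shorthand for a single <interface dev='X'/>;
        # when both are present they have to name the same device.
        uplink = fwd.get("dev")
        for iface in fwd.findall("interface"):
            dev = iface.get("dev")
            if uplink is None:
                uplink = dev
            elif dev != uplink:
                problems.append("forward dev=%s but <interface dev=%s/>" % (uplink, dev))

    subnet = None
    ip_el = root.find("ip")
    if ip_el is not None:
        mask = ip_el.get("netmask") or ip_el.get("prefix")
        if mask is None:
            problems.append("<ip> has neither netmask nor prefix")
        else:
            subnet = ipaddress.ip_interface("%s/%s" % (ip_el.get("address"), mask)).network
            for rng in ip_el.findall("dhcp/range"):
                for key in ("start", "end"):
                    addr = ipaddress.ip_address(rng.get(key))
                    if addr not in subnet:
                        problems.append("dhcp range %s %s is outside %s" % (key, addr, subnet))
    return bridge, uplink, subnet, problems


# Columns of `iptables -L -v -n`: pkts bytes target prot opt in out source destination [extra]
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+\S+\s+"
    r"(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$"
)


def parse_forward_rules(text):
    """Turn rule lines into dicts; lines that are not rules are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            r = m.groupdict()
            r["pkts"], r["bytes"] = int(r["pkts"]), int(r["bytes"])
            rules.append(r)
    return rules


def rules_with_hits(rules):
    """Rules whose packet counter is non-zero, i.e. the ones traffic actually reached."""
    return [r for r in rules if r["pkts"] > 0]


def first_match(rules, in_if, out_if, src, dst, established=False):
    """Replay the chain for one forwarded packet; return the rule that decides it.

    Models interfaces, source/destination prefixes and a bare
    'ctstate RELATED,ESTABLISHED' match; the nat table is not modelled.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["in"] not in ("*", in_if) or r["out"] not in ("*", out_if):
            continue
        if s not in ipaddress.ip_network(r["src"]) or d not in ipaddress.ip_network(r["dst"]):
            continue
        if "ctstate" in r["extra"] and not established:
            continue
        return r
    return None  # no rule matched: the chain policy applies


if __name__ == "__main__":
    bridge, uplink, subnet, problems = describe_network(VPN_NETWORK_XML)
    print("bridge=%s uplink=%s subnet=%s problems=%s" % (bridge, uplink, subnet, problems))
    rules = parse_forward_rules(FORWARD_RULES)
    for r in rules_with_hits(rules):
        print("hit: %(pkts)d pkts %(target)s in=%(in)s out=%(out)s" % r)
    # Assumed addresses: a DHCP guest and a remote host in the documentation range.
    for out_if in ("tun0", "eno1"):
        r = first_match(rules, bridge, out_if, "10.99.99.10", "203.0.113.1")
        print("guest -> %s: %s" % (out_if, r["target"] if r else "chain policy"))
```

Run on the post's data, the XML check reports no inconsistencies, and the only rule with a non-zero counter is the catch-all REJECT for packets entering on vpn0. Because that rule sits after the vpn0-to-tun0 ACCEPT, the 15 packets it counted are forwarded packets from vpn0 that the earlier rule did not take: either the host routed them out of an interface other than tun0, or their source was outside 10.99.0.0/16. The replay makes the first case visible: a guest packet whose out-interface is tun0 is accepted, the same packet leaving via eno1 is rejected. The script only answers which FORWARD rule matches; which interface the host actually picks is decided by its routing table, which this example does not inspect.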