Using KVM/libvirt in NAT mode to run VM guests needs forwarding to be
enabled in order to redirect a host port to a VM port. Libvirt adds iptables
rules to do its magic; in addition I had to add some more rules like:

iptables -I FORWARD -o virbr0 --proto tcp -m conntrack --ctstate NEW -j ACCEPT

or
firewall-cmd --permanent --direct --passthrough ipv4 -I FORWARD -o virbr0 -j ACCEPT

This works on the fly, but not when firewalld is reloaded, because the rule
then goes to the bottom of the FORWARD chain where it is supposed to be at the
top.

This works:

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
LIBVIRT_FWX all -- anywhere anywhere
LIBVIRT_FWI all -- anywhere anywhere
LIBVIRT_FWO all -- anywhere anywhere

This doesn't work:

Chain FORWARD (policy ACCEPT)
target prot opt source destination
LIBVIRT_FWX all -- anywhere anywhere
LIBVIRT_FWI all -- anywhere anywhere
LIBVIRT_FWO all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

As it seems there is no way to insert the needed rule at the top, even
with -I FORWARD 1, upon firewall-cmd --reload, so what options are there
left to avoid additional work every time firewalld is reloaded?
There are a number of articles on the topic (qemu hook hack etc.) but none
of them seems to provide a working solution for this case.
Please advise.
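As an added example (not part of the original post), a small POSIX shell check that looks at the FORWARD chain in "iptables -S" form and reports whether the ACCEPT rule for the bridge interface still sits above the LIBVIRT_* jumps, so that a reload silently moving it to the bottom can be detected. The two sample listings are constructed from the chains shown above; the interface name virbr0 is taken from the post, and check_live_forward is a hypothetical wrapper for the running system.

```shell
#!/bin/sh
# Constructed samples in `iptables -S FORWARD` format, modelled on the two
# chain listings in the post: ACCEPT above the LIBVIRT_* jumps (works) and
# below them (what the chain looks like after firewall-cmd --reload).
GOOD_RULES='-P FORWARD ACCEPT
-A FORWARD -o virbr0 -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO'

BAD_RULES='-P FORWARD ACCEPT
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A FORWARD -o virbr0 -p tcp -m conntrack --ctstate NEW -j ACCEPT'

# forward_order_ok RULES IFACE
# Returns 0 when an "-o IFACE ... -j ACCEPT" rule precedes the first jump
# into a LIBVIRT_* chain, 1 when it is missing or sits below those jumps.
forward_order_ok() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $1 != "-A" { next }                     # skip the -P policy line
        /-j LIBVIRT_/ { seen_libvirt = 1; next }
        $0 ~ ("-o " ifc " ") && /-j ACCEPT$/ {
            if (!seen_libvirt) ok = 1
            exit                                # first matching rule decides
        }
        END { if (ok) exit 0; exit 1 }
    '
}

# Hypothetical live check against the running firewall (needs root).
check_live_forward() {
    forward_order_ok "$(iptables -S FORWARD)" "${1:-virbr0}"
}

report() {
    if forward_order_ok "$2" virbr0; then
        echo "$1: virbr0 ACCEPT is above the LIBVIRT_* jumps"
    else
        echo "$1: virbr0 ACCEPT missing or below the LIBVIRT_* jumps"
    fi
}
report good "$GOOD_RULES"
report bad  "$BAD_RULES"
```

Running check_live_forward from a cron job or after firewall-cmd --reload gives an immediate signal that the direct rule has dropped below the libvirt chains again.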