A.2. Virtualization Host Firewall Requirements

Both Red Hat Enterprise Linux hosts and Red Hat Enterprise Virtualization Hypervisors require that a number of ports be opened to allow network traffic through the system's firewall. In the case of the Red Hat Enterprise Virtualization Hypervisor, these firewall rules are configured automatically. For Red Hat Enterprise Linux hosts, however, it is necessary to configure the firewall manually.

Table A.2. Virtualization Host Firewall Requirements

Port(s): 22
Protocol: TCP
Source:
  • Red Hat Enterprise Virtualization Manager
Destination:
  • Red Hat Enterprise Virtualization Hypervisor(s)
  • Red Hat Enterprise Linux host(s)
Purpose: Secure Shell (SSH) access.

Port(s): 5900 - 6411
Protocol: TCP
Source:
  • Administration Portal clients
  • User Portal clients
Destination:
  • Red Hat Enterprise Virtualization Hypervisor(s)
  • Red Hat Enterprise Linux host(s)
Purpose: Remote guest console access via VNC and SPICE. These ports must be open to facilitate client access to virtual machines.

Port(s): 5989
Protocol: TCP, UDP
Source:
  • Common Information Model Object Manager (CIMOM)
Destination:
  • Red Hat Enterprise Virtualization Hypervisor(s)
  • Red Hat Enterprise Linux host(s)
Purpose: Used by Common Information Model Object Managers (CIMOM) to monitor virtual machines running on the virtualization host. If you wish to use a CIMOM to monitor the virtual machines in your virtualization environment, you must ensure that this port is open.

Port(s): 16514
Protocol: TCP
Source:
  • Red Hat Enterprise Virtualization Hypervisor(s)
  • Red Hat Enterprise Linux host(s)
Destination:
  • Red Hat Enterprise Virtualization Hypervisor(s)
  • Red Hat Enterprise Linux host(s)
Purpose: Virtual machine migration using libvirt.

Port(s): 49152 - 49216
Protocol: TCP
Source:
  • Red Hat Enterprise Virtualization Hypervisor(s)
  • Red Hat Enterprise Linux host(s)
Destination:
  • Red Hat Enterprise Virtualization Hypervisor(s)
  • Red Hat Enterprise Linux host(s)
Purpose: Virtual machine migration and fencing using VDSM. These ports must be open to facilitate both automated and manually initiated migration of virtual machines.

Port(s): 54321
Protocol: TCP
Source:
  • Red Hat Enterprise Virtualization Manager
  • Red Hat Enterprise Virtualization Hypervisor(s)
  • Red Hat Enterprise Linux host(s)
Destination:
  • Red Hat Enterprise Virtualization Hypervisor(s)
  • Red Hat Enterprise Linux host(s)
Purpose: VDSM communications with the Manager and other virtualization hosts.

Example A.1. Option Name: IPTablesConfig

Recommended (default) values: Automatically generated by vdsm bootstrap script
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# vdsm
-A INPUT -p tcp --dport 54321 -j ACCEPT
# libvirt tls
-A INPUT -p tcp --dport 16514 -j ACCEPT
# SSH
-A INPUT -p tcp --dport 22 -j ACCEPT
# guest consoles
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
# migration
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
# snmp
-A INPUT -p udp --dport 161 -j ACCEPT
# Reject any other input traffic
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
COMMIT
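As an added check that is not part of the Red Hat documentation or of vdsm, the following Python script parses INPUT rules in iptables-save format, reports which of the Table A.2 port requirements a host's rule set covers, and confirms the chain still ends in the catch-all REJECT. The sample rule set is taken from Example A.1 above; the REQUIRED table, function names and sample layout are my own assumptions.

```python
import re

# INPUT rules in iptables-save format, taken from Example A.1 above (table
# header lines and comments omitted); constructed here as the sample input.
VDSM_RULES = """\
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 54321 -j ACCEPT
-A INPUT -p tcp --dport 16514 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
-A INPUT -p udp --dport 161 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# (protocol, first port, last port) per purpose, from Table A.2.
REQUIRED = {
    "ssh": ("tcp", 22, 22),
    "guest consoles": ("tcp", 5900, 6411),
    "cimom (tcp)": ("tcp", 5989, 5989),
    "cimom (udp)": ("udp", 5989, 5989),
    "libvirt migration": ("tcp", 16514, 16514),
    "vdsm migration/fencing": ("tcp", 49152, 49216),
    "vdsm": ("tcp", 54321, 54321),
}

def accepted_ranges(rules, proto):
    """Port ranges INPUT accepts for proto; handles --dport N, A:B, A:B,C."""
    ranges = []
    for line in rules.splitlines():
        if not (line.startswith("-A INPUT ") and line.endswith("-j ACCEPT")
                and f"-p {proto} " in line):
            continue
        m = re.search(r"--dports? (\S+)", line)
        if not m:
            continue  # protocol rule without a port match
        for item in m.group(1).split(","):
            lo, _, hi = item.partition(":")
            ranges.append((int(lo), int(hi or lo)))
    return ranges

def check_host_firewall(rules):
    """Per-purpose coverage of Table A.2 plus whether INPUT ends in REJECT."""
    result = {}
    for name, (proto, lo, hi) in REQUIRED.items():
        acc = accepted_ranges(rules, proto)
        result[name] = all(any(a <= p <= b for a, b in acc) for p in range(lo, hi + 1))
    inputs = [l for l in rules.splitlines() if l.startswith("-A INPUT ")]
    result["default_reject"] = bool(inputs) and inputs[-1].startswith("-A INPUT -j REJECT")
    return result
```

Run against a host by feeding it the output of iptables-save. On the Example A.1 rules it reports the guest-console range as not covered, because the generated 5634:6166 rule does not span the 5900 - 6411 range listed in Table A.2, and it reports the CIMOM UDP port as closed, which is expected unless a CIMOM is in use.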