8.5. Configuring the Virtualization Host Firewall

Summary
Red Hat Enterprise Virtualization requires a number of network ports to be open to support virtual machines and remote management of the virtualization host from the Red Hat Enterprise Virtualization Manager. You must follow this procedure to open the required network ports before attempting to add the virtualization host to the Manager.
The steps in the following procedure configure the default firewall in Red Hat Enterprise Linux, iptables, to allow traffic on the required network ports. This procedure replaces the host's existing firewall configuration with one that contains only the ports required by Red Hat Enterprise Virtualization. If you have existing firewall rules with which this configuration must be merged, then you must do so by manually editing the rules defined in the iptables configuration file, /etc/sysconfig/iptables.
All commands in this procedure must be run as the root user.

Procedure 8.3. Configuring the Virtualization Host Firewall

  1. Remove existing rules from the firewall configuration

    Remove any existing rules from all chains of the filter table using the --flush parameter to the iptables command. Flushing removes the rules but does not change the chains' default policies. If the INPUT chain's default policy is DROP rather than ACCEPT, run this step from the host's console rather than over SSH, because flushing also removes the rule that permits your established SSH connection.
    # iptables --flush
  2. Add new firewall rules to configuration

    Add the firewall rules required by Red Hat Enterprise Virtualization using the --append parameter to the iptables command. The prompt character (#) has been intentionally omitted from this list of commands to allow easy copying of the content to a script file or command prompt.
    iptables --append INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables --append INPUT -p icmp -j ACCEPT
    iptables --append INPUT -i lo -j ACCEPT
    iptables --append INPUT -p tcp --dport 22 -j ACCEPT
    iptables --append INPUT -p tcp --dport 16514 -j ACCEPT
    iptables --append INPUT -p tcp --dport 54321 -j ACCEPT
    iptables --append INPUT -p tcp -m multiport --dports 5900:6923 -j ACCEPT
    iptables --append INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
    iptables --append INPUT -j REJECT --reject-with icmp-host-prohibited
    iptables --append FORWARD -m physdev ! --physdev-is-bridged -j REJECT \
    --reject-with icmp-host-prohibited
    

    Note

    The provided iptables commands add firewall rules to accept network traffic on a number of ports. These include:
    • Port 22 for SSH.
    • Ports 5900 to 6923 for guest console connections.
    • Port 16514 for libvirt virtual machine migration traffic.
    • Ports 49152 to 49216 for VDSM virtual machine migration traffic.
    • Port 54321 for the Red Hat Enterprise Virtualization Manager.
    In addition, packets belonging to established connections, ICMP, and traffic on the loopback interface are accepted. All other incoming traffic is rejected by the final INPUT rule, and forwarded traffic that does not traverse a bridge is rejected by the FORWARD rule. Rule order matters: iptables evaluates rules top to bottom and stops at the first match, so any rule added later with --append lands after the REJECT rule and never matches. To permit an additional port, insert the rule above the REJECT rule with --insert instead.
  3. Save the updated firewall configuration

    Run the following command to save the running rule set to /etc/sysconfig/iptables, the file that the iptables service loads at boot:
    # service iptables save
  4. Enable iptables service

    Ensure that the iptables service is configured to start on boot, then restart it so that it runs with the saved configuration (restart also starts the service if it was not already running).
    # chkconfig iptables on
    # service iptables restart
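The following script is an added example and is not part of the original guide or of Red Hat Enterprise Virtualization. After completing Procedure 8.3, it checks a saved rule set (the output of iptables-save, which is also the format of /etc/sysconfig/iptables) for the two mistakes that most often follow a manual merge: a required port whose ACCEPT rule is missing, and rules that were appended after the catch-all REJECT and therefore never match. The rule set embedded in the script is a constructed sample, not captured from a real host; it reproduces the rules from the procedure plus one deliberately misplaced rule for tcp/8080 so that the check has something to report.

```bash
#!/bin/bash
# Added example (not from the original guide): validate an iptables-save style
# rule set against the INPUT rules required by Red Hat Enterprise Virtualization.

# Constructed sample of iptables-save output after Procedure 8.3. The tcp/8080
# rule after the REJECT is deliberate: it is unreachable and the check flags it.
SAMPLE_RULES='# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 16514 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 54321 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5900:6923 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# TCP ports and ranges that Procedure 8.3 opens in the INPUT chain.
REQUIRED_PORTS="22 16514 54321 5900:6923 49152:49216"

# A catch-all rule is an INPUT rule with a REJECT or DROP target and no match
# criteria at all, i.e. "-A INPUT -j REJECT ..." or "-A INPUT -j DROP".
CATCHALL='^-A INPUT -j (REJECT|DROP)( |$)'

# Print the INPUT rules that precede the catch-all rule (the reachable ones).
reachable_input_rules() {
    awk -v re="$CATCHALL" '$0 ~ re { exit } /^-A INPUT /'
}

# Print the INPUT rules that follow the catch-all rule. They can never match.
unreachable_input_rules() {
    awk -v re="$CATCHALL" '/^-A INPUT / { if (after) print; else if ($0 ~ re) after = 1 }'
}

# Print each required port spec that has no reachable tcp ACCEPT rule.
missing_required_ports() {
    local reachable p
    reachable=$(reachable_input_rules)
    for p in $REQUIRED_PORTS; do
        # iptables-save writes single ports as "--dport N" and ranges as "--dports A:B".
        printf '%s\n' "$reachable" | grep -qE -e "--dports? ${p}( |$).*-j ACCEPT" \
            || echo "$p"
    done
}

# Read a rule set on stdin; report problems and return 1 if any were found.
check_rules() {
    local rules missing unreachable status=0
    rules=$(cat)
    missing=$(printf '%s\n' "$rules" | missing_required_ports)
    if [ -n "$missing" ]; then
        echo "no reachable ACCEPT rule for tcp port(s): $(printf '%s ' $missing)"
        status=1
    fi
    unreachable=$(printf '%s\n' "$rules" | unreachable_input_rules)
    if [ -n "$unreachable" ]; then
        echo "rules after the catch-all REJECT never match (use --insert, not --append):"
        printf '%s\n' "$unreachable" | sed 's/^/  /'
        status=1
    fi
    return $status
}

# Demonstration on the constructed sample. On a real host, run as root:
#   iptables-save | check_rules          or          check_rules < /etc/sysconfig/iptables
if printf '%s\n' "$SAMPLE_RULES" | check_rules; then
    echo "rule set OK"
fi
```

On the sample, the script reports the tcp/8080 rule as unreachable; removing that line makes the check pass. To add a port on a live host without this mistake, find the position of the REJECT rule with `iptables -L INPUT -n --line-numbers`, insert the new rule at that position with `iptables --insert INPUT <n> ...`, and then run `service iptables save` again so the change survives a restart.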
Result
You have configured the virtualization host's firewall to allow the network traffic required by Red Hat Enterprise Virtualization.