9.4. Configuring Virtualization Host Firewall

Summary

Red Hat Enterprise Virtualization requires that a number of network ports be open to support virtual machines and remote management of the virtualization host from the Red Hat Enterprise Virtualization Manager. You must follow this procedure to open the required network ports before attempting to add the virtualization host to the Manager.

Procedure 9.4. Configuring Virtualization Host Firewall

The following steps configure the default firewall in Red Hat Enterprise Linux, iptables, to allow traffic on the required network ports. This procedure replaces the host's existing firewall configuration with one that contains only the ports required by Red Hat Enterprise Virtualization. If you have existing firewall rules with which this configuration must be merged, then you must do so by manually editing the rules defined in the iptables configuration file, /etc/sysconfig/iptables.
All commands in this procedure must be run as the root user.
  1. Remove existing firewall rules from configuration

    Remove any existing firewall rules using the --flush parameter to the iptables command.
    # iptables --flush
  2. Add new firewall rules to configuration

    Add the new firewall rules, required by Red Hat Enterprise Virtualization, using the --append parameter to the iptables command. The prompt character (#) has been intentionally omitted from this list of commands to allow easy copying of the content to a script file or command prompt.
    iptables --append INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables --append INPUT -p icmp -j ACCEPT
    iptables --append INPUT -i lo -j ACCEPT
    iptables --append INPUT -p tcp --dport 22 -j ACCEPT
    iptables --append INPUT -p tcp --dport 16514 -j ACCEPT
    iptables --append INPUT -p tcp --dport 54321 -j ACCEPT
    iptables --append INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
    iptables --append INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
    iptables --append INPUT -j REJECT --reject-with icmp-host-prohibited
    iptables --append FORWARD -m physdev ! --physdev-is-bridged -j REJECT \
    --reject-with icmp-host-prohibited
    

    Note

    The provided iptables commands add firewall rules to accept network traffic on a number of ports. These include:
    • port 22 for SSH,
    • ports 5634 to 6166 for guest console connections,
    • port 16514 for libvirt virtual machine migration traffic,
    • ports 49152 to 49216 for VDSM virtual machine migration traffic, and
    • port 54321 for the Red Hat Enterprise Virtualization Manager.
  3. Save the updated firewall configuration

    Save the updated firewall configuration by passing the save argument to the iptables initialization script, which writes the running rules to /etc/sysconfig/iptables.
    # service iptables save
  4. Enable iptables service

    Ensure that the iptables service is configured to start on boot and has been restarted, or started for the first time if it was not already running.
    # chkconfig iptables on
    # service iptables restart
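    The following is an added example and is not part of the Red Hat documentation: a POSIX shell script that audits an iptables ruleset for the ACCEPT rules step 2 adds and for the catch-all REJECT rule that must follow them. It reads a constructed sample of iptables -S INPUT output embedded in the script, so it runs without root; the function names port_open, missing_ports and input_ends_with_reject are this example's own.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): audit a saved iptables
# ruleset for the ACCEPT rules Procedure 9.4 adds. It reads rule text rather
# than the live firewall, so it runs without root; on a configured host, pass
# the live chain instead:  missing_ports "$(iptables -S INPUT)"

# Ports and ranges opened in step 2 (22 SSH, 16514 libvirt migration,
# 54321 Manager, 5634:6166 guest consoles, 49152:49216 VDSM migration).
REQUIRED_PORTS="22 16514 54321 5634:6166 49152:49216"

# Constructed sample of `iptables -S INPUT` output from a host where the
# libvirt migration rule (16514) was left out.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 54321 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# port_open RULES PORT: succeeds when an INPUT rule accepts TCP PORT (or range).
# "( |$)" stops 22 from matching 2222; "--dports?" covers single and multiport.
port_open() {
    printf '%s\n' "$1" | grep -E -q -- "^-A INPUT .*-p tcp .*--dports? $2( |$).*-j ACCEPT"
}

# missing_ports RULES: prints each required port/range that has no ACCEPT rule.
missing_ports() {
    for p in $REQUIRED_PORTS; do
        port_open "$1" "$p" || printf '%s\n' "$p"
    done
}

# input_ends_with_reject RULES: succeeds when the last INPUT rule is the
# catch-all REJECT from step 2; without it, the ACCEPT rules restrict nothing
# under the default ACCEPT policy.
input_ends_with_reject() {
    printf '%s\n' "$1" | grep -- '^-A INPUT' | tail -n 1 | grep -q -- '-j REJECT'
}

# Stand-alone run against the constructed sample.
missing=$(missing_ports "$SAMPLE_RULES")
if [ -n "$missing" ]; then
    echo "Missing ACCEPT rules for TCP: $(printf '%s' "$missing" | tr '\n' ' ')"
else
    echo "All Procedure 9.4 TCP ports are accepted"
fi
input_ends_with_reject "$SAMPLE_RULES" || echo "INPUT chain lacks the final REJECT rule"
```

A rule appended after the REJECT (for example by re-running an --append after step 2) is never reached, which is why the script also checks the position of the REJECT rule.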
    
Result

You have configured the virtualization host's firewall to allow the network traffic required by Red Hat Enterprise Virtualization.