9.4. Configuring Virtualization Host Firewall
Summary
Red Hat Enterprise Virtualization requires that a number of network ports be open to support virtual machines and remote management of the virtualization host from the Red Hat Enterprise Virtualization Manager. You must follow this procedure to open the required network ports before attempting to add the virtualization host to the Manager.
Procedure 9.4. Configuring Virtualization Host Firewall
The following steps configure the default firewall in Red Hat Enterprise Linux, iptables, to allow traffic on the required network ports. This procedure replaces the host's existing firewall configuration with one that contains only the ports required by Red Hat Enterprise Virtualization. If you have existing firewall rules with which this configuration must be merged, you must do so by manually editing the rules defined in the iptables configuration file, /etc/sysconfig/iptables.

All commands in this procedure must be run as the root user.
Remove existing firewall rules from configuration
Remove any existing firewall rules using the --flush parameter to the iptables command. Note that --flush deletes the rules in the running filter table but leaves the default policy of each chain unchanged; if the INPUT chain policy on the host has been set to DROP rather than the default ACCEPT, flushing over an SSH session will cut off that session, so confirm the chain policies before you run it.
# iptables --flush
Add new firewall rules to configuration
Add the new firewall rules required by Red Hat Enterprise Virtualization using the --append parameter to the iptables command. The prompt character (#) has been intentionally omitted from this list of commands to allow easy copying of the content to a script file or command prompt.
iptables --append INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables --append INPUT -p icmp -j ACCEPT
iptables --append INPUT -i lo -j ACCEPT
iptables --append INPUT -p tcp --dport 22 -j ACCEPT
iptables --append INPUT -p tcp --dport 16514 -j ACCEPT
iptables --append INPUT -p tcp --dport 54321 -j ACCEPT
iptables --append INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
iptables --append INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
iptables --append INPUT -j REJECT --reject-with icmp-host-prohibited
iptables --append FORWARD -m physdev ! --physdev-is-bridged -j REJECT \
    --reject-with icmp-host-prohibited
Note
The provided iptables commands add firewall rules to accept network traffic on a number of ports. These include:
- port 22 for SSH,
- ports 5634 to 6166 for guest console connections,
- port 16514 for libvirt virtual machine migration traffic,
- ports 49152 to 49216 for VDSM virtual machine migration traffic, and
- port 54321 for the Red Hat Enterprise Virtualization Manager.
Save the updated firewall configuration
Save the updated firewall configuration using the save parameter to the iptables initialization script. This writes the rules currently loaded in the kernel to /etc/sysconfig/iptables, which the iptables service reads at boot.
# service iptables save
Enable iptables service
Ensure that the iptables service is configured to start on boot and has been restarted, or started for the first time if it was not already running.
# chkconfig iptables on
# service iptables restart
Result
You have configured the virtualization host's firewall to allow the network traffic required by Red Hat Enterprise Virtualization.
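The saved rule set is only useful if every required port is accepted before the terminal REJECT rule in the INPUT chain; an ACCEPT appended after the REJECT (for example by a later merge with existing rules) is never reached. The following script, an added example that is not part of the Red Hat guide, audits a file in iptables-save format (the format that service iptables save writes to /etc/sysconfig/iptables) for exactly that: it checks that TCP ports 22, 16514, 54321, 5634:6166 and 49152:49216 each have an ACCEPT rule in the filter table's INPUT chain positioned before the first REJECT. The function and sample names (rhev_check_dump, rhev_write_sample_good, rhev_write_sample_bad) are this example's own, and the two rule dumps are constructed to mirror the procedure above; the script reads only the file you give it and never touches the live firewall.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: audit an iptables-save dump
# (e.g. /etc/sysconfig/iptables) for the ports RHEV requires on a host.
# Assumption: the file is in iptables-save format, as "service iptables save" writes it.

# Ports the procedure opens; ranges use the iptables "low:high" notation.
RHEV_PORTS="22 16514 54321 5634:6166 49152:49216"

# rhev_check_dump FILE -> exit 0 if every required port has a tcp ACCEPT rule in the
# filter table's INPUT chain before the first REJECT, 1 otherwise (problems printed).
rhev_check_dump() {
    dump="$1"
    rc=0
    # Keep only INPUT rules from the *filter table, in order, numbered "N: rule".
    rules=$(awk '/^\*/{t=$1} t=="*filter" && /^-A INPUT /{n++; print n": "$0}' "$dump")
    # Position of the first REJECT in INPUT (0 if there is none).
    reject_pos=$(printf '%s\n' "$rules" | awk -F': ' '/-j REJECT/{print $1; exit}')
    [ -n "$reject_pos" ] || reject_pos=0
    for port in $RHEV_PORTS; do
        # Match "--dport PORT" or "--dports PORT" followed by a space or end of line,
        # so that port 22 does not match a rule for port 2222.
        pos=$(printf '%s\n' "$rules" | awk -F': ' -v p="$port" \
            'index($0, "-p tcp") && $0 ~ ("--dports? " p "( |$)") && /-j ACCEPT/ {print $1; exit}')
        if [ -z "$pos" ]; then
            echo "MISSING: no ACCEPT rule for tcp port(s) $port in INPUT"; rc=1
        elif [ "$reject_pos" -ne 0 ] && [ "$pos" -gt "$reject_pos" ]; then
            echo "SHADOWED: ACCEPT for $port (rule $pos) sits after REJECT (rule $reject_pos)"; rc=1
        fi
    done
    [ "$reject_pos" -ne 0 ] || { echo "WARNING: INPUT has no terminal REJECT rule"; rc=1; }
    return $rc
}

# Constructed sample: what iptables-save emits after the procedure above.
rhev_write_sample_good() {
    cat >"$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 16514 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 54321 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Constructed sample of a bad merge: port 54321 was dropped and the SSH ACCEPT
# landed after the REJECT, where it is never evaluated.
rhev_write_sample_bad() {
    cat >"$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 16514 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Stand-alone demonstration against the two constructed dumps.
demo_dir=$(mktemp -d)
rhev_write_sample_good "$demo_dir/good"
rhev_write_sample_bad "$demo_dir/bad"
for f in good bad; do
    if rhev_check_dump "$demo_dir/$f"; then echo "$f: OK"; else echo "$f: FAILED"; fi
done
rm -rf "$demo_dir"
```

To audit a real host, run rhev_check_dump /etc/sysconfig/iptables after the save step, or feed it the output of iptables-save to check the running rule set; a SHADOWED result is the typical symptom of merging the RHEV rules into an existing configuration by appending.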