# IPTables, VDE and qemu-kvm [SOLVED]

## jserink

Hi All:

I have a bit of a mental block in understanding something that I've got going on my machine.

Ok, my script to set up my VM looks like this:

```sh
vde_switch --numports 4 --mod 777 --group users --tap tap0 -x -d
ip addr add dev tap0 192.168.100.1/24 brd 192.168.100.255
ip link set dev tap0 up
echo "1" > /proc/sys/net/ipv4/ip_forward
dnsmasq --log-queries --interface=tap0
```

I then run this to start my windozeXP VM:

```sh
export SDL_VIDEO_X11_DGAMOUSE=0
export QEMU_AUDIO_DRV=alsa
kvm -boot c -hda /home/jserink/VMs/winxp1.img -cdrom /home/jserink/CDs/winxp.iso -m 1512 -usb -net nic,vlan=0,model=virtio,macaddr=52:54:00:00:EE:03 -net vde -localtime -no-quit -vga cirrus -name WorkXP -monitor telnet:127.0.0.1:12999,server,nowait,ipv4 &
/home/jserink/qemu/qgt-2005-03-02-19/host-linux 192.168.100.1 > /dev/null 2>&1 &
```

Internally, XP is configured for a static IP like this:

```
eth0          192.168.100.231/24
default route 192.168.100.1
dns           192.168.100.1
```

Now, I can ping the XP VM and tap0 from my machine and can ping my machine and the tap0 from the VM, but from the VM I cannot ping anything beyond the machine. Iptables is off.

I then enter this:

```sh
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -j ACCEPT
iptables -A INPUT -i tap0 -j ACCEPT
```

And it all starts to work.......

But, check this out:

```
jserinki7 linux # /etc/init.d/iptables status
 * status: stopped
```

Iptables is off. So how do iptables rules get something to work if iptables is off?

I'm really confused on this.

Cheers,

John

Last edited by jserink on Sat Oct 08, 2011 2:02 am; edited 1 time in total

----------

## jormartr

You can start vde manually, like you did, or with the managed way of /etc/init.d/vde start.

If you start it manually, the managed script does not know anything about the process, so it says it is stopped.

The same happens with iptables, with the difference that iptables is not a running daemon.

----------

## jserink

*jormartr wrote:*

> You can start vde manually, like you did, or with the managed way of /etc/init.d/vde start.
>
> If you start it manually, the managed script does not know anything about the process, so it says it is stopped.
>
> The same happens with iptables, with the difference that iptables is not a running daemon.

Ok, that makes sense.

Cheers,

John

----------

## eugen_mihailescu

*jserink wrote:*

> I then enter this:
>
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> ...

In fact your iptables is never off, because the firewall is built into your kernel (or could be a module that is already loaded when the kernel boots up).

What is off is just the /etc/init.d/iptables daemon (a kind of script which runs in the background) that simply loads/initializes the filter/nat tables of your firewall (when you start it) with some rules from a predefined script or from a saved version of iptables.

Based on your configuration, when you start the /etc/init.d/iptables daemon it will search for a /var/lib/iptables/rules-save file (or something like that) and then run the iptables-restore utility, which will read all the rules saved in /var/lib/iptables/rules-save and load them into the filter/nat tables of your iptables.

Also, the same daemon is configured (by default) in such a way that when you stop it, it will run the iptables-save utility, which dumps to /var/lib/iptables/rules-save all firewall rules which exist in the nat/filter tables of your kernel's firewall.

So, to answer your question:

When you stopped the iptables daemon, you in fact unloaded all the firewall rules that were loaded when the daemon started (perhaps rules defined by you on the fly and saved to disk when the daemon was stopped); so that's why your toy didn't work anymore with the iptables daemon off, because there was no rule to help you filter/NAT the stuff.

Later you added the nat/filter rules to the kernel firewall again (see those 3 iptables commands above in the quote), so you instructed the firewall how to do the NAT/filtering.

The /etc/init.d/iptables daemon is just a tool designed to load/unload some rules in your kernel firewall so that your firewall will not be left without rules (if no rule is defined/loaded, the firewall ACCEPTs everything by default).

I am far from being an expert in firewalls/security, I am just a newbie, but this is my understanding regarding the Linux iptables/firewall implementation.
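The following script is an added example and is not code from either poster. It ties together the two points of the thread: the three hand-typed NAT/forward rules from the first post, and the explanation above that the netfilter tables live in the kernel whether or not the init script has "started". It emits the ruleset in iptables-restore format (with a narrower FORWARD chain than the thread's blanket `-A FORWARD -j ACCEPT`), and it inspects `iptables-save` output to decide whether NAT is really in place, which is the check to run instead of `/etc/init.d/iptables status`. The interface names eth0 and tap0 and the subnet 192.168.100.0/24 are taken from the original post; the variable names, function names and the embedded sample dump are this example's own constructions.

```sh
#!/bin/sh
# Added example, not code from the thread. Builds the tap0 -> eth0 NAT rules
# the first post types by hand (with a narrower FORWARD chain) and checks what
# the kernel actually holds by reading iptables-save output. That output is the
# real "status" of netfilter; /etc/init.d/iptables status only reports whether
# that script loaded a saved ruleset.
# Assumptions (from the original post): outside interface eth0, VDE tap
# interface tap0, guest subnet 192.168.100.0/24.

WAN_IF="eth0"
TAP_IF="tap0"
GUEST_NET="192.168.100.0/24"

# Ruleset in iptables-restore format. Unlike the thread's "-A FORWARD -j ACCEPT",
# only guest->WAN traffic and its replies are forwarded, and the FORWARD policy
# is DROP so nothing else is routed through the host. Note that iptables-restore
# replaces the whole nat and filter tables with what is listed here.
gen_nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i $TAP_IF -s $GUEST_NET -j ACCEPT
-A FORWARD -i $TAP_IF -o $WAN_IF -s $GUEST_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $TAP_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Checks that read an iptables-save dump on stdin (exit status 0 = found).
has_masquerade() {
    grep -q -- "-A POSTROUTING .*-o $WAN_IF .*-j MASQUERADE"
}
forward_wide_open() {
    # The thread's rule: forwards everything, in every direction.
    grep -q -- '^-A FORWARD -j ACCEPT$'
}
# Routing between tap0 and eth0 also needs ip_forward=1; the optional path
# argument lets the check run against a copy of the sysctl file.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# Constructed dump of what the thread's three iptables commands leave in the
# kernel (the header line mimics real iptables-save output).
SAMPLE_SAVE=$(cat <<'EOF'
# Generated by iptables-save
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i tap0 -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT
EOF
)

# Load the ruleset and verify it against the live kernel; needs root.
apply_and_verify() {
    gen_nat_rules | iptables-restore || return 1
    iptables-save | has_masquerade
}

# Offline demonstration on the constructed dump (no privileges needed).
if printf '%s\n' "$SAMPLE_SAVE" | has_masquerade; then
    echo "kernel NATs out of $WAN_IF, whatever the init script says"
fi
if printf '%s\n' "$SAMPLE_SAVE" | forward_wide_open; then
    echo "FORWARD is a blanket ACCEPT; gen_nat_rules emits a narrower set"
fi
```

Run it as-is to see the checks against the embedded dump; as root, `gen_nat_rules | iptables-restore` loads the narrower ruleset, and `iptables-save | has_masquerade` confirms it from the kernel rather than from the init script's bookkeeping.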

----------

