
I do not want ip forwarding enabled for all my interfaces (I'm using Snort inline from this host and the IPS interfaces must not forward). I need ip forwarding enabled for my KVM guests behind the default NAT interface.

I added the following to /etc/rc.local

# default I know, Just in case...
sysctl net.ipv4.ip_forward=0
# enable forwarding for KVM guests
echo 1 > /proc/sys/net/ipv4/conf/virbr0-nic/forwarding
echo 1 > /proc/sys/net/ipv4/conf/virbr0/forwarding
echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding

This seems to work. I'm just checking to see if there is a better way to do this.

Without adding the last 3 lines in /etc/rc.local, my KVM guests behind the default NAT interface cannot get to the Internet.

  • If you are using libvirt then it automatically adds the correct firewall rules to prevent forwarding between inappropriate interfaces and you don't have to worry about this. – Michael Hampton Jul 09 '14 at 17:53
  • Edited the post, maybe this will clear up what I'm trying to do, and why. – insecure-IT Jul 09 '14 at 17:58

1 Answer


What you have described is the following in your sysctl.conf file

net.ipv4.ip_forward=0
net.ipv4.conf.eth0.forwarding=1
net.ipv4.conf.virbr0.forwarding=1
net.ipv4.conf.virbr0-nic.forwarding=1

Per Michael Hampton's response, libvirt should do that for you if the network is set up as a NAT one. Libvirt would typically also add firewall rules.

– Timothy c
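The rc.local and sysctl.conf snippets above rely on ordering: net.ipv4.ip_forward is the same knob as net.ipv4.conf.all.forwarding, and writing it resets the forwarding flag on every interface, so the global 0 has to come before the per-interface 1s. The script below is an added example (not from the question or answer) that applies the settings in that order and then audits the per-interface flags against an allowlist so an unexpected forwarder (such as an IPS sniffing interface) is flagged; the conf directory is a parameter so it can be run against a copy of the tree instead of the live /proc.

```shell
#!/bin/sh
# Added example: per-interface IPv4 forwarding, set in the right order and audited.
# CONF_DIR is normally /proc/sys/net/ipv4/conf; any directory with the same
# layout (<iface>/forwarding files) works for dry runs.

# set_forwarding CONF_DIR IFACE...
# Disables forwarding globally first (which clears every interface's flag),
# then enables it only on the listed interfaces.
set_forwarding() {
    conf_dir=$1; shift
    echo 0 > "$conf_dir/all/forwarding"          # same as net.ipv4.ip_forward=0
    for iface in "$@"; do
        echo 1 > "$conf_dir/$iface/forwarding"
    done
}

# audit_forwarding CONF_DIR IFACE...
# Prints "<iface> <flag> ok|UNEXPECTED" for each real interface and returns 1
# if any interface outside the allowlist has forwarding enabled.
audit_forwarding() {
    conf_dir=$1; shift
    rc=0
    for f in "$conf_dir"/*/forwarding; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        case "$iface" in all|default) continue ;; esac   # pseudo-entries, not NICs
        flag=$(cat "$f")
        allowed=no
        for a in "$@"; do [ "$a" = "$iface" ] && allowed=yes; done
        if [ "$flag" = 1 ] && [ "$allowed" = no ]; then
            echo "$iface $flag UNEXPECTED"; rc=1
        else
            echo "$iface $flag ok"
        fi
    done
    return $rc
}

# Usage on the live system: sh forwarding.sh eth0 virbr0 virbr0-nic
if [ $# -gt 0 ]; then
    set_forwarding /proc/sys/net/ipv4/conf "$@"
    audit_forwarding /proc/sys/net/ipv4/conf "$@"
fi
```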