[virt-tools-list] iptables rate limiting for bridged connection (kvm created bridge)
Phil Meyer
pmeyer at themeyerfarm.com
Wed Oct 27 17:21:01 UTC 2010
On 10/27/2010 09:20 AM, Tapas Mishra wrote:
> I have a KVM host set up with 4 VMs running on top of it (the server
> has 4 lan cards and only one is currently active)
> in ifconfig -a
> I see vnet0,vnet1,vnet2,vnet2
>
> 1) What are these vnet0,vnet1,vnet2,vnet2 which I see? I used
> kvm and virt-manager to create a bridged setup.
> virt-manager created four interfaces, all in the same bridge, or one bridge
> as vmnet1 and the rest of the VMs are using this.
>
> 2) When limiting the rate of incoming connections, what interface should I
> specify in place of eth0? The following rule definitely will not work:
>
> -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m
> recent --update --seconds 90 --hitcount 5 --name DEFAULT --rsource -j
> DROP
Create bridges for the other interfaces and simply assign them to VMs.
When dealing with bridges it is important to remember that the
/etc/sysconfig/network-scripts/ifcfg-* files are executed in
alphabetical order.
That means that br0 will try to come up before eth0 which can break
things. :)
For bridges that want to add an already working interface, the bridge
needs to be created after the interface comes up.
We usually create ifcfg-zbr0 with br0 defined inside it. That way eth0
comes up and then gets added to the new bridge br0.
Like this:
# cat ifcfg-zbr0
DEVICE=br0
ONBOOT=yes
TYPE=BRIDGE
BOOTPROTO=none
Interfaces that only host VM connections do not need to have an IP
assigned.
Here is an eth1 dedicated to VM(s).
# cat ifcfg-eth1
DEVICE=eth1
BOOTPROTO=static
TYPE=Ethernet
BRIDGE=br1
ONBOOT=yes
and the bridge:
# cat ifcfg-zbr1
DEVICE=br1
ONBOOT=yes
TYPE=BRIDGE
BOOTPROTO=none
Good Luck!
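Worked example, added here as an illustration and not part of Phil's reply or of any virt-tools code: a small bash lint that takes the ordering rule above at face value (ifcfg-* files brought up in C-locale alphabetical order, which is an assumption carried over from the reply, not something this script verifies against the network init script) and flags every BRIDGE= member whose bridge definition file sorts before it, suggesting the ifcfg-z<bridge> rename. The ifcfg files it writes into a temporary directory are constructed sample input: ifcfg-eth0/ifcfg-br0 show the broken naming, ifcfg-eth1/ifcfg-zbr1 the naming from the reply. The function names (make_demo_dir, check_ifcfg_order) are my own.

```shell
#!/bin/bash
# Added example, not from the mailing-list post. Assumes (as the reply states)
# that ifcfg-* files are processed in alphabetical order, so a bridge file
# must sort after the files of the interfaces it enslaves.

# Write constructed sample ifcfg files into a fresh temp dir and print its path.
make_demo_dir() {
    d=$(mktemp -d)
    # Broken: ifcfg-br0 sorts before ifcfg-eth0, so br0 is brought up first.
    printf 'DEVICE=eth0\nBOOTPROTO=none\nTYPE=Ethernet\nBRIDGE=br0\nONBOOT=yes\n' \
        > "$d/ifcfg-eth0"
    printf 'DEVICE=br0\nONBOOT=yes\nTYPE=BRIDGE\nBOOTPROTO=none\n' \
        > "$d/ifcfg-br0"
    # Correct: ifcfg-zbr1 sorts after ifcfg-eth1, as in the reply.
    printf 'DEVICE=eth1\nBOOTPROTO=static\nTYPE=Ethernet\nBRIDGE=br1\nONBOOT=yes\n' \
        > "$d/ifcfg-eth1"
    printf 'DEVICE=br1\nONBOOT=yes\nTYPE=BRIDGE\nBOOTPROTO=none\n' \
        > "$d/ifcfg-zbr1"
    echo "$d"
}

# For every ifcfg-* file carrying BRIDGE=<name>, find the file that defines
# DEVICE=<name> and compare the two file names in C collation. Prints one
# line per member: "OK <member> <bridge-file>", "BAD <member> <bridge-file>
# (rename to ifcfg-z<name>)" or "MISSING <member> <name>". Always exits 0;
# callers inspect the output.
check_ifcfg_order() {
    dir="$1"
    for f in "$dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        bridge=$(sed -n 's/^BRIDGE=//p' "$f")
        [ -n "$bridge" ] || continue
        member=$(basename "$f")
        bf=$(grep -l '^DEVICE='"$bridge"'$' "$dir"/ifcfg-* 2>/dev/null | head -n 1)
        if [ -z "$bf" ]; then
            echo "MISSING $member $bridge"
            continue
        fi
        bname=$(basename "$bf")
        # Whichever name sorts first is brought up first.
        first=$(printf '%s\n%s\n' "$member" "$bname" | LC_COLLATE=C sort | head -n 1)
        if [ "$first" = "$bname" ]; then
            echo "BAD $member $bname (rename to ifcfg-z$bridge)"
        else
            echo "OK $member $bname"
        fi
    done
    return 0
}

# Stand-alone usage: build the sample directory, lint it, clean up.
demo_dir=$(make_demo_dir)
check_ifcfg_order "$demo_dir"
rm -rf "$demo_dir"
```

Run it against a real /etc/sysconfig/network-scripts by calling check_ifcfg_order with that path; any BAD line names a bridge file that the reply's ifcfg-zbr<N> convention would move behind its port.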