oVirt host – iptables

When you add a new host to your oVirt Engine, host deploy overwrites the host's iptables rules with the Engine's template. The generated rules might not meet your needs, but you can change the template on the Engine side.

oVirt 3.4

Using the engine-config command on the Engine host, print the default rule template:

sudo engine-config -g IPTablesConfig
    IPTablesConfig:
    # oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    # vdsm
    -A INPUT -p tcp --dport @VDSM_PORT@ -j ACCEPT
    # SSH
    -A INPUT -p tcp --dport @SSH_PORT@ -j ACCEPT
    # snmp
    -A INPUT -p udp --dport 161 -j ACCEPT

    @CUSTOM_RULES@

    # Reject any other input traffic
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
    COMMIT

To set new rules, copy the lines returned above and add your rules just after @CUSTOM_RULES@. Keep them above the final REJECT rule, otherwise they never match. The rule set is loaded on the host with iptables-restore, which only understands double quotes, so quote rule arguments with \" inside the double-quoted engine-config value. For example:

sudo engine-config -s IPTablesConfig="
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    # vdsm
    -A INPUT -p tcp --dport @VDSM_PORT@ -j ACCEPT
    # SSH
    -A INPUT -p tcp --dport @SSH_PORT@ -j ACCEPT
    # snmp
    -A INPUT -p udp --dport 161 -j ACCEPT

    @CUSTOM_RULES@
    -A INPUT -m comment --comment \"new rule\" -j LOG --log-prefix \"new rule \"

    # Reject any other input traffic
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
    COMMIT"

oVirt 3.5

The new version has a dedicated option for site rules, IPTablesConfigSiteCustom, so the full template no longer has to be copied. Follow the example:

sudo engine-config --set IPTablesConfigSiteCustom="
    -A INPUT -m comment --comment \"new rule\" -j LOG --log-prefix \"new rule \"
    "

That new rule is substituted for @CUSTOM_RULES@ in the template, so it lands before the final REJECT rule, and every host deployed from then on receives it.
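The following script is an added example and is not code from the post or from the oVirt project. It renders the IPTablesConfig template shown above with a set of site rules, exactly as both the 3.4 approach (editing IPTablesConfig) and the 3.5 approach (IPTablesConfigSiteCustom) end up doing at @CUSTOM_RULES@, and checks the result for the two mistakes that silently break a firewall: custom INPUT rules landing after the catch-all REJECT, and quoting that iptables-restore does not accept. The VDSM port (54321) and SSH port (22) are assumed defaults used only to fill the placeholders; the `render` and `check` function names are the example's own.

```python
"""Added example (not oVirt project code): render the engine's
IPTablesConfig template with site-custom rules and sanity-check the
result before handing it to engine-config.

Assumed: the template is the one engine-config -g IPTablesConfig prints;
the VDSM (54321) and SSH (22) ports are the usual defaults and only
illustrate what host deploy substitutes.
"""
import re

# Template text as printed by `engine-config -g IPTablesConfig` (oVirt 3.4).
TEMPLATE = """\
# oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# vdsm
-A INPUT -p tcp --dport @VDSM_PORT@ -j ACCEPT
# SSH
-A INPUT -p tcp --dport @SSH_PORT@ -j ACCEPT
# snmp
-A INPUT -p udp --dport 161 -j ACCEPT

@CUSTOM_RULES@

# Reject any other input traffic
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# The logging rule from the post, written the way iptables-restore reads it
# (double quotes; inside the shell's double-quoted engine-config value they
# are typed as \" ).
SITE_RULE = '-A INPUT -m comment --comment "new rule" -j LOG --log-prefix "new rule "'


def render(template, custom_rules, vdsm_port=54321, ssh_port=22):
    """Fill the placeholders the way host deploy does. Both the 3.4 edited
    template and the 3.5 IPTablesConfigSiteCustom value end up at
    @CUSTOM_RULES@, so one renderer covers both."""
    body = template.replace("@VDSM_PORT@", str(vdsm_port))
    body = body.replace("@SSH_PORT@", str(ssh_port))
    return body.replace("@CUSTOM_RULES@", custom_rules.strip())


def check_quoting(rule):
    """Return quoting problems in one rule line that iptables-restore rejects."""
    problems = []
    if "'" in rule:
        problems.append("single quotes are passed literally by iptables-restore")
    if rule.count('"') % 2:
        problems.append("unbalanced double quotes")
    for m in re.finditer(r'"[^"]*"', rule):
        nxt = rule[m.end():m.end() + 1]
        if nxt and not nxt.isspace():
            # e.g. "new rule "-j  -> the -j is swallowed into the quoted token
            problems.append("closing quote glued to the next token: %r"
                            % rule[m.start():m.end() + 2])
    return problems


def check(rendered):
    """Return a list of problems with a rendered rule set; empty means sane."""
    problems = []
    if re.search(r"@[A-Z_]+@", rendered):
        problems.append("unsubstituted placeholder left in rule set")
    lines = [l.strip() for l in rendered.splitlines()]
    rules = [l for l in lines if l and not l.startswith("#")]
    if not rules or rules[-1] != "COMMIT":
        problems.append("rule set must end with COMMIT")
    # Anything appended to INPUT after the catch-all REJECT can never match.
    input_idx = [i for i, l in enumerate(rules) if l.startswith("-A INPUT")]
    reject_idx = [i for i in input_idx if "-j REJECT" in rules[i]]
    if not reject_idx:
        problems.append("no catch-all REJECT in INPUT chain")
    elif any(i > reject_idx[0] for i in input_idx):
        problems.append("INPUT rule placed after the catch-all REJECT (unreachable)")
    for l in rules:
        if l.startswith("-A"):
            problems.extend(check_quoting(l))
    return problems


if __name__ == "__main__":
    out = render(TEMPLATE, SITE_RULE)
    print(out)
    print("problems:", check(out) or "none")
```

Run it before changing the Engine configuration: feed it the template you intend to set and your site rules, and only push the value with engine-config once `check` returns an empty list. The quoting check is deliberately strict about single quotes because the iptables-restore parser treats only double quotes as grouping characters.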