kvm, iptables for virtual hosts
Jacques Beigbeder
Jacques.Beigbeder at ens.fr
Wed Dec 30 18:52:01 UTC 2015
Hi All,
I have the following setup:
* a host called HYPERVISOR:
auto em1
iface em1 inet manual
auto br0
iface br0 inet static
bridge_ports em1
bridge_maxwait
address A.B.C.D
...
* a Virtual Machine called VM1:
<interface type='bridge'>
<mac address='52:54:00:54:99:d5'/>
...
<model type='virtio'/>
...
Say that IP is X.Y.Z.T.
I used to filter on HYPERVISOR with iptables + FORWARD rules.
...
:FORWARD ACCEPT [0:0]
...
-A FORWARD -i br0 -d X.Y.Z.T (accept/drop/...)
-A FORWARD -i br0 -s X.Y.Z.T ACCEPT
...
Up to HYPERVISOR with Ubuntu 14.04, kernel 3.5.0-51-generic, it worked.
I just installed the last Ubuntu 14.04 server LTS, kernel is 3.19.0-42-generic,
and iptables fail to filter for X.Y.Z.T: every packet is accepted.
I also saw that previously 'iptables -vL' displayed:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
... and a lot of lines with pkts > 0
Now on last Ubuntu 14.04 server LTS, 'iptables -vL' displays:
0 0 REJECT all -- any any anywhere ...
All counters display zero!
What happens now?
Do I have to use ebtables/iptables,
like in https://libvirt.org/firewall.htmlebta?
Is there a tutorial?
Thanks.
--
Jacques Beigbeder | Jacques.Beigbeder at ens.fr
Service de Prestations Informatiques | http://www.spi.ens.fr
Ecole normale supérieure |
45 rue d'Ulm |Tel : (+33 1)1 44 32 37 96
F75230 Paris cedex 05 |Fax : (+33 1)1 44 32 20 75
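A diagnostic for the symptom described above (FORWARD rules on a bridged KVM host whose counters all stay at zero), added here as an example; it is not part of the original post or of libvirt. It assumes the bridge-netfilter mechanism (the br_netfilter module and the sysctl net.bridge.bridge-nf-call-iptables, which the linked libvirt page also describes) and takes its inputs as arguments so the logic can be exercised on constructed data; live_check() reads the real host.

```shell
#!/bin/sh
# Added example: bridged frames only reach the iptables FORWARD chain when
# bridge netfilter is active. On kernels from 3.18 on it lives in the separate
# br_netfilter module, and net.bridge.bridge-nf-call-iptables does not exist
# until that module is loaded, so rules on br0 silently see nothing.

# $1 = value of net.bridge.bridge-nf-call-iptables, "" when the file is absent
bridge_nf_state() {
    case "$1" in
        1)  echo "on" ;;
        0)  echo "off" ;;
        "") echo "missing" ;;
        *)  echo "unknown" ;;
    esac
}

# $1 = output of `iptables -vnxL FORWARD` (-x gives exact counters);
# prints the sum of the per-rule pkts column
forward_rule_pkts() {
    printf '%s\n' "$1" | awk 'NR > 2 && $1 ~ /^[0-9]+$/ { t += $1 } END { print t + 0 }'
}

# $1 = sysctl value, $2 = iptables output; prints a one-line verdict
diagnose() {
    pkts=$(forward_rule_pkts "$2")
    case "$(bridge_nf_state "$1")" in
        on)      echo "ok: bridge-nf on, $pkts packets matched FORWARD rules" ;;
        off)     echo "bypass: set net.bridge.bridge-nf-call-iptables=1" ;;
        missing) echo "bypass: load br_netfilter, then set net.bridge.bridge-nf-call-iptables=1" ;;
        *)       echo "unknown bridge-nf state" ;;
    esac
}

# Live check on the hypervisor itself (iptables needs root).
live_check() {
    nf=$(cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null || :)
    fwd=$(iptables -vnxL FORWARD 2>/dev/null || :)
    diagnose "$nf" "$fwd"
}

# Constructed sample resembling the poster's listing with all-zero counters.
SAMPLE_FORWARD='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  br0    *       X.Y.Z.T              0.0.0.0/0'
```

Run live_check on the hypervisor; a "bypass" verdict explains zero counters without any rule being wrong, and the sysctl must be made persistent (e.g. via /etc/sysctl.d and a modules file) or it reverts on reboot.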