Linux firewall issues with bridged network devices and KVM virtualization

Recently, I made my first steps with KVM virtualization. So far, everything went well and as expected: the performance was great, and the configuration with tools like Cockpit was straightforward.

As soon as I tried to run TCP or UDP services inside the guests, I realized that the host firewall blocked everything that had not been explicitly allowed, although I had thought that bridged network devices would not interact with the host's firewall rules at all.

After fiddling around with bridged networks in KVM for hours, I stumbled upon this inconspicuous article about the kernel's bridge netfilter parameters: https://wiki.libvirt.org/page/Net.bridge.bridge-nf-call_and_sysctl.conf

For historical reasons, the kernel maintainers refuse to change the default settings, which make the host's firewall responsible for bridged guest traffic. (See http://patchwork.ozlabs.org/patch/29319/ for additional information.)

Long story short:

The configuration file "/etc/sysctl.conf" needs to be modified:

  net.bridge.bridge-nf-call-arptables = 0
  net.bridge.bridge-nf-call-ip6tables = 0
  net.bridge.bridge-nf-call-iptables = 0

Afterwards, the command "sysctl -p" needs to be run. As far as I can see, this command is not executed at boot time, so it needs to be put into one of the many boot-up scripts, depending on the Linux distribution used.

As soon as these parameters are set to 0, the host's iptables, ip6tables and arptables rules no longer apply to traffic crossing the bridge, so guest traffic is no longer filtered by the host and each guest has to enforce its own firewall rules.
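The following is an added example, not part of the original post, that audits a sysctl.conf-style file for the three bridge-nf-call keys, appends any that are not set to 0, and reads the live kernel values from /proc. The function and variable names are my own; the sample file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit and fix the three
# net.bridge.bridge-nf-call-* settings in a sysctl.conf-style file and
# show what the running kernel currently uses.

BRIDGE_NF_KEYS="net.bridge.bridge-nf-call-arptables net.bridge.bridge-nf-call-ip6tables net.bridge.bridge-nf-call-iptables"

# value_in_conf FILE KEY: print the effective value of KEY in FILE.
# sysctl.conf syntax is "key = value"; '#' and ';' start comments; when a
# key appears several times the last occurrence wins, as it does for sysctl -p.
value_in_conf() {
    file=$1; key=$2
    sed -e 's/[#;].*$//' "$file" \
      | awk -v k="$key" -F'=' '
          { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2) }
          $1 == k { v = $2 }
          END { if (v != "") print v }'
}

# count_missing FILE: number of bridge-nf keys in FILE that are not set to 0
# (0 means the host firewall is fully detached from bridged traffic).
count_missing() {
    file=$1; n=0
    for key in $BRIDGE_NF_KEYS; do
        [ "$(value_in_conf "$file" "$key")" = "0" ] || n=$((n + 1))
    done
    echo "$n"
}

# append_missing FILE: append "key = 0" for every key not already set to 0.
append_missing() {
    file=$1
    for key in $BRIDGE_NF_KEYS; do
        [ "$(value_in_conf "$file" "$key")" = "0" ] \
            || printf '%s = 0\n' "$key" >> "$file"
    done
}

# live_value KEY: the running kernel's value, or "absent" when the
# /proc entry does not exist (bridge netfilter module not loaded).
live_value() {
    path="/proc/sys/net/bridge/${1#net.bridge.}"
    if [ -r "$path" ]; then cat "$path"; else echo absent; fi
}

# Demo on a constructed temporary file (never touches /etc/sysctl.conf).
demo=$(mktemp)
printf '# constructed sample\nnet.ipv4.ip_forward = 1\nnet.bridge.bridge-nf-call-iptables = 1\n' > "$demo"
echo "keys still enabled before fix: $(count_missing "$demo")"
append_missing "$demo"
echo "keys still enabled after fix:  $(count_missing "$demo")"
for key in $BRIDGE_NF_KEYS; do
    echo "live $key = $(live_value "$key")"
done
rm -f "$demo"
```

Run it as a normal user to see the audit; to apply it to the real file, call `append_missing /etc/sysctl.conf` as root and then `sysctl -p`. Note that the /proc entries, and therefore the sysctl keys, only exist once the bridge netfilter module (br_netfilter on current kernels) is loaded; `live_value` reports "absent" in that case, and `sysctl -p` fails on those keys until the module is loaded.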

Problem solved!
