You’ve decided that you need a modicum of security on your virtualisation host, and you’ve picked ConfigServer firewall as your software of choice.
You’ve installed it, all the ports have been let through, and the host is happy.
Except that now, none of the guests are – their networking is now as dead as a dodo.
The file you need to know about is /etc/csf/csfpost.sh.
The second thing you need to realise is that the firewall is set up as a client firewall – the end-user of packets, so to speak. It’s not expecting to forward packets on. But that’s exactly what your host is now doing for the guests.
So. That file. Edit it and add the following, which tells ConfigServer Firewall to load these rules in addition to the ones it creates itself:
IPT=/sbin/iptables
# Remove whatever is currently in the FORWARD chain
$IPT -F FORWARD
# Let the host forward IPv4 packets for the guests instead of dropping them
$IPT -P FORWARD ACCEPT
Then, 6 weeks later, you realise that the long pauses when connecting to dual-stack IPv6 hosts are because the guest attempts an IPv6 connection first and only falls back to IPv4 when that fails.
An additional clue that this is the cause of the problem is that a ping6 from the guest fails with the error: “Destination unreachable: Address unreachable”.
What is actually happening, if you break out Wireshark, is that the neighbour discovery packets are not being answered, so your box can’t find the router it needs to communicate with the outside world.
So, you edit the file again, and you add the following lines:
IPT6=/sbin/ip6tables
# Same again for IPv6: without this, neighbour discovery is dropped in FORWARD
$IPT6 -F FORWARD
$IPT6 -P FORWARD ACCEPT
Tada! That’ll teach you not to think about things up front, won’t it?
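Both snippets above open FORWARD to everything the host can see. The csfpost.sh below is an added example (not CSF’s own code) that forwards only frames bridged between the guests and the upstream router and keeps the default policy at DROP; it assumes the guests sit on a bridge called br0 (a placeholder) and, as the neighbour-discovery symptom implies, that bridged frames are being passed through iptables.

```shell
#!/bin/sh
# /etc/csf/csfpost.sh: CSF runs this after loading its own rules.
# Hardened alternative (added example, not CSF's own code): forward only traffic
# that is bridged between the guests and the upstream router, instead of
# flushing FORWARD and setting its policy to ACCEPT for everything.
# Assumptions: guests are bridged on BRIDGE (br0 is a placeholder name) and,
# as the symptom above implies, bridged frames are passed through iptables.
BRIDGE="${BRIDGE:-br0}"
IPT="${IPT:-/sbin/iptables}"
IPT6="${IPT6:-/sbin/ip6tables}"

# Print the FORWARD rules for one address family, one command per line.
# $1 = iptables binary, $2 = 4 or 6. Printing rather than running keeps the
# rule set inspectable (and testable) without root.
forward_rules() {
    bin=$1
    fam=$2
    printf '%s -F FORWARD\n' "$bin"
    # Default deny: anything not matched below is not forwarded.
    printf '%s -P FORWARD DROP\n' "$bin"
    # Replies belonging to connections the rules below allowed.
    printf '%s -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$bin"
    if [ "$fam" = 6 ]; then
        # Neighbour discovery and router advertisements travel over ICMPv6;
        # dropping them produces the "Address unreachable" symptom above,
        # so keep this rule even if the bridge rule is narrowed further.
        printf '%s -A FORWARD -p ipv6-icmp -j ACCEPT\n' "$bin"
    fi
    # Frames bridged between guests and the router enter and leave on the
    # bridge device itself. Traffic routed between the bridge and another
    # interface does not match this and needs its own explicit rule.
    printf '%s -A FORWARD -i %s -o %s -j ACCEPT\n' "$bin" "$BRIDGE" "$BRIDGE"
}

# Apply both rule sets, stopping at the first command that fails.
apply_rules() {
    forward_rules "$IPT" 4 | sh -e
    forward_rules "$IPT6" 6 | sh -e
}

# Only touch the live firewall when CSF actually runs this file as csfpost.sh;
# sourcing or running it under another name just defines the functions.
case "$(basename -- "$0")" in
    csfpost.sh) apply_rules ;;
esac
```

Run `forward_rules /sbin/ip6tables 6` by hand to review the IPv6 rule set before letting CSF load it.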