
@dipankardas011
Last active October 19, 2025 16:11

Final Documentation: Enabling VM Internet on a Host with Docker

Objective

To provide persistent internet connectivity to libvirt virtual machines on a host system where Docker's firewall rules are active. This configuration resolves the conflict where Docker's FORWARD DROP policy blocks VM traffic.

The solution consists of two essential parts:

  1. Packet Forwarding: Creating high-priority firewall rules to explicitly allow traffic from the VM network (virbr0) to pass through the host's firewall.
  2. Network Address Translation (NAT): Enabling masquerading on the libvirt firewall zone so that the VM's private IP address is translated to the host's IP address for communication with the internet.

Required Commands

Execute the following commands on the host machine.

Step 1: Enable Packet Forwarding for the VM Network

These firewalld direct rules insert iptables-style rules at priority 0, i.e. at the top of the FORWARD chain, so they are evaluated before Docker's restrictive rules. Note that the first rule accepts all forwarded traffic arriving from virbr0 regardless of destination, including Docker's own bridge networks; add a destination match if the VMs should not be able to reach containers.

# Allow new traffic originating FROM the VM network ('virbr0') to be forwarded.
sudo firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i virbr0 -j ACCEPT

# Allow return traffic TO the VM network for established connections.
sudo firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Step 2: Enable Network Address Translation (NAT)

This command enables masquerading for the libvirt zone, which is the standard mechanism for performing NAT.

# Enable Network Address Translation (NAT) for the libvirt zone.
sudo firewall-cmd --permanent --zone=libvirt --add-masquerade

Step 3: Apply Firewall Changes

The rules above are saved to the permanent configuration but are not yet active. This command reloads the firewall to apply all changes to the live configuration.

# Apply all permanent changes to the live firewall.
sudo firewall-cmd --reload

Verification

After running the commands, you can verify that the configuration is correct.

1. Check the Forwarding Rules: The ACCEPT rules for virbr0 should appear at the top of the FORWARD chain. The -v flag is required so that the in/out interface columns are displayed; without it the listing does not show which rules apply to virbr0.

sudo iptables -L FORWARD -n -v --line-numbers

2. Check the Masquerade Rule: This command should return yes.

sudo firewall-cmd --zone=libvirt --query-masquerade

3. Test Connectivity: Restart your virtual machine, log in, and test the internet connection.

ping 8.8.8.8
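As an added check that is not part of the original gist, the POSIX shell function below parses the output of `sudo iptables -L FORWARD -n -v --line-numbers` and confirms that both virbr0 ACCEPT rules are listed above Docker's first DOCKER-* chain jump (DOCKER-USER, DOCKER-ISOLATION-STAGE-1). The two listings it runs against are constructed samples, not captures from a real host.

```shell
#!/bin/sh
# Added example (not from the original gist): verify from the output of
# `sudo iptables -L FORWARD -n -v --line-numbers` that both virbr0 ACCEPT rules
# precede Docker's first DOCKER-* jump. With -v the columns are:
# num pkts bytes target prot opt in out source destination [match ...]
# check_forward_order: reads the listing on stdin; exits 0 if the order is right.
check_forward_order() {
    awk '
        $1 ~ /^[0-9]+$/ {
            if ($4 ~ /^DOCKER/ && docker == 0) docker = $1
            if ($4 == "ACCEPT" && $7 == "virbr0" && in_rule == 0) in_rule = $1
            if ($4 == "ACCEPT" && $8 == "virbr0" && /RELATED,ESTABLISHED/ && out_rule == 0) out_rule = $1
        }
        END {
            if (in_rule == 0 || out_rule == 0) { print "FAIL: virbr0 ACCEPT rule(s) missing"; exit 1 }
            if (docker != 0 && (in_rule > docker || out_rule > docker)) {
                print "FAIL: virbr0 rules " in_rule "," out_rule " sit below Docker jump at " docker; exit 1
            }
            msg = "OK: virbr0 rules at " in_rule " and " out_rule
            if (docker != 0) msg = msg ", Docker jump at " docker
            print msg
        }
    '
}
# Constructed sample listing (not captured from a real host): rules in the right order.
good_listing() {
    cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       12   960 ACCEPT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0
2       10   840 ACCEPT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4        0     0 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}
# Constructed sample: same rules appended below Docker's jumps (e.g. added without priority 0).
bad_listing() {
    cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2        0     0 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3       12   960 ACCEPT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0
4       10   840 ACCEPT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
EOF
}
good_listing | check_forward_order
bad_listing | check_forward_order || echo "(misordered listing rejected as expected)"
```

On the host itself, pipe the live listing into the function: `sudo iptables -L FORWARD -n -v --line-numbers | check_forward_order`.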

This set of commands provides a robust and permanent solution, allowing both Docker and virt-manager to function correctly without interfering with each other.
