2.5.6. Configuring the firewall
The hypervisor needs to be able to communicate with other hypervisors and the management server needs to be able to reach the hypervisor.
In order to do so we have to open the following TCP ports (if you are using a firewall):
22 (SSH)
1798
16509 (libvirt)
5900 - 6100 (VNC consoles)
49152 - 49216 (libvirt live migration)
It depends on the firewall you are using how to open these ports. Below you'll find examples how to open these ports in RHEL/CentOS and Ubuntu.
2.5.6.1. Open ports in RHEL/CentOS
RHEL and CentOS use iptables for firewalling the system, you can open extra ports by executing the following iptable commands:
iptables -I INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 1798 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 16509 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 5900:6100 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 49152:492160 -j ACCEPT
These iptable settings are not persistent accross reboots, we have to save them first.
iptables-save > /etc/sysconfig/iptables
2.5.6.2. Open ports in Ubuntu
The default firewall under Ubuntu is UFW (Uncomplicated FireWall), which is a Python wrapper around iptables.
To open the required ports, execute the following commands:
ufw allow proto tcp from any to any port 22
ufw allow proto tcp from any to any port 1798
ufw allow proto tcp from any to any port 16509
ufw allow proto tcp from any to any port 5900:6100
ufw allow proto tcp from any to any port 49152:492160
By default UFW is not enabled on Ubuntu. Executing these commands with the firewall disabled does not enable the firewall.