
OPS335 Lab 2

178 bytes added, 19:21, 4 January 2021
Creating Customized Chains
#* '''Note:''' Use '''--jump''' or '''-j''' (<u>not</u> -g or --goto) to move to a target. With '''-j''', a packet that reaches the end of the custom chain without a verdict returns to the calling chain; with '''-g''' it does not.
# Add a rule to your '''MYSSH''' chain to accept all traffic on your virtual interface from '''192.168.X.0/24''' (i.e. your internal network).
# Add a rule to the '''beginning of your MYSSH chain''' that allows traffic from the IP address of your main host (probably Windows) machine.
# Add a rule to the '''end of the MYSSH chain''' to drop all remaining '''ssh''' connections, but to log these denied packets with log level 'info' and log prefix "DENIED BY MYSSH" before doing so.
# Remove the rule in your '''INPUT''' chain that was allowing all '''ssh''' traffic.
# Find the '''IP ADDRESS''' and '''MAC address''' of your Windows machine's '''internal facing interface''' (should be an internal address beginning with '''192.168.40.x''').
# Add a rule to your '''MYICMP''' chain that allows '''ICMP''' packets coming in from '''192.168.X.0/24''' (i.e. your internal network).
# Insert a rule at the '''beginning of your MYICMP chain''' that denies '''ICMP pings''' originating from the MAC address of your main host (probably Windows) machine.
# Insert a rule at the '''beginning of your MYICMP chain''' that denies '''ICMP pings''' originating from the IP address of your main host (probably Windows) machine.
# Issue '''iptables -L -v''' to view your firewall rules for your newly-created chains.
# Attempt to connect to your machine using the external facing address to ensure your rules are working.<br />You should not be able to connect from your Windows machine, and the counters in iptables should show that packets are being caught in your MYICMP and MYSSH chains.<br /><br />'''NOTE:''' Your system logs (such as '''/var/log/messages''', or, since you are using customized chains, the output of '''journalctl --dmesg | grep MYSSH''') should also show your failed attempts to '''ssh''' to your machine, tagged with your '''customized''' log prefix.
# When you are confident the rules are working, save them by running ('''Note''' ''that this should not include the rules from the virtual network. They will always be added automatically when libvirtd starts.'') <source>iptables-save > /etc/sysconfig/iptables</source><br />
# Now start libvirtd again, and test that your firewall still allows the VMs to connect to the host and each other (ping and ssh). Do not continue until it works.
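The steps above, collected into one script as an added example (this is not the lab's own solution). The interface name, internal network, main-host IP and MAC are placeholders standing in for the lab's '''192.168.X.0/24''' and "your main host"; override them in the environment. The shape of the old blanket ssh rule in INPUT is also an assumption. '''DRY_RUN=1''' prints the iptables commands instead of running them, so the rule set can be reviewed without root before it is applied.

```shell
#!/bin/sh
# Added example for OPS335 Lab 2: build the MYSSH and MYICMP chains.
# All addresses and the interface name below are ASSUMED placeholders.
INT_IF="${INT_IF:-virbr0}"                 # virtual interface (assumed name)
INT_NET="${INT_NET:-192.168.40.0/24}"      # internal network (assumed)
HOST_IP="${HOST_IP:-192.168.40.1}"         # main host's internal IP (assumed)
HOST_MAC="${HOST_MAC:-52:54:00:12:34:56}"  # main host's MAC (assumed)

# Print one iptables invocation, quoting only arguments that contain spaces.
dry_print() {
    printf 'iptables'
    for a; do
        case $a in
            *' '*) printf ' "%s"' "$a" ;;
            *)     printf ' %s' "$a" ;;
        esac
    done
    printf '\n'
}

# Run iptables, or just print the command when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then dry_print "$@"; else iptables "$@"; fi
}

# Create a chain, or flush it if it already exists, so the script is re-runnable.
fresh_chain() {
    run -N "$1" 2>/dev/null || run -F "$1"
}

build_myssh() {
    fresh_chain MYSSH
    # accept ssh from the internal network arriving on the virtual interface
    run -A MYSSH -i "$INT_IF" -s "$INT_NET" -j ACCEPT
    # inserted at position 1: allow the main host by IP
    run -I MYSSH 1 -s "$HOST_IP" -j ACCEPT
    # appended last: log at level info with the custom prefix, then drop the rest
    run -A MYSSH -j LOG --log-level info --log-prefix "DENIED BY MYSSH "
    run -A MYSSH -j DROP
}

build_myicmp() {
    fresh_chain MYICMP
    # accept ICMP from the internal network
    run -A MYICMP -s "$INT_NET" -j ACCEPT
    # both inserted at position 1, MAC rule first and then the IP rule, so the
    # IP rule ends up at the top of the chain (matches the lab's step order)
    run -I MYICMP 1 -p icmp --icmp-type echo-request -m mac --mac-source "$HOST_MAC" -j DROP
    run -I MYICMP 1 -p icmp --icmp-type echo-request -s "$HOST_IP" -j DROP
}

wire_input() {
    # hand ssh and ICMP to the custom chains with -j (jump), never -g (goto)
    run -I INPUT -p tcp --dport 22 -j MYSSH
    run -I INPUT -p icmp -j MYICMP
    # remove the old blanket ssh accept (ASSUMED to have this exact form);
    # if it stays, MYSSH's drop-and-log never gets a chance to apply
    run -D INPUT -p tcp --dport 22 -j ACCEPT
}

build_firewall() {
    if [ -z "$DRY_RUN" ] && [ "$(id -u)" -ne 0 ]; then
        echo "run as root, or set DRY_RUN=1 to print the rules" >&2
        return 1
    fi
    build_myssh
    build_myicmp
    wire_input
}

# The lab's verification: per-chain packet counters and the logged denials.
verify() {
    run -L MYSSH -v -n
    run -L MYICMP -v -n
    journalctl --dmesg | grep 'DENIED BY MYSSH' || true
}

case "${1:-}" in
    dry)   DRY_RUN=1; build_firewall ;;
    apply) build_firewall && verify ;;
esac
```

Run '''sh build_chains.sh dry''' to review the rules, then '''sudo sh build_chains.sh apply''' with libvirtd stopped, test from the main host, and only then save with '''iptables-save > /etc/sysconfig/iptables''' as in the step above.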
