Gentoo Forums
host iptables rules for VM to access internet?
Wizumwalt
Guru


Joined: 20 Aug 2006
Posts: 547

PostPosted: Thu Mar 11, 2021 10:12 pm    Post subject: host iptables rules for VM to access internet?

I am running a gentoo VM on a gentoo host using QEMU and all is well, with the exception that I don't have access to the internet on the VM.

The host machine accesses a VPN client running on a router. The host machine has VPN name servers in /etc/conf.d/net.

I've tried adding the same DNS entries on my VM as on the host to no avail.
Then tried adding the host ip to the VM's conf.d/net. Didn't work.
Also tried adding 8.8.8.8 and 8.8.4.4 to the VM's conf.d/net, no go.

What I do notice is that if I take down the host firewall, it does work. Anyone know what's needed to make this work w/ iptables on the host machine?
Hu
Moderator


Joined: 06 Mar 2007
Posts: 21635

PostPosted: Fri Mar 12, 2021 2:55 am    Post subject:

That suggests you have configured iptables on the host to block the guest. You should remove those blocks. If you are not sure why it is blocked, start by posting the output of iptables-save -c, as run by root on the host machine. Please show also ip addr ; ip route from the host and the guest and, if it is not obvious from names, tell us which virtual network device on the host is the connection to the VM. Also, please describe how the hypervisor configures the VM's network: TUN/TAP, bridge, user, ...? If unsure, show us the full qemu command line used to run the guest. You can omit any sensitive information there. We just need to see the network device section.
Wizumwalt
Guru


Joined: 20 Aug 2006
Posts: 547

PostPosted: Wed Mar 17, 2021 9:16 pm    Post subject:

Here is the command I use to start a guest VM which is held inside a bash script ...
Code:

qemu-system-x86_64 -netdev tap,id=net0,ifname=tap0,script=no,downscript=no -device virtio-net-pci,netdev=net0,mac=52:54:00:12:34:60 -cpu host -smp 4 -kernel ./kernel-${KVERS} -append "root=/dev/vda console=ttyS0 video-nofb resolution=1024x768" -initrd ~/tools/gentoo-x86_64-initramfs.cpio.gz -m 2G -drive format=raw,file=./gentoo-x86_64-guest_1.img,if=virtio,cache=none -serial stdio --enable-kvm


The following is from the host machine.
Code:

$ sudo iptables-save -c

# Generated by iptables-save v1.8.5 on Thu Mar 18 20:29:14 2021
*nat
:PREROUTING ACCEPT [278:17000]
:INPUT ACCEPT [2:112]
:OUTPUT ACCEPT [28141:1772183]
:POSTROUTING ACCEPT [1910:114600]
:DOCKER - [0:0]
[13:1575] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
[2246753:149613295] -A POSTROUTING -o br0 -j MASQUERADE
[0:0] -A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Thu Mar 18 20:29:14 2021
# Generated by iptables-save v1.8.5 on Thu Mar 18 20:29:14 2021
*mangle
:PREROUTING ACCEPT [673011756:556748043160]
:INPUT ACCEPT [653854984:537555273373]
:FORWARD ACCEPT [17643148:19019767527]
:OUTPUT ACCEPT [397607996:42506016753]
:POSTROUTING ACCEPT [415034838:61490726197]
COMMIT
# Completed on Thu Mar 18 20:29:14 2021
# Generated by iptables-save v1.8.5 on Thu Mar 18 20:29:14 2021
*filter
:INPUT DROP [0:0]
:FORWARD DROP [265:15425]
:OUTPUT ACCEPT [36922364:2081196575]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
[889832:693203783] -A INPUT -i lo -j ACCEPT
[1298:167283] -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
[559420571:449266348442] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[20:1184] -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
[62:4282] -A INPUT -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
[0:0] -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
[561965:30033407] -A INPUT -j DROP
[265:15425] -A FORWARD -j DOCKER-USER
[265:15425] -A FORWARD -j DOCKER-ISOLATION-STAGE-1
[0:0] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o docker0 -j DOCKER
[0:0] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT
[889832:693203783] -A OUTPUT -o lo -j ACCEPT
[330075:27674164] -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
[265:15425] -A DOCKER-ISOLATION-STAGE-1 -j RETURN
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -j RETURN
[16996171:18464804573] -A DOCKER-USER -j RETURN
COMMIT
# Completed on Thu Mar 18 20:29:14 2021


Code:
$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether 94:de:80:c4:74:b6 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::96de:80ff:fcc4:7bc6/64 scope link
       valid_lft forever preferred_lft forever
3: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
4: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether 0a:c3:b2:9a:8a:2f brd ff:ff:ff:ff:ff:ff
    inet6 fe80::8c3:b2ff:fe9a:8a2f/64 scope link
       valid_lft forever preferred_lft forever
5: tap1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether 32:d8:fa:b0:e7:5b brd ff:ff:ff:ff:ff:ff
    inet6 fe80::30d8:faff:feb0:e75b/64 scope link
       valid_lft forever preferred_lft forever
6: br0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 0a:c3:bc:9b:8b:2f brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.10/24 brd 192.168.10.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fd9d:93f2:ab6a:0:8b3:b1ff:fe3a:8b2f/64 scope global dynamic mngtmpaddr
       valid_lft forever preferred_lft forever
    inet6 fe80::8c3:b2cf:fb9a:812f/64 scope link
       valid_lft forever preferred_lft forever
7: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:7c:aa:08:f0 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever


Code:

$ ip route
default via 192.168.10.1 dev br0 metric 6
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.10.0/24 dev br0 proto kernel scope link src 192.168.10.10


And the following here is from the guest. Also note, I do not run a firewall on the guest, so no iptables output.
Code:

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:12:34:60 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.20/24 brd 192.168.10.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fd9d:93f2:ab6b:0:5044:ff:fe12:3460/64 scope global dynamic mngtmpaddr
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe22:3360/64 scope link
       valid_lft forever preferred_lft forever
3: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0


Code:

$ ip route
default via 192.168.10.10 dev eth0 metric 2
127.0.0.0/8 via 127.0.0.1 dev lo
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.20


Last edited by Wizumwalt on Fri Mar 19, 2021 1:35 am; edited 2 times in total
Hu
Moderator


Joined: 06 Mar 2007
Posts: 21635

PostPosted: Wed Mar 17, 2021 9:29 pm    Post subject:

That iptables output seems to show the firewall is already down. You said the guest works when the firewall is down, and fails when it is up. To help you troubleshoot this, we need to see the non-working configuration so we can determine why it does not work.
Wizumwalt
Guru


Joined: 20 Aug 2006
Posts: 547

PostPosted: Fri Mar 19, 2021 1:33 am    Post subject:

Hu,

Apologies. I did have the firewall down at the time and rushed it. I have replaced the iptables output in the above post. And I've verified that when the firewall is down, I am able to run commands like 'git push' to access my git repos. However, when iptables is running on the host, my commands fail, usually with ...

Code:

Temporary failure in name resolution
Hu
Moderator


Joined: 06 Mar 2007
Posts: 21635

PostPosted: Fri Mar 19, 2021 1:49 am    Post subject:

You have a default-deny policy on your FORWARD chain. I do not see any rules in FORWARD, or the chains it would delegate to, that would allow your DNS (udp/53) traffic from the guest. If you want traffic to pass from the guest to the Internet, then you need rules to allow the traffic that you want to pass. At a minimum, this is probably DNS and HTTPS.
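The minimal FORWARD rules Hu describes, written out as an added example that is not from the thread: a shell function that prints them in iptables-restore format so they can be reviewed before being applied. It assumes the bridge br0 and guest address 192.168.10.20 shown in the ip output above; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits host-side FORWARD rules that
# let one bridged guest open DNS and HTTPS connections while the chain keeps its
# default DROP policy. Assumed values (from the thread's ip output): the guest
# sits behind br0 and routes via the host's br0 address.
BRIDGE="${BRIDGE:-br0}"
GUEST="${GUEST:-192.168.10.20}"

# Print the rules as an iptables-restore fragment. Order matters: the
# RELATED,ESTABLISHED match comes first so replies and later packets of an
# accepted connection never reach the per-port rules.
vm_forward_rules() {
    cat <<EOF
*filter
# return traffic for connections the guest already opened
-A FORWARD -i $BRIDGE -d $GUEST -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# new DNS queries from the guest (the 'Temporary failure in name resolution' case)
-A FORWARD -i $BRIDGE -s $GUEST -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $BRIDGE -s $GUEST -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# new HTTPS connections from the guest (git over https, portage mirrors)
-A FORWARD -i $BRIDGE -s $GUEST -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Number of rules the fragment would append; a cheap sanity check for scripts.
vm_forward_rule_count() {
    vm_forward_rules | grep -c '^-A FORWARD'
}

# Apply on the host only after reviewing the output. --noflush appends to the
# existing tables instead of replacing them, so the Docker chains survive.
vm_forward_apply() {
    vm_forward_rules | iptables-restore --noflush
}
```

The guest's default route points at the host's br0 address (192.168.10.10) rather than at the router, which is why the host's FORWARD chain sees this traffic at all; the existing `POSTROUTING -o br0 -j MASQUERADE` rule then rewrites the source address on the way out.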