Gentoo Forums
[solved] kvm guest prob w/internet
Forum: Networking & Security
nordic bro
Guru
Joined: 25 Oct 2003
Posts: 582
PostPosted: Mon Sep 05, 2011 7:21 pm    Post subject: [solved] kvm guest prob w/internet

let me know what I should include by way of info, I'm not really sure.

I have an xp/sp1 guest running in kvm and used this guide for most of the networking setup: http://en.gentoo-wiki.com/wiki/KVM including his kvm startup script.

I use shorewall 3 but tried 4, same problem. originally I was sending all bridge traffic to netfilter, then read something saying not to do that, so now I skip it. so afaik shorewall isn't a factor here anymore (?)

everything from host wrt internet, etc., works fine, always has. the trouble is now that I have nfs working in the xp guest, web browsers can't see any sites ("server not found").

what happens is:

a) I boot host, shorewall and kvm, etc. are started.

b) run xp guest, nfs works but internet doesn't.

c) stop shorewall, "shorewall clear" and internet still doesn't work from guest.

but if I stop kvm script (contents below) then '/etc/init.d/net.eth0 restart' and '/etc/init.d/kvm start', now xp guest has nfs working and ffox can connect to sites.

d) if I restart shorewall, not unexpectedly guest ffox no longer works (but nfs continues to if it matters).

if I stop shorewall again and do "shorewall clear", guest ffox still can't work.

e) in that state if I again restart eth0 and kvm script, guest nfs and internet work again.

this is how I start the kvm instance:

Code:
kvm -name xp_pt3 -net nic,macaddr=00:00:00:00:00:22 -net tap,ifname=tap0,script=no,downscript=no gentoo-i386.img -usb -usbdevice tablet -boot c

ifconfig:

Code:
br0       Link encap:Ethernet  HWaddr 8a:97:bb:10:12:5e 
          inet addr:192.168.100.254  Bcast:192.168.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:74 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:8143 (7.9 KiB)  TX bytes:0 (0.0 B)

eth0      Link encap:Ethernet  HWaddr 00:19:db:22:5e:e4 
          inet addr:192.168.1.254  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1576829 errors:0 dropped:0 overruns:0 frame:0
          TX packets:804563 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2188251979 (2.0 GiB)  TX bytes:55669750 (53.0 MiB)
          Interrupt:45 Base address:0xe000

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:394134 errors:0 dropped:0 overruns:0 frame:0
          TX packets:394134 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2089381129 (1.9 GiB)  TX bytes:2089381129 (1.9 GiB)

tap0      Link encap:Ethernet  HWaddr 8a:97:bb:10:12:5e 
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:77 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:9704 (9.4 KiB)  TX bytes:92 (92.0 B)

tap1      Link encap:Ethernet  HWaddr 9a:ca:38:8d:c8:8e 
          UP BROADCAST PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

resolv.conf:

Code:
# Generated by net-scripts for interface eth0
domain example.com
search example.com
nameserver 192.168.1.1

conf.d/net:

Code:
bridge_br0="tap0 tap1"
brctl_br0="setfd 0 sethello 0 stp off"
#rc_need_br0="net.tap0 net.tap1"
RC_NEED_br0="net.tap0 net.tap1"
config_eth0=( "192.168.1.254 netmask 255.255.255.0 broadcast 192.168.1.255" )
routes_eth0="default via 192.168.1.1"
dns_domain_eth0="example.com"
dns_servers_eth0="192.168.1.1"
dns_search_eth0="example.com"

config_br0="192.168.100.254/24"

config_tap0="null"
tuntap_tap0="tap"
tunctl_tap0="-u mike"
mac_tap0="00:00:00:00:00:00"

config_tap1="null"
tuntap_tap1="tap"
tunctl_tap1="-u mike"
mac_tap1="00:00:00:00:00:01"

/etc/init.d/kvm script from above gentoo how-to (I took out msgs and whatnot for brevity; also I use modules so put the 'echo "0" > ...*tables' in there rather than sysctl.conf):

Code:
#NUM_OF_DEVICES=5
NUM_OF_DEVICES=2                # tap devices to create: tap0 .. tap(NUM_OF_DEVICES-1)
#USERID="<your_user>"
USERID="mike"                   # unprivileged user kvm runs as; it owns the tap devices

depend() {
        need net
}

start() {
        /sbin/modprobe kvm
        /sbin/modprobe kvm_intel
        /sbin/modprobe tun
        # bridge the guests attach to; the host side gets an address on the guest subnet
        /sbin/brctl addbr br0
        /sbin/ifconfig br0 192.168.100.254 netmask 255.255.255.0 up
        for ((i=0; i < NUM_OF_DEVICES; i++)); do
                /usr/bin/tunctl -b -u $USERID -t tap$i >/dev/null
                /sbin/brctl addif br0 tap$i
                /sbin/ifconfig tap$i up 0.0.0.0 promisc
        done
        # route guest traffic and NAT it behind eth0's address
        echo "1" > /proc/sys/net/ipv4/ip_forward
        iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
        # keep bridged (layer 2) frames out of arptables/iptables/ip6tables
        echo "0" > /proc/sys/net/bridge/bridge-nf-call-arptables
        echo "0" > /proc/sys/net/bridge/bridge-nf-call-iptables
        echo "0" > /proc/sys/net/bridge/bridge-nf-call-ip6tables
        eend 0
}

stop() {
        # tear down in reverse order: taps, bridge, modules, forwarding, NAT rule
        for ((i=0; i < NUM_OF_DEVICES; i++)); do
                /sbin/ifconfig tap$i down
                /sbin/brctl delif br0 tap$i
                /usr/bin/tunctl -d tap$i >/dev/null
        done
        /sbin/ifconfig br0 down
        /sbin/brctl delbr br0
        /sbin/modprobe -r tun
        /sbin/modprobe -r kvm_intel
        /sbin/modprobe -r kvm
        echo "0" > /proc/sys/net/ipv4/ip_forward
        iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
        eend 0
}

restart() {
        stop
        start
}

my xp network props are:

ip addr: 192.168.100.1
mask: 255.255.255.0
default gw: 192.168.100.254

dns: 192.168.1.1 (my router)

also this is kernel.org 3.0.3 if it matters.

thanks.


Last edited by nordic bro on Mon Sep 19, 2011 5:40 pm; edited 3 times in total
Hu
Moderator
Joined: 06 Mar 2007
Posts: 14281
PostPosted: Mon Sep 05, 2011 9:54 pm

Do you want the guest to be bridged or NAT'd? You have elements of each, which is probably not good. Pick one or the other and then we can help you write a configuration using just that method.
nordic bro
Guru
Joined: 25 Oct 2003
Posts: 582
PostPosted: Mon Sep 05, 2011 10:13 pm

Quote:
Do you want the guest to be bridged or NAT'd?

thanks, tbh I don't really know (much of this is new to me and I have been thrashing about w/endless changes over the past few days, which may explain the mixture).

what I was hoping to achieve initially was:

a) the kvm guest to be hidden from the outside world;

b) the guest to have to go through my host firewall just in case I get some kind of malware that's either trying to spread outside my local network or reporting back to the infector.

I do have a router firewall which came with my fios service but I really don't know how well that works or know anything about configuring it to be better if necessary.

so I have shorewall running in addition which I can at least look at documentation and do something there I may not know how to do with the router firewall.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 14281
PostPosted: Tue Sep 06, 2011 12:06 am

It sounds like you want a NAT configuration for the guest. Drop all references to br0. Use eth0 as your interface to the outside world. Configure your tap device with a private address on a different subnet from your main LAN. Place your guest on that same subnet. For simplicity, you can static configure the guest for now.
nordic bro
Guru
Joined: 25 Oct 2003
Posts: 582
PostPosted: Sat Sep 10, 2011 12:06 am

OK, I know I'm doing something wrong but can't identify what, so I seem to be going in circles :) the two problems I'm having are:

1. after reboot and shorewall running (r4.4.15.1) my guest can't see internet but nfs works

2a. with shorewall stop/clear, guest can use nfs but not see internet

2b. if I then restart net.eth0 both nfs/guest internet work

2c. if I start shorewall again, no guest internet but nfs still works

shorewall interfaces:

Code:
net   eth0      detect      routefilter,tcpflags,dhcp
#loc   interior
# that's what I ordinarily use but also tried this:
loc   tap0      detect

shorewall rules:

Code:
SECTION NEW
DROP      net      fw     icmp     8
DROP      net      fw     tcp      113,135
ACCEPT    fw       loc    tcp      5432
ACCEPT    loc      fw     tcp      5432

shorewall policy:

Code:
loc      fw   ACCEPT
fw              net     ACCEPT
net      all   DROP
all      all   REJECT

shorewall zones:

Code:
fw   firewall
net   ipv4
loc   ipv4

shorewall conf is stock and many lines so let me know if I should include it.

to create tap0 I did this:

Code:
modprobe tun
tunctl -u mike
ip addr add 192.168.100.254/24 dev tap0
ip link set tap0 up
sysctl net.ipv4.ip_forward=1
route add -host 192.168.100.1 dev tap0

route -n:

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 tap0
192.168.100.1   0.0.0.0         255.255.255.255 UH    0      0        0 tap0

ifconfig:

Code:
eth0      Link encap:Ethernet  HWaddr 00:19:db:22:5e:e4 
          inet addr:192.168.1.254  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10210 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9005 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4878612 (4.6 MiB)  TX bytes:954754 (932.3 KiB)
          Interrupt:45 Base address:0xe000

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:776 errors:0 dropped:0 overruns:0 frame:0
          TX packets:776 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:260051 (253.9 KiB)  TX bytes:260051 (253.9 KiB)

tap0      Link encap:Ethernet  HWaddr a2:b3:81:5c:56:09 
          inet addr:192.168.100.254  Bcast:0.0.0.0  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:790 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1182 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:102661 (100.2 KiB)  TX bytes:1110796 (1.0 MiB)

I start kvm guest w/this:

Code:
export MACADDR="52:54:$(dd if=/dev/urandom count=1 2>/dev/null | md5sum | sed 's/^\(..\)\(..\)\(..\)\(..\).*$/\1:\2:\3:\4/')"; kvm -name xp_pt3 -net nic,macaddr=${MACADDR} -net tap,ifname=tap0,script=no,downscript=no /misc/vm_data/kvm_pt3/gentoo-i386.img -usb -usbdevice tablet -boot c

/etc/init.d/kvm:

Code:
#NUM_OF_DEVICES=5
NUM_OF_DEVICES=2
#USERID="<your_user>"
USERID="mike"

depend() {
        need net
}

start() {
        /sbin/modprobe kvm
        /sbin/modprobe kvm_intel
        echo "1" > /proc/sys/net/ipv4/ip_forward
**        iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
        eend 0
}

stop() {
        /sbin/modprobe -r kvm_intel
        /sbin/modprobe -r kvm
        echo "0" > /proc/sys/net/ipv4/ip_forward
**        iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
        eend 0
}

and my xp setup:

ip: 192.168.100.1
mask: 255.255.255.0
gw: 192.168.100.254
dns: 192.168.1.1 (my router)

** fwiw the two "**" in kvm script cause this: there is no error doing "-A POST..." in start() (when I add 'eend $? "msg"'), but there is always an error with "-D POST..." in stop():

* Failed to remove masquerade (eth0) [ ok ]

don't know if that's relevant to anything.

thanks.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 14281
PostPosted: Sat Sep 10, 2011 2:47 am

nordic bro wrote:
1. after reboot and shorewall running (r4.4.15.1) my guest can't see internet but nfs works
2a. with shorewall stop/clear, guest can use nfs but not see internet
Please post the output of iptables-save -c, not the shorewall configurations.
nordic bro wrote:
to create tap0 I did this:
Code:
modprobe tun
tunctl -u mike
ip addr add 192.168.100.254/24 dev tap0
ip link set tap0 up
sysctl net.ipv4.ip_forward=1
route add -host 192.168.100.1 dev tap0

The explicit route should be unnecessary. The rest looks fine.
nordic bro wrote:
I start kvm guest w/this:

Code:
export MACADDR="52:54:$(dd if=/dev/urandom count=1 2>/dev/null | md5sum | sed 's/^\(..\)\(..\)\(..\)\(..\).*$/\1:\2:\3:\4/')"; kvm -name xp_pt3 -net nic,macaddr=${MACADDR} -net tap,ifname=tap0,script=no,downscript=no /misc/vm_data/kvm_pt3/gentoo-i386.img -usb -usbdevice tablet -boot c

Randomizing the MAC address may work, but is bad practice. Pick a single MAC and stick with it.
nordic bro wrote:

** fwiw the two "**" in kvm script cause this: there is no error doing "-A POST..." in start() (when I add 'eend $? "msg"'), but there is always an error with "-D POST..." in stop():
* Failed to remove masquerade (eth0) [ ok ]
don't know if that's relevant to anything.
You did not specify the exact steps that lead to this, but I suspect this is related to resetting shorewall and letting it wipe your iptables rules.
nordic bro
Guru
Joined: 25 Oct 2003
Posts: 582
PostPosted: Sat Sep 10, 2011 4:22 am

Quote:
Quote:
1. after reboot and shorewall running (r4.4.15.1) my guest can't see internet but nfs works
2a. with shorewall stop/clear, guest can use nfs but not see internet

Please post the output of iptables-save -c, not the shorewall configurations.

wasn't sure if you wanted both #1 and #2a but this is output for #1 (the posted shorewall setup + kvm script started which is in runlevels/default):

Code:
# Generated by iptables-save v1.4.10 on Sat Sep 10 00:12:39 2011
*raw
:PREROUTING ACCEPT [276:121985]
:OUTPUT ACCEPT [266:27293]
COMMIT
# Completed on Sat Sep 10 00:12:39 2011
# Generated by iptables-save v1.4.10 on Sat Sep 10 00:12:39 2011
*mangle
:PREROUTING ACCEPT [276:121985]
:INPUT ACCEPT [276:121985]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [266:27293]
:POSTROUTING ACCEPT [266:27293]
:tcfor - [0:0]
:tcin - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
[276:121985] -A PREROUTING -j tcpre
[276:121985] -A INPUT -j tcin
[0:0] -A FORWARD -j MARK --set-xmark 0x0/0xff
[0:0] -A FORWARD -j tcfor
[266:27293] -A OUTPUT -j tcout
[266:27293] -A POSTROUTING -j tcpost
COMMIT
# Completed on Sat Sep 10 00:12:39 2011
# Generated by iptables-save v1.4.10 on Sat Sep 10 00:12:39 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Drop - [0:0]
:Reject - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:fw2loc - [0:0]
:fw2net - [0:0]
:loc2fw - [0:0]
:loc2net - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:net2fw - [0:0]
:net2loc - [0:0]
:reject - [0:0]
:shorewall - [0:0]
:tcpflags - [0:0]
[2:89] -A INPUT -m conntrack --ctstate INVALID,NEW -j dynamic
[254:117124] -A INPUT -i eth0 -j net2fw
[0:0] -A INPUT -i tap0 -j loc2fw
[22:4861] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -j Reject
[0:0] -A INPUT -g reject
[0:0] -A FORWARD -m conntrack --ctstate INVALID,NEW -j dynamic
[0:0] -A FORWARD -i eth0 -o tap0 -j net2loc
[0:0] -A FORWARD -i tap0 -o eth0 -j loc2net
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -j Reject
[0:0] -A FORWARD -g reject
[244:22432] -A OUTPUT -o eth0 -j fw2net
[0:0] -A OUTPUT -o tap0 -j fw2loc
[22:4861] -A OUTPUT -o lo -j ACCEPT
[0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -j Reject
[0:0] -A OUTPUT -g reject
[0:0] -A Drop
[0:0] -A Drop -p tcp -m tcp --dport 113 -m comment --comment "Auth" -j reject
[0:0] -A Drop -j dropBcast
[0:0] -A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
[0:0] -A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
[0:0] -A Drop -j dropInvalid
[0:0] -A Drop -p udp -m multiport --dports 135,445 -m comment --comment "SMB" -j DROP
[0:0] -A Drop -p udp -m udp --dport 137:139 -m comment --comment "SMB" -j DROP
[0:0] -A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment "SMB" -j DROP
[0:0] -A Drop -p tcp -m multiport --dports 135,139,445 -m comment --comment "SMB" -j DROP
[0:0] -A Drop -p udp -m udp --dport 1900 -m comment --comment "UPnP" -j DROP
[0:0] -A Drop -p tcp -j dropNotSyn
[0:0] -A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
[0:0] -A Reject
[0:0] -A Reject -p tcp -m tcp --dport 113 -m comment --comment "Auth" -j reject
[0:0] -A Reject -j dropBcast
[0:0] -A Reject -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
[0:0] -A Reject -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
[0:0] -A Reject -j dropInvalid
[0:0] -A Reject -p udp -m multiport --dports 135,445 -m comment --comment "SMB" -j reject
[0:0] -A Reject -p udp -m udp --dport 137:139 -m comment --comment "SMB" -j reject
[0:0] -A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment "SMB" -j reject
[0:0] -A Reject -p tcp -m multiport --dports 135,139,445 -m comment --comment "SMB" -j reject
[0:0] -A Reject -p udp -m udp --dport 1900 -m comment --comment "UPnP" -j DROP
[0:0] -A Reject -p tcp -j dropNotSyn
[0:0] -A Reject -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
[0:0] -A dropBcast -m addrtype --dst-type BROADCAST -j DROP
[0:0] -A dropBcast -d 224.0.0.0/4 -j DROP
[0:0] -A dropInvalid -m conntrack --ctstate INVALID -j DROP
[0:0] -A dropNotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
[0:0] -A fw2loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A fw2loc -p tcp -m tcp --dport 5432 -j ACCEPT
[0:0] -A fw2loc -j Reject
[0:0] -A fw2loc -g reject
[0:0] -A fw2net -p udp -m udp --dport 67:68 -j ACCEPT
[187:18861] -A fw2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[57:3571] -A fw2net -j ACCEPT
[0:0] -A loc2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A loc2fw -p tcp -m tcp --dport 5432 -j ACCEPT
[0:0] -A loc2fw -j ACCEPT
[0:0] -A loc2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A loc2net -j Reject
[0:0] -A loc2net -g reject
[0:0] -A logdrop -j DROP
[0:0] -A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options
[0:0] -A logflags -j DROP
[0:0] -A logreject -j reject
[0:0] -A net2fw -p udp -m udp --dport 67:68 -j ACCEPT
[220:113465] -A net2fw -p tcp -j tcpflags
[254:117124] -A net2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A net2fw -p icmp -m icmp --icmp-type 8 -j DROP
[0:0] -A net2fw -p tcp -m multiport --dports 113,135 -j DROP
[0:0] -A net2fw -j Drop
[0:0] -A net2fw -j DROP
[0:0] -A net2loc -p tcp -j tcpflags
[0:0] -A net2loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A net2loc -j Drop
[0:0] -A net2loc -j DROP
[0:0] -A reject -m addrtype --src-type BROADCAST -j DROP
[0:0] -A reject -s 224.0.0.0/4 -j DROP
[0:0] -A reject -p igmp -j DROP
[0:0] -A reject -p tcp -j REJECT --reject-with tcp-reset
[0:0] -A reject -p udp -j REJECT --reject-with icmp-port-unreachable
[0:0] -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
[0:0] -A reject -j REJECT --reject-with icmp-host-prohibited
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
[0:0] -A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags
COMMIT
# Completed on Sat Sep 10 00:12:39 2011
# Generated by iptables-save v1.4.10 on Sat Sep 10 00:12:39 2011
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [59:3660]
:POSTROUTING ACCEPT [59:3660]
COMMIT
# Completed on Sat Sep 10 00:12:39 2011


and this is #2a ('/etc/init.d/shorewall stop' then 'shorewall clear'):

Code:
# Generated by iptables-save v1.4.10 on Sat Sep 10 00:14:14 2011
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sat Sep 10 00:14:14 2011
# Generated by iptables-save v1.4.10 on Sat Sep 10 00:14:14 2011
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sat Sep 10 00:14:14 2011
# Generated by iptables-save v1.4.10 on Sat Sep 10 00:14:14 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sat Sep 10 00:14:14 2011
# Generated by iptables-save v1.4.10 on Sat Sep 10 00:14:14 2011
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sat Sep 10 00:14:14 2011


thanks for the help.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 14281
PostPosted: Sat Sep 10, 2011 4:13 pm

You must have the MASQUERADE rule for the guest to be able to use the Internet. Shorewall is wiping this rule when it loads, and it is loading after you start net.eth0.
nordic bro
Guru
Joined: 25 Oct 2003
Posts: 582
PostPosted: Mon Sep 12, 2011 1:44 am

sorry, can't get this stupid thing to work :) do you have any other troubleshooting tips? I've been experimenting w/that iptables-save cmd and see:

Code:
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:eth0_masq - [0:0]
[0:0] -A POSTROUTING -o eth0 -j eth0_masq
[0:0] -A eth0_masq -s 192.168.100.0/24 -j MASQUERADE
COMMIT

that's with shorewall running and from what I gather (shorewall-masq man pg/google) my simple /etc/shorewall/masq entry is sufficient:

eth0 192.168.100.0/24

but guest internet doesn't work. if I stop shorewall/clear then reissue the cmd in init.d/kvm script:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

guest internet starts working immediately, and to my amateur eye I see essentially the same iptables-save output:

Code:
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[0:0] -A POSTROUTING -o eth0 -j MASQUERADE

where else would I look to see what's the matter?

I thought maybe there was some module I didn't have compiled for the more refined shorewall masq version although I don't get any start errors; however I still went through kernel cfg and M just about everything in netfilter options and still nothing.

one other thing, w/o shorewall I can ping router from guest and guest from host; w/shorewall either ping just says "Destination host unreachable" but imagine there's a shorewall rule/policy somewhere that blocks them and it otherwise doesn't mean anything?


edit: incidentally if it matters here's the entire output w/shorewall running:

Code:
# Generated by iptables-save v1.4.10 on Sun Sep 11 21:52:16 2011
*raw
:PREROUTING ACCEPT [311:155608]
:OUTPUT ACCEPT [305:33043]
COMMIT
# Completed on Sun Sep 11 21:52:16 2011
# Generated by iptables-save v1.4.10 on Sun Sep 11 21:52:16 2011
*mangle
:PREROUTING ACCEPT [311:155608]
:INPUT ACCEPT [311:155608]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [305:33043]
:POSTROUTING ACCEPT [305:33043]
:tcfor - [0:0]
:tcin - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
[311:155608] -A PREROUTING -j tcpre
[311:155608] -A INPUT -j tcin
[0:0] -A FORWARD -j MARK --set-xmark 0x0/0xff
[0:0] -A FORWARD -j tcfor
[305:33043] -A OUTPUT -j tcout
[305:33043] -A POSTROUTING -j tcpost
COMMIT
# Completed on Sun Sep 11 21:52:16 2011
# Generated by iptables-save v1.4.10 on Sun Sep 11 21:52:16 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Drop - [0:0]
:Reject - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:fw2loc - [0:0]
:fw2net - [0:0]
:loc2fw - [0:0]
:loc2net - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:net2fw - [0:0]
:net2loc - [0:0]
:reject - [0:0]
:shorewall - [0:0]
:tcpflags - [0:0]
[0:0] -A INPUT -m conntrack --ctstate INVALID,NEW -j dynamic
[305:153440] -A INPUT -i eth0 -j net2fw
[0:0] -A INPUT -i tap0 -j loc2fw
[6:2168] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -j Reject
[0:0] -A INPUT -g reject
[0:0] -A FORWARD -m conntrack --ctstate INVALID,NEW -j dynamic
[0:0] -A FORWARD -i eth0 -o tap0 -j net2loc
[0:0] -A FORWARD -i tap0 -o eth0 -j loc2net
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -j Reject
[0:0] -A FORWARD -g reject
[299:30875] -A OUTPUT -o eth0 -j fw2net
[0:0] -A OUTPUT -o tap0 -j fw2loc
[6:2168] -A OUTPUT -o lo -j ACCEPT
[0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -j Reject
[0:0] -A OUTPUT -g reject
[0:0] -A Drop
[0:0] -A Drop -p tcp -m tcp --dport 113 -m comment --comment "Auth" -j reject
[0:0] -A Drop -j dropBcast
[0:0] -A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
[0:0] -A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
[0:0] -A Drop -j dropInvalid
[0:0] -A Drop -p udp -m multiport --dports 135,445 -m comment --comment "SMB" -j DROP
[0:0] -A Drop -p udp -m udp --dport 137:139 -m comment --comment "SMB" -j DROP
[0:0] -A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment "SMB" -j DROP
[0:0] -A Drop -p tcp -m multiport --dports 135,139,445 -m comment --comment "SMB" -j DROP
[0:0] -A Drop -p udp -m udp --dport 1900 -m comment --comment "UPnP" -j DROP
[0:0] -A Drop -p tcp -j dropNotSyn
[0:0] -A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
[0:0] -A Reject
[0:0] -A Reject -p tcp -m tcp --dport 113 -m comment --comment "Auth" -j reject
[0:0] -A Reject -j dropBcast
[0:0] -A Reject -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
[0:0] -A Reject -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
[0:0] -A Reject -j dropInvalid
[0:0] -A Reject -p udp -m multiport --dports 135,445 -m comment --comment "SMB" -j reject
[0:0] -A Reject -p udp -m udp --dport 137:139 -m comment --comment "SMB" -j reject
[0:0] -A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment "SMB" -j reject
[0:0] -A Reject -p tcp -m multiport --dports 135,139,445 -m comment --comment "SMB" -j reject
[0:0] -A Reject -p udp -m udp --dport 1900 -m comment --comment "UPnP" -j DROP
[0:0] -A Reject -p tcp -j dropNotSyn
[0:0] -A Reject -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
[0:0] -A dropBcast -m addrtype --dst-type BROADCAST -j DROP
[0:0] -A dropBcast -d 224.0.0.0/4 -j DROP
[0:0] -A dropInvalid -m conntrack --ctstate INVALID -j DROP
[0:0] -A dropNotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
[0:0] -A fw2loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A fw2loc -p tcp -m tcp --dport 5432 -j ACCEPT
[0:0] -A fw2loc -j Reject
[0:0] -A fw2loc -g reject
[0:0] -A fw2net -p udp -m udp --dport 67:68 -j ACCEPT
[242:27353] -A fw2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[57:3522] -A fw2net -j ACCEPT
[0:0] -A loc2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A loc2fw -p tcp -m tcp --dport 5432 -j ACCEPT
[0:0] -A loc2fw -j ACCEPT
[0:0] -A loc2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A loc2net -j Reject
[0:0] -A loc2net -g reject
[0:0] -A logdrop -j DROP
[0:0] -A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options
[0:0] -A logflags -j DROP
[0:0] -A logreject -j reject
[0:0] -A net2fw -p udp -m udp --dport 67:68 -j ACCEPT
[277:150794] -A net2fw -p tcp -j tcpflags
[305:153440] -A net2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A net2fw -p icmp -m icmp --icmp-type 8 -j DROP
[0:0] -A net2fw -p tcp -m multiport --dports 113,135 -j DROP
[0:0] -A net2fw -j Drop
[0:0] -A net2fw -j DROP
[0:0] -A net2loc -p tcp -j tcpflags
[0:0] -A net2loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A net2loc -j Drop
[0:0] -A net2loc -j DROP
[0:0] -A reject -m addrtype --src-type BROADCAST -j DROP
[0:0] -A reject -s 224.0.0.0/4 -j DROP
[0:0] -A reject -p igmp -j DROP
[0:0] -A reject -p tcp -j REJECT --reject-with tcp-reset
[0:0] -A reject -p udp -j REJECT --reject-with icmp-port-unreachable
[0:0] -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
[0:0] -A reject -j REJECT --reject-with icmp-host-prohibited
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
[0:0] -A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags
COMMIT
# Completed on Sun Sep 11 21:52:16 2011
# Generated by iptables-save v1.4.10 on Sun Sep 11 21:52:16 2011
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [57:3522]
:POSTROUTING ACCEPT [57:3522]
:eth0_masq - [0:0]
[57:3522] -A POSTROUTING -o eth0 -j eth0_masq
[0:0] -A eth0_masq -s 192.168.100.0/24 -j MASQUERADE
COMMIT
# Completed on Sun Sep 11 21:52:16 2011
Hu
Moderator
Joined: 06 Mar 2007
Posts: 14281
PostPosted: Mon Sep 12, 2011 2:31 am

If stopping shorewall makes the guest work, then that would indicate that shorewall is adding rules that interfere with proper operation. The shorewall-generated configuration is rather ugly, so there could be problems hiding in it. Check the kernel output for any dropped traffic. If you cannot find anything there, consider clearing the shorewall rules and writing packet filter rules by hand.
nordic bro
Guru
Joined: 25 Oct 2003
Posts: 582
PostPosted: Mon Sep 19, 2011 5:39 pm

figured I should come clean so I could close this post - problem was user error. after more gnashing of teeth I found/added these to shorewall/rules:

DNS(ACCEPT) loc net
HTTP(ACCEPT) loc net
HTTPS(ACCEPT) loc net

using some of the tips I got from your replies it appeared to me tap0 was transmitting but not going anywhere; those rules completed the circuit so everything w/guest works fine now.

in the end I got the setup I wanted and learned a couple cool things so thanks again for the help.
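The comparison of the two iptables-save dumps earlier in the thread, and the loc net rules that finally fixed things, can be checked mechanically instead of by eye. What follows is an added example, not code from the thread, from shorewall or from Gentoo: a small Python tracer that parses `iptables-save -c` output and follows one new TCP connection from the XP guest (source 192.168.100.1, in on tap0, out on eth0) through the filter FORWARD chain and the nat POSTROUTING chain, honouring `-j` fall-through, `-g` goto and the built-in chain's policy. The embedded ruleset is a constructed, abridged copy of the shorewall dump posted above; the `ALLOW` lines are my assumption of roughly what `DNS/HTTP/HTTPS(ACCEPT) loc net` expands to, and 203.0.113.10 is a documentation-range placeholder for the destination. With the ruleset as posted the MASQUERADE rule is present and matches, but `loc2net` only accepts RELATED,ESTABLISHED traffic, so a new SYN falls through `Reject` into `-g reject`, where `-p tcp` returns REJECT with a TCP reset. That is why the nat table looked right while nothing new from the guest got out; the same `reject` chain in the full dump answers ICMP with icmp-host-unreachable, which matches the ping output reported above.

```python
"""Toy tracer for `iptables-save -c` dumps (added example; not code from the thread or shorewall).
Supports -i -o -s -d -p --dport(s) --ctstate. Any other match (--tcp-flags, --dst-type, --sport,
...) counts as NOT matching: right for the plain unicast TCP SYN traced here, not in general."""
import ipaddress
import shlex

SKIP = {"-m": 1, "--comment": 1, "--reject-with": 1, "--log-prefix": 1,  # option: arg count
        "--log-level": 1, "--set-xmark": 1, "--log-ip-options": 0}

def parse(dump):
    """-> {table: {"policy": {chain: policy|None}, "rules": {chain: [(match_toks, target, is_goto)]}}}"""
    tables, table = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):                          # "*filter"
            table = tables.setdefault(line[1:], {"policy": {}, "rules": {}})
        elif line.startswith(":"):                        # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            table["policy"][name] = None if policy == "-" else policy
            table["rules"].setdefault(name, [])
        elif line.startswith("["):                        # "[pkts:bytes] -A CHAIN matches -j TARGET ..."
            toks, target, goto = shlex.split(line)[2:], None, False
            for flag in ("-j", "-g"):
                if flag in toks:
                    idx = toks.index(flag)
                    target, goto, toks = toks[idx + 1], flag == "-g", toks[:idx]
            table["rules"][toks[0]].append((toks[1:], target, goto))
    return tables

def port_in(port, spec):  # spec like "443", "137:139" or "135,139,445"
    return any(int(lo) <= port <= int(hi or lo)
               for lo, _, hi in (p.partition(":") for p in spec.split(",")))

MATCH = {  # option -> predicate(pkt, arg); pkt uses the iptables option names as keys
    "-i": lambda p, a: p["-i"] == a, "-o": lambda p, a: p["-o"] == a,
    "-p": lambda p, a: p["-p"] == a, "--ctstate": lambda p, a: p["state"] in a.split(","),
    "-s": lambda p, a: ipaddress.ip_address(p["-s"]) in ipaddress.ip_network(a, strict=False),
    "-d": lambda p, a: ipaddress.ip_address(p["-d"]) in ipaddress.ip_network(a, strict=False),
    "--dport": lambda p, a: port_in(p["dport"], a), "--dports": lambda p, a: port_in(p["dport"], a),
}

def matches(toks, pkt):  # every match option must apply; unknown options count as no-match
    i = 0
    while i < len(toks):
        if toks[i] in SKIP:
            i += 1 + SKIP[toks[i]]
        elif toks[i] in MATCH and i + 1 < len(toks) and MATCH[toks[i]](pkt, toks[i + 1]):
            i += 2
        else:
            return False
    return True

def trace(table, chain, pkt):
    """Walk a chain; return the terminating verdict, or None if the chain falls through."""
    for toks, target, goto in table["rules"][chain]:
        if not matches(toks, pkt) or target in (None, "LOG", "MARK"):
            continue                                      # no match, or a non-terminating target
        if target == "RETURN":
            return None
        if target in {"ACCEPT", "DROP", "REJECT", "MASQUERADE", "SNAT", "DNAT"}:
            return target
        sub = trace(table, target, pkt)                   # user-defined chain
        if goto or sub is not None:
            return sub                                    # after -g the caller resumes, not this chain

# Constructed sample, abridged from the shorewall-generated ruleset posted in the thread.
SHOREWALL = """\
*filter
:FORWARD DROP [0:0]
:Reject - [0:0]
:loc2net - [0:0]
:reject - [0:0]
[0:0] -A FORWARD -i tap0 -o eth0 -j loc2net
[0:0] -A loc2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A loc2net -j Reject
[0:0] -A loc2net -g reject
[0:0] -A reject -p tcp -j REJECT --reject-with tcp-reset
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
:eth0_masq - [0:0]
[0:0] -A POSTROUTING -o eth0 -j eth0_masq
[0:0] -A eth0_masq -s 192.168.100.0/24 -j MASQUERADE
COMMIT
"""
# Assumed approximation of what the thread's final "DNS/HTTP/HTTPS(ACCEPT) loc net" rules add.
ALLOW = ("[0:0] -A loc2net -p udp -m udp --dport 53 -j ACCEPT\n"
         "[0:0] -A loc2net -p tcp -m multiport --dports 53,80,443 -j ACCEPT\n")
SHOREWALL_FIXED = SHOREWALL.replace("[0:0] -A loc2net -j Reject", ALLOW + "[0:0] -A loc2net -j Reject")

def guest_path(dump, dport=443, proto="tcp"):
    """(filter FORWARD verdict, nat POSTROUTING verdict) for a new guest connection to the Internet."""
    pkt = {"-i": "tap0", "-o": "eth0", "-s": "192.168.100.1", "-d": "203.0.113.10",  # placeholder dst
           "-p": proto, "dport": dport, "state": "NEW"}
    t = parse(dump)
    return (trace(t["filter"], "FORWARD", pkt) or t["filter"]["policy"]["FORWARD"],
            trace(t["nat"], "POSTROUTING", pkt) or t["nat"]["policy"]["POSTROUTING"])

if __name__ == "__main__":
    print(guest_path(SHOREWALL), guest_path(SHOREWALL_FIXED))  # ('REJECT', 'MASQUERADE') ('ACCEPT', 'MASQUERADE')
```

Run it as a script to print both verdicts. `guest_path(SHOREWALL_FIXED, dport=22)` still returns REJECT, which is the point of allowing only named services out of the guest rather than a blanket loc to net ACCEPT policy. Because any match option the tracer does not understand is treated as a non-match, read its verdicts only for the plain new-connection case it models; on a live host the authoritative check remains the per-rule counters in `iptables-save -c` and the kernel log lines shorewall's logging rules produce.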