Gentoo Forums
KVM on a Gentoo home router host with non-nat bridged netwk
Gentoo Forums Forum Index :: Networking & Security
mondjef (n00b; Joined: 13 Jun 2011; Posts: 40; Location: Ottawa, ON...Canada)
Posted: Sat Jan 28, 2012 5:59 pm    Post subject: KVM on a Gentoo home router host with non-nat bridged netwk

Ok, I have been all over the net and back again, and it is apparent that my knowledge of networking needs to be improved. I have a Gentoo Linux home router that I set up using the following guide, right down to the "T": http://www.gentoo.org/doc/en/home-router-howto.xml. Now I would like to set up KVM virtualization on this machine (the host).

Through numerous guides I have managed to configure the kernel as necessary and install the needed packages via emerge. Now my problem is getting the network set up so that the guest OS can receive an IP address on the local network and is able to communicate with the outside and on the LAN. For understanding how to go about setting up the network I have looked at the two following links for setting up bridged networking between the host and the guest, with no success: http://en.gentoo-wiki.com/wiki/KVM and http://www.linux-kvm.org/page/KvmOnGentoo. When I set up the bridge I get no internet access from other clients connected to this Gentoo home router, and these clients can no longer SSH into the Gentoo home router; in other words, it seems the clients connected to this router no longer receive IP addresses via DHCP. Is there something that I am missing that would be unique to my setup? Do I need to alter dnsmasq and/or iptables to get this to work? Any help would be greatly appreciated.

Let me know if any config files are needed for understanding.

Hu (Moderator; Joined: 06 Mar 2007; Posts: 16036)
Posted: Sat Jan 28, 2012 6:43 pm

If I understand correctly, you are already using NAT for your real machines, but you want to bridge the guest. Is this correct? If so, why do you want to do this? Mixing bridging with NAT can be done, but is often more complex than just using NAT consistently.

Please post the output of emerge --info app-emulation/qemu-kvm ; ps -efwwww | grep qemu ; iptables-save -c | cat -n; brctl show; ip addr show; grep -E '^[^#]' /path/to/dnsmasq.conf.

mondjef (n00b; Joined: 13 Jun 2011; Posts: 40; Location: Ottawa, ON...Canada)
Posted: Sat Jan 28, 2012 8:56 pm

Hu wrote:
If I understand correctly, you are already using NAT for your real machines, but you want to bridge the guest. Is this correct? If so, why do you want to do this? Mixing bridging with NAT can be done, but is often more complex than just using NAT consistently.

Please post the output of emerge --info app-emulation/qemu-kvm ; ps -efwwww | grep qemu ; iptables-save -c | cat -n; brctl show; ip addr show; grep -E '^[^#]' /path/to/dnsmasq.conf.


Hi Hu, thanks for helping me out; here is the info you requested. Yes, I am already using NAT for my real machines, and it is being provided by a Gentoo machine I set up as a home router. It is this same machine I want to run some VMs on. Some of the commands do not show much due to the fact that I disabled the bridge because it is not working and I needed my internet back up in the meantime. I have included my net configuration file so that you can see what I had set up for the bridge part. I am not that strong when it comes to network topology and iptables, but I guess what I want is some sort of way to get the guest VM to be on the local LAN and be accessible like a regular machine and also be able to reach the internet. Could I just create interfaces, get the guest OS to use them, and route traffic to them? I am really confused when it comes to this stuff.


Code:
emerge --info app-emulation/qemu-kvm
Portage 2.1.10.44 (hardened/linux/amd64, gcc-4.5.3, glibc-2.13-r4, 2.6.37-gentoo-r4 x86_64)
=================================================================
System Settings
=================================================================
System uname: Linux-2.6.37-gentoo-r4-x86_64-AMD_Athlon-tm-_64_X2_Dual_Core_Processor_5600+-with-gentoo-2.0.3
Timestamp of tree: Sat, 28 Jan 2012 01:30:01 +0000
app-shells/bash: 4.1_p9
dev-lang/python: 2.7.2-r3, 3.1.4-r3
dev-util/cmake: 2.8.4-r1
dev-util/pkgconfig: 0.26
sys-apps/baselayout: 2.0.3
sys-apps/openrc: 0.9.8.2
sys-apps/sandbox: 2.5
sys-devel/autoconf: 2.68
sys-devel/automake: 1.11.1
sys-devel/binutils: 2.21.1-r1
sys-devel/gcc: 4.5.3-r1
sys-devel/gcc-config: 1.4.1-r1
sys-devel/libtool: 2.4-r1
sys-devel/make: 3.82-r1
sys-kernel/linux-headers: 3.1 (virtual/os-headers)
sys-libs/glibc: 2.13-r4
Repositories: gentoo sunrise freeswitch xgr x-portage
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=k8 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=k8 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="ftp://ftp.spline.inf.fu-berlin.de/mirrors/gentoo/ rsync://mirror.neolabs.kz/gentoo http://mirror.datapipe.net/gentoo ftp://mirror.datapipe.net/gentoo http://gentoo.mirrors.tds.net/gentoo"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/sunrise /var/lib/layman/freeswitch /var/lib/layman/xgr /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="a52 aac acl alsa amd64 berkdb bzip2 cddda cdparanoia cdr cli cracklib crypt cups curl cxx divx dri dvb dvd dvdr encode ffmpeg flac gdbm gif gpm gsm gzip hardened iconv ipv6 jpeg jpeg2k justify mad matroska matrox mmx modules mp3 mp4 mpeg mudflap multilib musepack musicbrainz mysql mysqli nas ncurses nls nptl nptlonly ogg openmp pam pax_kernel pcre perl php png pppd quicktime raw rawpack readline session shorten smp speex sse sse2 ssl sysfs tcpd theora threads tiff udev unicode urandom v4l vorbis wavpack wmf x264 xorg xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" PHP_TARGETS="php5-3" QEMU_SOFTMMU_TARGETS="i386 x86_64" QEMU_USER_TARGETS="i386 x86_64" RUBY_TARGETS="ruby18" 
USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
Package Settings
=================================================================

app-emulation/qemu-kvm-0.15.1-r1 was built with the following:
USE="aio alsa curl hardened jpeg (multilib) ncurses png ssl threads vhost-net -bluetooth -brltty -debug (-esd) -fdt -nss -pulseaudio -qemu-ifup (-rbd) -sasl -sdl -spice -vde -xattr -xen" QEMU_SOFTMMU_TARGETS="i386 x86_64 (-arm) -cris (-m68k) -microblaze (-mips) -mips64 -mips64el -mipsel (-ppc) (-ppc64) -ppcemb -sh4 -sh4eb (-sparc) -sparc64" QEMU_USER_TARGETS="i386 x86_64 (-alpha) (-arm) -armeb -cris (-m68k) -microblaze (-mips) -mipsel (-ppc) (-ppc64) -ppc64abi32 -sh4 -sh4eb (-sparc) -sparc32plus -sparc64"

Code:
ps -efwwww | grep qemu
root 3411 3383 0 15:58 pts/1 00:00:00 grep --colour=auto qemu

Code:
iptables-save -c | cat -n
1 # Generated by iptables-save v1.4.12.1 on Sat Jan 28 15:59:26 2012
2 *raw
3 :PREROUTING ACCEPT [261860734:203507743783]
4 :OUTPUT ACCEPT [150497817:182355598803]
5 COMMIT
6 # Completed on Sat Jan 28 15:59:26 2012
7 # Generated by iptables-save v1.4.12.1 on Sat Jan 28 15:59:26 2012
8 *nat
9 :PREROUTING ACCEPT [41768:2743402]
10 :INPUT ACCEPT [34832:2305212]
11 :OUTPUT ACCEPT [5495:382034]
12 :POSTROUTING ACCEPT [99:18397]
13 [2042246:134709496] -A POSTROUTING -o ppp0 -j MASQUERADE
14 COMMIT
15 # Completed on Sat Jan 28 15:59:26 2012
16 # Generated by iptables-save v1.4.12.1 on Sat Jan 28 15:59:26 2012
17 *mangle
18 :PREROUTING ACCEPT [1878264:1540759585]
19 :INPUT ACCEPT [1514621:1262881008]
20 :FORWARD ACCEPT [363607:277873503]
21 :OUTPUT ACCEPT [998247:831804787]
22 :POSTROUTING ACCEPT [1361872:1109689028]
23 :THESHAPER - [0:0]
24 [1243665:74435420] -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
25 [8172740:608021379] -A POSTROUTING -o ppp0 -j THESHAPER
26 [7023821:376002484] -A THESHAPER -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -m length --length 0:64 -j CLASSIFY --set-class 0001:0002
27 [10075:5456791] -A THESHAPER -p icmp -m length --length 512:65535 -j CLASSIFY --set-class 0001:0004
28 [71952:15315906] -A THESHAPER -p icmp -m length --length 0:512 -j CLASSIFY --set-class 0001:0002
29 [0:0] -A THESHAPER -p udp -m udp --sport 22 -j CLASSIFY --set-class 0001:0002
30 [0:0] -A THESHAPER -p udp -m udp --dport 22 -j CLASSIFY --set-class 0001:0002
31 [0:0] -A THESHAPER -p tcp -m tcp --sport 22 -j CLASSIFY --set-class 0001:0002
32 [0:0] -A THESHAPER -p tcp -m tcp --dport 22 -j CLASSIFY --set-class 0001:0002
33 [0:0] -A THESHAPER -p udp -m udp --sport 23 -j CLASSIFY --set-class 0001:0002
34 [0:0] -A THESHAPER -p udp -m udp --dport 23 -j CLASSIFY --set-class 0001:0002
35 [0:0] -A THESHAPER -p tcp -m tcp --sport 23 -j CLASSIFY --set-class 0001:0002
36 [0:0] -A THESHAPER -p tcp -m tcp --dport 23 -j CLASSIFY --set-class 0001:0002
37 [0:0] -A THESHAPER -p udp -m udp --sport 53 -j CLASSIFY --set-class 0001:0002
38 [20524:1361793] -A THESHAPER -p udp -m udp --dport 53 -j CLASSIFY --set-class 0001:0002
39 [0:0] -A THESHAPER -p tcp -m tcp --sport 53 -j CLASSIFY --set-class 0001:0002
40 [1:40] -A THESHAPER -p tcp -m tcp --dport 53 -j CLASSIFY --set-class 0001:0002
41 [1:60] -A THESHAPER -p udp -m udp --sport 3389 -j CLASSIFY --set-class 0001:0002
42 [0:0] -A THESHAPER -p udp -m udp --dport 3389 -j CLASSIFY --set-class 0001:0002
43 [82:3280] -A THESHAPER -p tcp -m tcp --sport 3389 -j CLASSIFY --set-class 0001:0002
44 [2:80] -A THESHAPER -p tcp -m tcp --dport 3389 -j CLASSIFY --set-class 0001:0002
45 [0:0] -A THESHAPER -p udp -m udp --sport 5900 -j CLASSIFY --set-class 0001:0002
46 [0:0] -A THESHAPER -p udp -m udp --dport 5900 -j CLASSIFY --set-class 0001:0002
47 [41:1640] -A THESHAPER -p tcp -m tcp --sport 5900 -j CLASSIFY --set-class 0001:0002
48 [0:0] -A THESHAPER -p tcp -m tcp --dport 5900 -j CLASSIFY --set-class 0001:0002
49 [53643:34260376] -A THESHAPER -p udp -m udp --sport 5060:5100 -j CLASSIFY --set-class 0001:0003
50 [53633:34259746] -A THESHAPER -p udp -m udp --dport 5060:5100 -j CLASSIFY --set-class 0001:0003
51 [0:0] -A THESHAPER -p tcp -m tcp --sport 5060:5100 -j CLASSIFY --set-class 0001:0003
52 [0:0] -A THESHAPER -p tcp -m tcp --dport 5060:5100 -j CLASSIFY --set-class 0001:0003
53 [396629:78895914] -A THESHAPER -p udp -m udp --sport 10000:20000 -j CLASSIFY --set-class 0001:0003
54 [520345:104003244] -A THESHAPER -p udp -m udp --dport 10000:20000 -j CLASSIFY --set-class 0001:0003
55 [19995:799800] -A THESHAPER -p tcp -m tcp --sport 10000:20000 -j CLASSIFY --set-class 0001:0003
56 [1913:108855] -A THESHAPER -p tcp -m tcp --dport 10000:20000 -j CLASSIFY --set-class 0001:0003
57 [2:123] -A THESHAPER -p udp -m udp --sport 5000:5059 -j CLASSIFY --set-class 0001:0003
58 [0:0] -A THESHAPER -p udp -m udp --dport 5000:5059 -j CLASSIFY --set-class 0001:0003
59 [0:0] -A THESHAPER -p tcp -m tcp --sport 5000:5059 -j CLASSIFY --set-class 0001:0003
60 [3:120] -A THESHAPER -p tcp -m tcp --dport 5000:5059 -j CLASSIFY --set-class 0001:0003
61 [10:655] -A THESHAPER -p udp -m udp --sport 8000:8016 -j CLASSIFY --set-class 0001:0003
62 [0:0] -A THESHAPER -p udp -m udp --dport 8000:8016 -j CLASSIFY --set-class 0001:0003
63 [2:80] -A THESHAPER -p tcp -m tcp --sport 8000:8016 -j CLASSIFY --set-class 0001:0003
64 [4:160] -A THESHAPER -p tcp -m tcp --dport 8000:8016 -j CLASSIFY --set-class 0001:0003
65 [0:0] -A THESHAPER -p udp -m udp --sport 5004 -j CLASSIFY --set-class 0001:0003
66 [0:0] -A THESHAPER -p udp -m udp --dport 5004 -j CLASSIFY --set-class 0001:0003
67 [0:0] -A THESHAPER -p tcp -m tcp --sport 5004 -j CLASSIFY --set-class 0001:0003
68 [0:0] -A THESHAPER -p tcp -m tcp --dport 5004 -j CLASSIFY --set-class 0001:0003
69 [0:0] -A THESHAPER -p udp -m udp --sport 1720 -j CLASSIFY --set-class 0001:0003
70 [0:0] -A THESHAPER -p udp -m udp --dport 1720 -j CLASSIFY --set-class 0001:0003
71 [0:0] -A THESHAPER -p tcp -m tcp --sport 1720 -j CLASSIFY --set-class 0001:0003
72 [0:0] -A THESHAPER -p tcp -m tcp --dport 1720 -j CLASSIFY --set-class 0001:0003
73 [0:0] -A THESHAPER -p udp -m udp --sport 1731 -j CLASSIFY --set-class 0001:0003
74 [0:0] -A THESHAPER -p udp -m udp --dport 1731 -j CLASSIFY --set-class 0001:0003
75 [0:0] -A THESHAPER -p tcp -m tcp --sport 1731 -j CLASSIFY --set-class 0001:0003
76 [0:0] -A THESHAPER -p tcp -m tcp --dport 1731 -j CLASSIFY --set-class 0001:0003
77 [0:0] -A THESHAPER -p udp -m udp --sport 80 -j CLASSIFY --set-class 0001:0004
78 [0:0] -A THESHAPER -p udp -m udp --dport 80 -j CLASSIFY --set-class 0001:0004
79 [1949:332543] -A THESHAPER -p tcp -m tcp --sport 80 -j CLASSIFY --set-class 0001:0004
80 [885521:70397908] -A THESHAPER -p tcp -m tcp --dport 80 -j CLASSIFY --set-class 0001:0004
81 [0:0] -A THESHAPER -p udp -m udp --sport 443 -j CLASSIFY --set-class 0001:0004
82 [0:0] -A THESHAPER -p udp -m udp --dport 443 -j CLASSIFY --set-class 0001:0004
83 [0:0] -A THESHAPER -p tcp -m tcp --sport 443 -j CLASSIFY --set-class 0001:0004
84 [6443382:364768277] -A THESHAPER -p tcp -m tcp --dport 443 -j CLASSIFY --set-class 0001:0004
85 [1:68] -A THESHAPER -p udp -m udp --sport 8080 -j CLASSIFY --set-class 0001:0004
86 [0:0] -A THESHAPER -p udp -m udp --dport 8080 -j CLASSIFY --set-class 0001:0004
87 [55:7004] -A THESHAPER -p tcp -m tcp --sport 8080 -j CLASSIFY --set-class 0001:0004
88 [0:0] -A THESHAPER -p tcp -m tcp --dport 8080 -j CLASSIFY --set-class 0001:0004
89 [0:0] -A THESHAPER -p udp -m udp --sport 110 -j CLASSIFY --set-class 0001:0006
90 [0:0] -A THESHAPER -p udp -m udp --dport 110 -j CLASSIFY --set-class 0001:0006
91 [0:0] -A THESHAPER -p tcp -m tcp --sport 110 -j CLASSIFY --set-class 0001:0006
92 [0:0] -A THESHAPER -p tcp -m tcp --dport 110 -j CLASSIFY --set-class 0001:0006
93 [0:0] -A THESHAPER -p udp -m udp --sport 25 -j CLASSIFY --set-class 0001:0006
94 [0:0] -A THESHAPER -p udp -m udp --dport 25 -j CLASSIFY --set-class 0001:0006
95 [0:0] -A THESHAPER -p tcp -m tcp --sport 25 -j CLASSIFY --set-class 0001:0006
96 [7:448] -A THESHAPER -p tcp -m tcp --dport 25 -j CLASSIFY --set-class 0001:0006
97 [0:0] -A THESHAPER -p udp -m udp --sport 21 -j CLASSIFY --set-class 0001:0006
98 [0:0] -A THESHAPER -p udp -m udp --dport 21 -j CLASSIFY --set-class 0001:0006
99 [0:0] -A THESHAPER -p tcp -m tcp --sport 21 -j CLASSIFY --set-class 0001:0006
100 [1036:57940] -A THESHAPER -p tcp -m tcp --dport 21 -j CLASSIFY --set-class 0001:0006
101 [0:0] -A THESHAPER -p udp -m udp --sport 143 -j CLASSIFY --set-class 0001:0006
102 [0:0] -A THESHAPER -p udp -m udp --dport 143 -j CLASSIFY --set-class 0001:0006
103 [0:0] -A THESHAPER -p tcp -m tcp --sport 143 -j CLASSIFY --set-class 0001:0006
104 [0:0] -A THESHAPER -p tcp -m tcp --dport 143 -j CLASSIFY --set-class 0001:0006
105 [0:0] -A THESHAPER -p udp -m udp --sport 445 -j CLASSIFY --set-class 0001:0006
106 [0:0] -A THESHAPER -p udp -m udp --dport 445 -j CLASSIFY --set-class 0001:0006
107 [0:0] -A THESHAPER -p tcp -m tcp --sport 445 -j CLASSIFY --set-class 0001:0006
108 [0:0] -A THESHAPER -p tcp -m tcp --dport 445 -j CLASSIFY --set-class 0001:0006
109 [0:0] -A THESHAPER -p udp -m udp --sport 137:139 -j CLASSIFY --set-class 0001:0006
110 [0:0] -A THESHAPER -p udp -m udp --dport 137:139 -j CLASSIFY --set-class 0001:0006
111 [0:0] -A THESHAPER -p tcp -m tcp --sport 137:139 -j CLASSIFY --set-class 0001:0006
112 [0:0] -A THESHAPER -p tcp -m tcp --dport 137:139 -j CLASSIFY --set-class 0001:0006
113 [0:0] -A THESHAPER -p udp -m udp --sport 4662 -j CLASSIFY --set-class 0001:0006
114 [0:0] -A THESHAPER -p udp -m udp --dport 4662 -j CLASSIFY --set-class 0001:0006
115 [0:0] -A THESHAPER -p tcp -m tcp --sport 4662 -j CLASSIFY --set-class 0001:0006
116 [0:0] -A THESHAPER -p tcp -m tcp --dport 4662 -j CLASSIFY --set-class 0001:0006
117 [0:0] -A THESHAPER -p udp -m udp --sport 4664 -j CLASSIFY --set-class 0001:0006
118 [0:0] -A THESHAPER -p udp -m udp --dport 4664 -j CLASSIFY --set-class 0001:0006
119 [0:0] -A THESHAPER -p tcp -m tcp --sport 4664 -j CLASSIFY --set-class 0001:0006
120 [0:0] -A THESHAPER -p tcp -m tcp --dport 4664 -j CLASSIFY --set-class 0001:0006
121 [34:2191] -A THESHAPER -p udp -m udp --sport 6881:6999 -j CLASSIFY --set-class 0001:0006
122 [0:0] -A THESHAPER -p udp -m udp --dport 6881:6999 -j CLASSIFY --set-class 0001:0006
123 [3249:129960] -A THESHAPER -p tcp -m tcp --sport 6881:6999 -j CLASSIFY --set-class 0001:0006
124 [9:360] -A THESHAPER -p tcp -m tcp --dport 6881:6999 -j CLASSIFY --set-class 0001:0006
125 [22891:2931563] -A THESHAPER -s 192.168.0.124/32 -j CLASSIFY --set-class 0001:0003
126 [0:0] -A THESHAPER -d 192.168.0.124/32 -j CLASSIFY --set-class 0001:0003
127 COMMIT
128 # Completed on Sat Jan 28 15:59:26 2012
129 # Generated by iptables-save v1.4.12.1 on Sat Jan 28 15:59:26 2012
130 *filter
131 :INPUT ACCEPT [20526:17914607]
132 :FORWARD DROP [14:1058]
133 :OUTPUT ACCEPT [998250:831809631]
134 [192628762:74859759957] -A INPUT -i eth0 -j ACCEPT
135 [6192844:3014738098] -A INPUT -s 127.0.0.0/8 -j ACCEPT
136 [5:1640] -A INPUT ! -i eth0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
137 [205:12566] -A INPUT ! -i eth0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
138 [17590730:3513609236] -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
139 [59781:3179663] -A INPUT -p tcp -m tcp --dport 10000:20000 -j ACCEPT
140 [2797011:1324915361] -A INPUT -p udp -m udp --dport 5060 -j ACCEPT
141 [2:92] -A INPUT -p tcp -m tcp --dport 5060 -j ACCEPT
142 [20143:13025745] -A INPUT -p udp -m udp --dport 5080 -j ACCEPT
143 [0:0] -A INPUT -p tcp -m tcp --dport 5080 -j ACCEPT
144 [525803:126748358] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
145 [30093:1576700] -A INPUT ! -i eth0 -p tcp -m tcp --dport 0:1023 -j DROP
146 [1201:237338] -A INPUT ! -i eth0 -p udp -m udp --dport 0:1023 -j DROP
147 [69:4180] -A FORWARD -d 192.168.0.0/16 -i eth0 -j DROP
148 [22774964:3726364438] -A FORWARD -s 192.168.0.0/16 -i eth0 -j ACCEPT
149 [28008662:28639477592] -A FORWARD -d 192.168.0.0/16 -i ppp0 -j ACCEPT
150 COMMIT
151 # Completed on Sat Jan 28 15:59:26 2012

Code:
brctl show
bridge name bridge id STP enabled interfaces

Code:
ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:1b:21:3d:eb:49 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
inet6 fe80::21b:21ff:fe3d:eb49/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:24:1d:21:37:6e brd ff:ff:ff:ff:ff:ff
inet 192.168.0.2/24 brd 192.168.0.255 scope global eth1
inet6 fe80::224:1dff:fe21:376e/64 scope link
valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
link/sit 0.0.0.0 brd 0.0.0.0
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN qlen 3
link/ppp
inet 206.248.160.14 peer 206.248.154.122/32 scope global ppp0


Code:
grep -E '^[^#]' /etc/dnsmasq.conf
domain-needed
bogus-priv
interface=eth0
dhcp-range=192.168.0.100,192.168.0.150,255.255.255.0,12h


Code:
/etc/conf.d/net

# This blank configuration will automatically use DHCP for any net.*
# scripts in /etc/init.d. To create a more complete configuration,
# please review /etc/conf.d/net.example and save your configuration
# in /etc/conf.d/net (this file :]!).

#setup eth1
config_eth1=( "192.168.0.2/24" )

#PPPoE connection (WAN)
config_ppp0=( "ppp" )
link_ppp0="eth1"
plugins_ppp0=( "pppoe" )
username_ppp0="username"
password_ppp0="password"

pppd_ppp0=( # "noauth"
"defaultroute"
"usepeerdns"
# "default-asyncmap"
# "ipcp-accept-remote"
# "ipcp-accept-local"
# "lcp-echo-interval 15"
# "lcp-echo-failure 3"
# "persist"
# "holdoff 5"
# "child-timeout 60"
# "mru 1492"
"mtu 1492"
#lock
)

## noaccomp noccp nobsdcomp nodeflate nopcomp novj novjccomp

#rc_need_ppp0="net.eth1"

#setup lan
config_eth0="192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.255"

#rc_need_br0="net.tap0"
#config_eth0="null" # any any other interfaces you want to bridge
#bridge_br0="eth0"
#config_br0="192.168.0.1/24" # the ip of the original eth0, or dhcp
#brctl_br0=( "setfd 9" "sethello 2" "setmaxage 12" "stp off" )

Hu (Moderator; Joined: 06 Mar 2007; Posts: 16036)
Posted: Sat Jan 28, 2012 9:34 pm

Please use code tags to wrap output from commands. It groups the output nicely and ensures a font that is often more suitable for large data dumps.

If you want other machines on the LAN to have access to the guest, then bridging is best. You can do tricks with NAT/port forwarding to expose selected guest services to the LAN, but bridging will be cleaner in the long term.

Placing both NICs in a single subnet is rarely wise. I suspect it only works for you now because of the use of PPP for your upstream. It would help if you could show the output as it was when the setup was broken. I have not run dnsmasq on an interface enslaved to a bridge, but I expect that it needs to be reconfigured to listen on br0. I know that your firewall rules are written in such a way that the LAN clients will fail when you switch to the bridge. Packets which arrive on an interface enslaved to a bridge use the name of the bridge, not the name of the enslaved interface, when performing matching. Similarly, packets leaving through an enslaved interface will use the bridge name. If you need to write a rule which knows which enslaved interface received the packet, you can use the physdev match to inspect that. Thus, to use the bridge, you need to s/eth0/br0/ all your firewall rules. Of course, if you change them in place, then they will work only when you use the bridge and will fail if you switch back to an unbridged setup. Using a bridge with only a single port enslaved is fine, so after the rules are converted, everything should work independent of whether a guest is actually running at the time.
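An added example, not code from the thread: a small POSIX sh script that applies Hu's s/eth0/br0/ to an iptables-save dump, but only to the operands of -i/-o, and then counts what still matches on the old name. The rule set is a constructed sample modelled on the filter table posted above; on the real host you would feed the output of iptables-save in and review the result before handing it to iptables-restore.

```shell
#!/bin/sh
# Added example, not from the thread. Once eth0 is enslaved to br0, netfilter
# sees LAN packets as arriving on br0, so a rule like
#   -A INPUT ! -i eth0 -p udp --dport 67 -j REJECT
# now matches every DHCP request from the LAN and rejects it. Renaming the
# interface operands to br0 restores the intended meaning of each rule.

# Constructed sample dump, modelled on the filter table posted in the thread.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -j ACCEPT
-A INPUT ! -i eth0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
-A INPUT ! -i eth0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT ! -i eth0 -p tcp -m tcp --dport 0:1023 -j DROP
-A FORWARD -d 192.168.0.0/16 -i eth0 -j DROP
-A FORWARD -s 192.168.0.0/16 -i eth0 -j ACCEPT
-A FORWARD -d 192.168.0.0/16 -i ppp0 -j ACCEPT
COMMIT'

# rewrite_iface OLD NEW: read a dump on stdin and rename OLD to NEW only where
# it is the operand of an interface option. A blanket sed s/eth0/br0/ would
# also rewrite comments or unrelated tokens; this tokenised pass does not.
rewrite_iface() {
    awk -v old="$1" -v new="$2" '
    {
        for (i = 2; i <= NF; i++)
            if ($i == old && ($(i-1) == "-i" || $(i-1) == "-o" ||
                              $(i-1) == "--in-interface" ||
                              $(i-1) == "--out-interface"))
                $i = new
        print
    }'
}

# count_iface NAME: number of rules on stdin that match on interface NAME.
count_iface() {
    awk -v name="$1" '
    {
        for (i = 2; i <= NF; i++)
            if ($i == name && ($(i-1) == "-i" || $(i-1) == "-o" ||
                               $(i-1) == "--in-interface" ||
                               $(i-1) == "--out-interface"))
                n++
    }
    END { print n + 0 }'
}

# converted_rules: the sample dump after the eth0 -> br0 conversion.
converted_rules() {
    printf '%s\n' "$SAMPLE_RULES" | rewrite_iface eth0 br0
}

# rules_on NAME: how many rules in the converted set match on NAME. Anything
# but 0 for eth0 means some rule will misfire once the bridge is up.
rules_on() {
    converted_rules | count_iface "$1"
}

# Stand-alone use: print the converted rules and a one-line summary.
converted_rules
printf 'rules on eth0: %s, on br0: %s, on ppp0: %s\n' \
    "$(rules_on eth0)" "$(rules_on br0)" "$(rules_on ppp0)"
```

The ppp0 rules are untouched by design: the upstream side is not part of the bridge, so only the LAN-facing matches change.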

mondjef (n00b; Joined: 13 Jun 2011; Posts: 40; Location: Ottawa, ON...Canada)
Posted: Sat Jan 28, 2012 9:51 pm

Sorry about the code tags, should have known as I read enough of the posts but rarely get the chance to post and help someone else out...one day.

Ok, at one point in my configuration I had changed dnsmasq to use the br0 interface instead of eth0. I had wondered about the iptables rules having something to do with it. I will reconfigure the bridge, have dnsmasq use br0 instead of eth0, and last but not least change all my iptables rules to use br0 instead of eth0, and report back whether I can have beer yet or not. Thanks again for taking the time to troubleshoot this.

NeddySeagoon (Administrator; Joined: 05 Jul 2003; Posts: 46376; Location: 56N 3W)
Posted: Sat Jan 28, 2012 10:06 pm

mondjef,

You get to have a beer anyway.

I use Virtual Machine Manager on a remote system for managing my KVMs.

The real hardware has four NICs all bridged to a VM router/firewall done with shorewall.
The NICs are for the Internet, the DMZ, wireless and protected wired. I don't use PPPoE as my VDSL 'modem' does that.

I had to draw out the networking several times, with IP numbers, to get it right as I wanted minimal downtime when I switched from a Smoothwall box.
I also have KVMs on that system for a media server and mail server.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

mondjef (n00b; Joined: 13 Jun 2011; Posts: 40; Location: Ottawa, ON...Canada)
Posted: Sat Jan 28, 2012 10:11 pm

Success! I can ssh into the box from a client on same LAN and access internet. I will continue with getting the VM running now. Thank you very much for your help.

mondjef (n00b; Joined: 13 Jun 2011; Posts: 40; Location: Ottawa, ON...Canada)
Posted: Sat Jan 28, 2012 10:14 pm

NeddySeagoon wrote:
mondjef,

You get to have a beer anyway.

I use Virtual Machine Manager on a remote system for managing my KVMs

The real hardware has four NICs all bridged to a VM router/firewall done with shorewall.
The NICs are for the Internet, the DMZ, wireless and protected wired. I don't use PPPoE as my VDSL 'modem' does that.

I had to draw out the networking several times, with IP numbers, to get it right as I wanted minimal downtime when I switched from a Smoothwall box.
I also have KVMs on that system for a media server and mail server.


Very interesting, NeddySeagoon. I am always interested in new ways of doing things that can improve my setup. What were the reasons for setting things up that way: more secure, easier to manage, performance?

NeddySeagoon (Administrator; Joined: 05 Jul 2003; Posts: 46376; Location: 56N 3W)
Posted: Sat Jan 28, 2012 10:30 pm

mondjef,

I had been using a 4 way Smoothwall for years for security and the time came when it wasn't fast enough to handle my downlink.

I didn't intend to use bridging - I wanted to use PCI passthrough but the 4 way NIC I bought did not support it. Ooops.
The bare metal install is a minimal hardened install for supporting KVM, which is what I intended. It has its own Physical Volume in an lvm set.

I had to fall back to bridging when PCI passthrough would not work for me, or buy another 4 way NIC.
The KVMs all share a different Physical Volume and have one or more logical volumes each.
I use the virtio drivers as the performance is better than the emulated hardware plus drivers. Using logical volumes for the KVMs cuts out the overhead of a filesystem in a file too.

I did start writing it up but it's by no means complete.

mondjef (n00b; Joined: 13 Jun 2011; Posts: 40; Location: Ottawa, ON...Canada)
Posted: Sun Jan 29, 2012 7:42 pm

Ok, finally had time to install a VM, but now I am having network problems with clients/Guest OS connected to this machine. It seems no clients (DHCP) or Guest OS on the same LAN (which receive IPs via DHCP also) can communicate with each other. Anyone have any suggestions on where and how to troubleshoot this?

jamapii (l33t; Joined: 16 Sep 2004; Posts: 601)
Posted: Sun Jan 29, 2012 8:01 pm

I guess most problems will result from lack of doing

Hu wrote:
s/eth0/br0/


for everything, netfilter rules, dnsmasq, mail, squid or any other servers that refer to an interface in their config files.

Not that you should change your configuration now that it works, but for anyone reading this...

In the special case of running VMs on the router, I would recommend a separate internal network (this has been referred to as "Host-only networking" in GUI-dependent VM software). LAN machines will see it as it's covered by the default route. However, as I did it, it involved a bridge device anyway; this is where qemu connects its tap devices. Then, firewall rules refer not to "eth0", but to "any internal device".

jamapii (l33t; Joined: 16 Sep 2004; Posts: 601)
Posted: Sun Jan 29, 2012 10:47 pm    Post subject: this message saved from the forums outage

mondjef wrote:
It seems no clients (DHCP) or Guest OS on the same LAN (receive IP via DHCP also) can communicate with each other. Anyone have any suggestions on where and how to troubleshoot this?


If the DHCP clients have correct IP addresses but can't communicate with each other, your switch is broken, as (if?) this does not go through the router.

If the clients just can't reach the router, I think then the bridging is broken. I also wouldn't completely rule out the firewall rules.

My favourite tool to watch where traffic does or doesn't go is: iptraf.

My bridging setup in /etc/conf.d/net is
Code:
tuntap_tap0="tap"
brctl_br0="setfd 0
sethello 0
stp off"
bridge_br0="tap0"
config_br0="10.30.12.1/24"
config_tap0="null"
RC_AFTER_br0="net.tap0"         # _NEED_ is broken
rc_need_br0="net.tap0"      # this is overkill, but one of them does it

where tap0 is a dummy device to get br0 started (because I don't add eth0),
and br0 bridges all the VMs together. Yours might be

Code:
brctl_br0="setfd 0
sethello 0
stp off"    # probably leave this out
bridge_br0="eth0"
config_br0="10.1.2.3/24"
rc_need_br0="net.eth0"


I think you may want to leave out the brctl_ lines, maybe it's safer that way.

And maybe you need a special (non-default) /etc/qemu/qemu-ifup, I don't know how this is handled usually.

However, this just applies if your test for "it communicates" is ping. If you mean nfs, cifs/samba, or something like that, there may still be an "eth0" in the specific config file, waiting to be replaced with br0.
Hu
Moderator


Joined: 06 Mar 2007
Posts: 16036

PostPosted: Sun Jan 29, 2012 10:49 pm    Post subject:

mondjef wrote:
Anyone have any suggestions on where and how to troubleshoot this?
Please elaborate on the nature of the non-communication. At what layer do they fail to communicate? Which protocols are affected?

Last edited by Hu on Sun Feb 05, 2012 5:54 pm; edited 1 time in total
mondjef
n00b


Joined: 13 Jun 2011
Posts: 40
Location: Ottawa, ON...Canada

PostPosted: Fri Feb 03, 2012 2:58 am    Post subject:

OK, I finally had some more time to troubleshoot this, as far as I am capable of given my current Linux abilities.

Here is how things look:

Host:
ppp0 (eth1) --> WAN, assigned a public IP address by the ISP via DHCP
br0 (192.168.0.1) --> bridged with eth0; all LAN clients and VMs are connected to this bridge. Both LAN clients and VMs are assigned IPs via DHCP from the host, so everyone is on the same subnet.

Code:

ifconfig
br0       Link encap:Ethernet  HWaddr 00:1b:21:3d:eb:49 
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::21b:21ff:fe3d:eb49/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:153956 errors:0 dropped:0 overruns:0 frame:0
          TX packets:208086 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:17153054 (16.3 MiB)  TX bytes:197691857 (188.5 MiB)

eth0      Link encap:Ethernet  HWaddr 00:1b:21:3d:eb:49 
          inet6 addr: fe80::21b:21ff:fe3d:eb49/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:123198 errors:0 dropped:0 overruns:0 frame:0
          TX packets:157195 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:17223138 (16.4 MiB)  TX bytes:111684577 (106.5 MiB)
          Interrupt:17 Memory:fdbc0000-fdbe0000

eth1      Link encap:Ethernet  HWaddr 00:24:1d:21:37:6e 
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::224:1dff:fe21:376e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:155334 errors:0 dropped:0 overruns:0 frame:0
          TX packets:116202 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:162469945 (154.9 MiB)  TX bytes:19671558 (18.7 MiB)
          Interrupt:43 Base address:0xe000

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:83492 errors:0 dropped:0 overruns:0 frame:0
          TX packets:83492 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:39465340 (37.6 MiB)  TX bytes:39465340 (37.6 MiB)

ppp0      Link encap:Point-to-Point Protocol 
          inet addr:xxx.xxx.xxx.xxx  P-t-P:xxx.xxx.xxx.xxx  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:154954 errors:0 dropped:0 overruns:0 frame:0
          TX packets:115815 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:159038018 (151.6 MiB)  TX bytes:17111588 (16.3 MiB)

vnet0     Link encap:Ethernet  HWaddr fe:54:00:40:b9:07 
          inet6 addr: fe80::fc54:ff:fe40:b907/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:30748 errors:0 dropped:0 overruns:0 frame:0
          TX packets:59178 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:2126696 (2.0 MiB)  TX bytes:86541059 (82.5 MiB)

ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:1b:21:3d:eb:49 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::21b:21ff:fe3d:eb49/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:24:1d:21:37:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.2/24 brd 192.168.0.255 scope global eth1
    inet6 fe80::224:1dff:fe21:376e/64 scope link
       valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
    link/sit 0.0.0.0 brd 0.0.0.0
5: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:1b:21:3d:eb:49 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global br0
    inet6 fe80::21b:21ff:fe3d:eb49/64 scope link
       valid_lft forever preferred_lft forever
6: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp
    inet xxx.xxx.xxx.xxx peer xxx.xxx.xxx.xxx/32 scope global ppp0
10: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether fe:54:00:40:b9:07 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fe40:b907/64 scope link
       valid_lft forever preferred_lft forever

route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
xxx.xxx.xxx.xxx *               255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     *               255.255.255.0   U     0      0        0 br0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
loopback        rivermistbeast  255.0.0.0       UG    0      0        0 lo
default         xxx.xxx.xxx.xxx 0.0.0.0         UG    4006   0        0 ppp0


Kubuntu Desktop computer: assigned ip 192.168.0.123 via DHCP

Code:

ifconfig
eth1      Link encap:Ethernet  HWaddr 00:e0:18:db:78:e0 
          inet addr:192.168.0.123  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::2e0:18ff:fedb:78e0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3840009 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3014765 errors:0 dropped:0 overruns:3 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4095484213 (4.0 GB)  TX bytes:1794717940 (1.7 GB)
          Interrupt:21 Base address:0xb400

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:295 errors:0 dropped:0 overruns:0 frame:0
          TX packets:295 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:29211 (29.2 KB)  TX bytes:29211 (29.2 KB)

virbr0    Link encap:Ethernet  HWaddr 92:31:2f:22:c1:cf 
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          inet6 addr: fe80::9031:2fff:fe22:c1cf/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2145 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:1090373 (1.0 MB)

route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     1      0        0 eth1
192.168.122.0   *               255.255.255.0   U     0      0        0 virbr0
link-local      *               255.255.0.0     U     1000   0        0 eth1
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1

ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:e0:18:db:78:e0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.123/24 brd 192.168.0.255 scope global eth1
    inet6 fe80::2e0:18ff:fedb:78e0/64 scope link
       valid_lft forever preferred_lft forever
3: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 92:31:2f:22:c1:cf brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
    inet6 fe80::9031:2fff:fe22:c1cf/64 scope link
       valid_lft forever preferred_lft forever
4: vboxnet0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 0a:00:27:00:00:00 brd ff:ff:ff:ff:ff:ff




VM: Ubuntu server: assigned ip 192.168.0.130 via DHCP

Code:

ifconfig
eth0      Link encap:Ethernet  HWaddr 52:54:00:40:b9:07 
          inet addr:192.168.0.130  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::5054:ff:fe40:b907/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:59344 errors:0 dropped:0 overruns:0 frame:0
          TX packets:30788 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:86553387 (86.5 MB)  TX bytes:2131977 (2.1 MB)

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:15 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:772 (772.0 B)  TX bytes:772 (772.0 B)


route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
localnet        *               255.255.255.0   U     0      0        0 eth0
default         192.168.0.1     0.0.0.0         UG    100    0        0 eth0


ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 52:54:00:40:b9:07 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.130/24 brd 192.168.0.255 scope global eth0
    inet6 fe80::5054:ff:fe40:b907/64 scope link
       valid_lft forever preferred_lft forever



I can ssh/ping from the host to both the VM and the Kubuntu Desktop computer, and I can ping the host from both the VM and the Kubuntu Desktop computer. What I cannot seem to do is ssh/ping the VM from another physical computer on the LAN such as the Kubuntu Desktop computer. However, I did have success when I temporarily disabled my firewall (iptables) on the host machine, which leads me to believe that there is only an issue with firewall rules, as previously mentioned by jamapii. Iptables is another thing on my list of things to master, but it's not there yet. I looked at the rules and there is only one rule that draws my attention, but I'm not sure what doors I might be opening if I just outright remove the rule (rule #147 below). Is there something else in my iptables rules that I need to change to get this working (besides, I know... "Get a megaphone and a ladder. Get up as high as you can, then begin blasting as much detail as possible to anyone who will listen.")?

Code:

iptables-save -c | cat -n
     1   # Generated by iptables-save v1.4.12.1 on Thu Feb  2 21:58:25 2012
     2   *raw
     3   :PREROUTING ACCEPT [13115083:10049563998]
     4   :OUTPUT ACCEPT [5138885:7341377909]
     5   COMMIT
     6   # Completed on Thu Feb  2 21:58:25 2012
     7   # Generated by iptables-save v1.4.12.1 on Thu Feb  2 21:58:25 2012
     8   *nat
     9   :PREROUTING ACCEPT [57753:3757692]
    10   :INPUT ACCEPT [32044:2163246]
    11   :OUTPUT ACCEPT [20301:1402719]
    12   :POSTROUTING ACCEPT [4941:309163]
    13   [40527:2652644] -A POSTROUTING -o ppp0 -j MASQUERADE
    14   COMMIT
    15   # Completed on Thu Feb  2 21:58:25 2012
    16   # Generated by iptables-save v1.4.12.1 on Thu Feb  2 21:58:25 2012
    17   *mangle
    18   :PREROUTING ACCEPT [13115076:10049555006]
    19   :INPUT ACCEPT [8269087:5484942719]
    20   :FORWARD ACCEPT [4849056:4564763760]
    21   :OUTPUT ACCEPT [5138879:7341377549]
    22   :POSTROUTING ACCEPT [9987781:11906097529]
    23   :THESHAPER - [0:0]
    24   [44860:2722592] -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    25   [3776264:325524432] -A POSTROUTING -o ppp0 -j THESHAPER
    26   [2997321:160590422] -A THESHAPER -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK ACK -m length --length 0:64 -j CLASSIFY --set-class 0001:0002
    27   [442:240053] -A THESHAPER -p icmp -m length --length 512:65535 -j CLASSIFY --set-class 0001:0004
    28   [11262:1984064] -A THESHAPER -p icmp -m length --length 0:512 -j CLASSIFY --set-class 0001:0002
    29   [0:0] -A THESHAPER -p udp -m udp --sport 22 -j CLASSIFY --set-class 0001:0002
    30   [0:0] -A THESHAPER -p udp -m udp --dport 22 -j CLASSIFY --set-class 0001:0002
    31   [0:0] -A THESHAPER -p tcp -m tcp --sport 22 -j CLASSIFY --set-class 0001:0002
    32   [0:0] -A THESHAPER -p tcp -m tcp --dport 22 -j CLASSIFY --set-class 0001:0002
    33   [0:0] -A THESHAPER -p udp -m udp --sport 23 -j CLASSIFY --set-class 0001:0002
    34   [0:0] -A THESHAPER -p udp -m udp --dport 23 -j CLASSIFY --set-class 0001:0002
    35   [0:0] -A THESHAPER -p tcp -m tcp --sport 23 -j CLASSIFY --set-class 0001:0002
    36   [0:0] -A THESHAPER -p tcp -m tcp --dport 23 -j CLASSIFY --set-class 0001:0002
    37   [0:0] -A THESHAPER -p udp -m udp --sport 53 -j CLASSIFY --set-class 0001:0002
    38   [15618:1027629] -A THESHAPER -p udp -m udp --dport 53 -j CLASSIFY --set-class 0001:0002
    39   [0:0] -A THESHAPER -p tcp -m tcp --sport 53 -j CLASSIFY --set-class 0001:0002
    40   [0:0] -A THESHAPER -p tcp -m tcp --dport 53 -j CLASSIFY --set-class 0001:0002
    41   [0:0] -A THESHAPER -p udp -m udp --sport 3389 -j CLASSIFY --set-class 0001:0002
    42   [0:0] -A THESHAPER -p udp -m udp --dport 3389 -j CLASSIFY --set-class 0001:0002
    43   [55:2200] -A THESHAPER -p tcp -m tcp --sport 3389 -j CLASSIFY --set-class 0001:0002
    44   [1:40] -A THESHAPER -p tcp -m tcp --dport 3389 -j CLASSIFY --set-class 0001:0002
    45   [0:0] -A THESHAPER -p udp -m udp --sport 5900 -j CLASSIFY --set-class 0001:0002
    46   [0:0] -A THESHAPER -p udp -m udp --dport 5900 -j CLASSIFY --set-class 0001:0002
    47   [17:680] -A THESHAPER -p tcp -m tcp --sport 5900 -j CLASSIFY --set-class 0001:0002
    48   [0:0] -A THESHAPER -p tcp -m tcp --dport 5900 -j CLASSIFY --set-class 0001:0002
    49   [18869:14448825] -A THESHAPER -p udp -m udp --sport 5060:5100 -j CLASSIFY --set-class 0001:0003
    50   [18857:14448052] -A THESHAPER -p udp -m udp --dport 5060:5100 -j CLASSIFY --set-class 0001:0003
    51   [0:0] -A THESHAPER -p tcp -m tcp --sport 5060:5100 -j CLASSIFY --set-class 0001:0003
    52   [0:0] -A THESHAPER -p tcp -m tcp --dport 5060:5100 -j CLASSIFY --set-class 0001:0003
    53   [489947:97677378] -A THESHAPER -p udp -m udp --sport 10000:20000 -j CLASSIFY --set-class 0001:0003
    54   [488004:97570389] -A THESHAPER -p udp -m udp --dport 10000:20000 -j CLASSIFY --set-class 0001:0003
    55   [5502:220080] -A THESHAPER -p tcp -m tcp --sport 10000:20000 -j CLASSIFY --set-class 0001:0003
    56   [11178:1546928] -A THESHAPER -p tcp -m tcp --dport 10000:20000 -j CLASSIFY --set-class 0001:0003
    57   [13:832] -A THESHAPER -p udp -m udp --sport 5000:5059 -j CLASSIFY --set-class 0001:0003
    58   [1:128] -A THESHAPER -p udp -m udp --dport 5000:5059 -j CLASSIFY --set-class 0001:0003
    59   [1:40] -A THESHAPER -p tcp -m tcp --sport 5000:5059 -j CLASSIFY --set-class 0001:0003
    60   [5:212] -A THESHAPER -p tcp -m tcp --dport 5000:5059 -j CLASSIFY --set-class 0001:0003
    61   [2:134] -A THESHAPER -p udp -m udp --sport 8000:8016 -j CLASSIFY --set-class 0001:0003
    62   [0:0] -A THESHAPER -p udp -m udp --dport 8000:8016 -j CLASSIFY --set-class 0001:0003
    63   [0:0] -A THESHAPER -p tcp -m tcp --sport 8000:8016 -j CLASSIFY --set-class 0001:0003
    64   [0:0] -A THESHAPER -p tcp -m tcp --dport 8000:8016 -j CLASSIFY --set-class 0001:0003
    65   [0:0] -A THESHAPER -p udp -m udp --sport 5004 -j CLASSIFY --set-class 0001:0003
    66   [0:0] -A THESHAPER -p udp -m udp --dport 5004 -j CLASSIFY --set-class 0001:0003
    67   [0:0] -A THESHAPER -p tcp -m tcp --sport 5004 -j CLASSIFY --set-class 0001:0003
    68   [0:0] -A THESHAPER -p tcp -m tcp --dport 5004 -j CLASSIFY --set-class 0001:0003
    69   [1:63] -A THESHAPER -p udp -m udp --sport 1720 -j CLASSIFY --set-class 0001:0003
    70   [0:0] -A THESHAPER -p udp -m udp --dport 1720 -j CLASSIFY --set-class 0001:0003
    71   [0:0] -A THESHAPER -p tcp -m tcp --sport 1720 -j CLASSIFY --set-class 0001:0003
    72   [0:0] -A THESHAPER -p tcp -m tcp --dport 1720 -j CLASSIFY --set-class 0001:0003
    73   [0:0] -A THESHAPER -p udp -m udp --sport 1731 -j CLASSIFY --set-class 0001:0003
    74   [0:0] -A THESHAPER -p udp -m udp --dport 1731 -j CLASSIFY --set-class 0001:0003
    75   [0:0] -A THESHAPER -p tcp -m tcp --sport 1731 -j CLASSIFY --set-class 0001:0003
    76   [0:0] -A THESHAPER -p tcp -m tcp --dport 1731 -j CLASSIFY --set-class 0001:0003
    77   [0:0] -A THESHAPER -p udp -m udp --sport 80 -j CLASSIFY --set-class 0001:0004
    78   [0:0] -A THESHAPER -p udp -m udp --dport 80 -j CLASSIFY --set-class 0001:0004
    79   [473:101960] -A THESHAPER -p tcp -m tcp --sport 80 -j CLASSIFY --set-class 0001:0004
    80   [1540229:104170849] -A THESHAPER -p tcp -m tcp --dport 80 -j CLASSIFY --set-class 0001:0004
    81   [0:0] -A THESHAPER -p udp -m udp --sport 443 -j CLASSIFY --set-class 0001:0004
    82   [0:0] -A THESHAPER -p udp -m udp --dport 443 -j CLASSIFY --set-class 0001:0004
    83   [0:0] -A THESHAPER -p tcp -m tcp --sport 443 -j CLASSIFY --set-class 0001:0004
    84   [1527454:93479594] -A THESHAPER -p tcp -m tcp --dport 443 -j CLASSIFY --set-class 0001:0004
    85   [0:0] -A THESHAPER -p udp -m udp --sport 8080 -j CLASSIFY --set-class 0001:0004
    86   [0:0] -A THESHAPER -p udp -m udp --dport 8080 -j CLASSIFY --set-class 0001:0004
    87   [57:6880] -A THESHAPER -p tcp -m tcp --sport 8080 -j CLASSIFY --set-class 0001:0004
    88   [6:360] -A THESHAPER -p tcp -m tcp --dport 8080 -j CLASSIFY --set-class 0001:0004
    89   [0:0] -A THESHAPER -p udp -m udp --sport 110 -j CLASSIFY --set-class 0001:0006
    90   [0:0] -A THESHAPER -p udp -m udp --dport 110 -j CLASSIFY --set-class 0001:0006
    91   [0:0] -A THESHAPER -p tcp -m tcp --sport 110 -j CLASSIFY --set-class 0001:0006
    92   [0:0] -A THESHAPER -p tcp -m tcp --dport 110 -j CLASSIFY --set-class 0001:0006
    93   [0:0] -A THESHAPER -p udp -m udp --sport 25 -j CLASSIFY --set-class 0001:0006
    94   [0:0] -A THESHAPER -p udp -m udp --dport 25 -j CLASSIFY --set-class 0001:0006
    95   [0:0] -A THESHAPER -p tcp -m tcp --sport 25 -j CLASSIFY --set-class 0001:0006
    96   [0:0] -A THESHAPER -p tcp -m tcp --dport 25 -j CLASSIFY --set-class 0001:0006
    97   [0:0] -A THESHAPER -p udp -m udp --sport 21 -j CLASSIFY --set-class 0001:0006
    98   [0:0] -A THESHAPER -p udp -m udp --dport 21 -j CLASSIFY --set-class 0001:0006
    99   [0:0] -A THESHAPER -p tcp -m tcp --sport 21 -j CLASSIFY --set-class 0001:0006
   100   [22:1420] -A THESHAPER -p tcp -m tcp --dport 21 -j CLASSIFY --set-class 0001:0006
   101   [0:0] -A THESHAPER -p udp -m udp --sport 143 -j CLASSIFY --set-class 0001:0006
   102   [0:0] -A THESHAPER -p udp -m udp --dport 143 -j CLASSIFY --set-class 0001:0006
   103   [0:0] -A THESHAPER -p tcp -m tcp --sport 143 -j CLASSIFY --set-class 0001:0006
   104   [0:0] -A THESHAPER -p tcp -m tcp --dport 143 -j CLASSIFY --set-class 0001:0006
   105   [0:0] -A THESHAPER -p udp -m udp --sport 445 -j CLASSIFY --set-class 0001:0006
   106   [0:0] -A THESHAPER -p udp -m udp --dport 445 -j CLASSIFY --set-class 0001:0006
   107   [0:0] -A THESHAPER -p tcp -m tcp --sport 445 -j CLASSIFY --set-class 0001:0006
   108   [0:0] -A THESHAPER -p tcp -m tcp --dport 445 -j CLASSIFY --set-class 0001:0006
   109   [0:0] -A THESHAPER -p udp -m udp --sport 137:139 -j CLASSIFY --set-class 0001:0006
   110   [0:0] -A THESHAPER -p udp -m udp --dport 137:139 -j CLASSIFY --set-class 0001:0006
   111   [0:0] -A THESHAPER -p tcp -m tcp --sport 137:139 -j CLASSIFY --set-class 0001:0006
   112   [0:0] -A THESHAPER -p tcp -m tcp --dport 137:139 -j CLASSIFY --set-class 0001:0006
   113   [0:0] -A THESHAPER -p udp -m udp --sport 4662 -j CLASSIFY --set-class 0001:0006
   114   [0:0] -A THESHAPER -p udp -m udp --dport 4662 -j CLASSIFY --set-class 0001:0006
   115   [0:0] -A THESHAPER -p tcp -m tcp --sport 4662 -j CLASSIFY --set-class 0001:0006
   116   [0:0] -A THESHAPER -p tcp -m tcp --dport 4662 -j CLASSIFY --set-class 0001:0006
   117   [0:0] -A THESHAPER -p udp -m udp --sport 4664 -j CLASSIFY --set-class 0001:0006
   118   [0:0] -A THESHAPER -p udp -m udp --dport 4664 -j CLASSIFY --set-class 0001:0006
   119   [0:0] -A THESHAPER -p tcp -m tcp --sport 4664 -j CLASSIFY --set-class 0001:0006
   120   [0:0] -A THESHAPER -p tcp -m tcp --dport 4664 -j CLASSIFY --set-class 0001:0006
   121   [2040:248328] -A THESHAPER -p udp -m udp --sport 6881:6999 -j CLASSIFY --set-class 0001:0006
   122   [48:5506] -A THESHAPER -p udp -m udp --dport 6881:6999 -j CLASSIFY --set-class 0001:0006
   123   [0:0] -A THESHAPER -p tcp -m tcp --sport 6881:6999 -j CLASSIFY --set-class 0001:0006
   124   [2876:184626] -A THESHAPER -p tcp -m tcp --dport 6881:6999 -j CLASSIFY --set-class 0001:0006
   125   [7716:1021547] -A THESHAPER -s 192.168.0.124/32 -j CLASSIFY --set-class 0001:0003
   126   [0:0] -A THESHAPER -d 192.168.0.124/32 -j CLASSIFY --set-class 0001:0003
   127   COMMIT
   128   # Completed on Thu Feb  2 21:58:25 2012
   129   # Generated by iptables-save v1.4.12.1 on Thu Feb  2 21:58:25 2012
   130   *filter
   131   :INPUT ACCEPT [3636:584155]
   132   :FORWARD DROP [14:4592]
   133   :OUTPUT ACCEPT [309876:510067666]
   134   [5068014:1894271762] -A INPUT -i br0 -j ACCEPT
   135   [514690:314770038] -A INPUT -s 127.0.0.0/8 -j ACCEPT
   136   [0:0] -A INPUT ! -i br0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
   137   [0:0] -A INPUT ! -i br0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
   138   [494696:99015054] -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
   139   [5531:276461] -A INPUT -p tcp -m tcp --dport 10000:20000 -j ACCEPT
   140   [36:17869] -A INPUT -p udp -m udp --dport 5060 -j ACCEPT
   141   [0:0] -A INPUT -p tcp -m tcp --dport 5060 -j ACCEPT
   142   [18696:12118601] -A INPUT -p udp -m udp --dport 5080 -j ACCEPT
   143   [0:0] -A INPUT -p tcp -m tcp --dport 5080 -j ACCEPT
   144   [567:81467] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
   145   [398:21612] -A INPUT ! -i br0 -p tcp -m tcp --dport 0:1023 -j DROP
   146   [4:302] -A INPUT ! -i br0 -p udp -m udp --dport 0:1023 -j DROP
   147   [50:5452] -A FORWARD -d 192.168.0.0/16 -i br0 -j DROP
   148   [1711827:122814403] -A FORWARD -s 192.168.0.0/16 -i br0 -j ACCEPT
   149   [3137027:4441890997] -A FORWARD -d 192.168.0.0/16 -i ppp0 -j ACCEPT
   150   COMMIT
   151   # Completed on Thu Feb  2 21:58:25 2012

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  loopback/8           anywhere           
REJECT     udp  --  anywhere             anywhere             udp dpt:bootps reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             udp dpt:domain reject-with icmp-port-unreachable
ACCEPT     udp  --  anywhere             anywhere             udp dpts:10000:20000
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:10000:20000
ACCEPT     udp  --  anywhere             anywhere             udp dpt:5060
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5060
ACCEPT     udp  --  anywhere             anywhere             udp dpt:5080
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5080
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
DROP       tcp  --  anywhere             anywhere             tcp dpts:0:1023
DROP       udp  --  anywhere             anywhere             udp dpts:0:1023

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             192.168.0.0/16
ACCEPT     all  --  192.168.0.0/16       anywhere           
ACCEPT     all  --  anywhere             192.168.0.0/16     

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination   

iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere



If you need more info, please let me know. Thank you for your time and effort.
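The rule mondjef singles out (#147) is easiest to reason about by walking the FORWARD chain the way the kernel does: top down, first match wins, chain policy otherwise. The evaluator below is an added example, not code from the thread; it copies the three FORWARD rules from the iptables-save dump above (counters stripped) and runs constructed packets through them. It assumes that frames bridged between a LAN client and the VM on br0 are handed to iptables' FORWARD chain (the bridge-nf-call-iptables sysctl, which the thread does not show but mondjef's "works with iptables off" observation is consistent with).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rule lines copied from the *filter section of the iptables-save dump, in table order.
FORWARD_RULES = [
    "-A FORWARD -d 192.168.0.0/16 -i br0 -j DROP",
    "-A FORWARD -s 192.168.0.0/16 -i br0 -j ACCEPT",
    "-A FORWARD -d 192.168.0.0/16 -i ppp0 -j ACCEPT",
]
FORWARD_POLICY = "DROP"  # ":FORWARD DROP" in the dump


@dataclass
class Packet:
    in_iface: str  # interface the kernel sees the packet arrive on (a bridge port reports as br0)
    src: str
    dst: str


@dataclass
class Rule:
    text: str
    target: str
    in_iface: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    negate: Tuple[str, ...] = ()  # matches that were written with a leading "!"


def parse_rule(line: str) -> Rule:
    """Parse the subset of iptables-save syntax these rules use: -A, [!] -i/-s/-d, -j."""
    toks = line.split()
    rule = Rule(text=line, target="")
    negated = []
    i = 0
    while i < len(toks):
        tok = toks[i]
        neg = tok == "!"
        if neg:  # "! -i br0" negates the following match
            i += 1
            tok = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else ""
        if tok == "-A":
            pass  # chain name; this evaluator handles one chain at a time
        elif tok == "-i":
            rule.in_iface = arg
        elif tok == "-s":
            rule.src = ipaddress.ip_network(arg, strict=False)
        elif tok == "-d":
            rule.dst = ipaddress.ip_network(arg, strict=False)
        elif tok == "-j":
            rule.target = arg
        else:
            raise ValueError(f"unsupported match {tok!r} in {line!r}")
        if neg:
            negated.append(tok)
        i += 2
    rule.negate = tuple(negated)
    return rule


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every match the rule specifies must hold (after any negation) for it to fire."""
    checks = {
        "-i": (rule.in_iface, lambda v: pkt.in_iface == v),
        "-s": (rule.src, lambda v: ipaddress.ip_address(pkt.src) in v),
        "-d": (rule.dst, lambda v: ipaddress.ip_address(pkt.dst) in v),
    }
    for flag, (value, test) in checks.items():
        if value is None:
            continue
        hit = test(value)
        if flag in rule.negate:
            hit = not hit
        if not hit:
            return False
    return True


def evaluate(rule_lines: List[str], policy: str, pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the chain top-down; return (verdict, 1-based rule index) or (policy, None)."""
    for n, line in enumerate(rule_lines, 1):
        rule = parse_rule(line)
        if matches(rule, pkt):
            return rule.target, n
    return policy, None


# Constructed packets for the paths discussed in the thread (203.0.113.10 is a documentation address).
SAMPLE_PACKETS = {
    "LAN desktop -> VM (both on br0)": Packet("br0", "192.168.0.123", "192.168.0.130"),
    "LAN desktop -> Internet": Packet("br0", "192.168.0.123", "203.0.113.10"),
    "Internet -> LAN desktop (via ppp0)": Packet("ppp0", "203.0.113.10", "192.168.0.123"),
    "eth1 -> LAN desktop (no rule names eth1)": Packet("eth1", "192.168.0.2", "192.168.0.123"),
}


def walk_chain() -> dict:
    return {name: evaluate(FORWARD_RULES, FORWARD_POLICY, p) for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, (verdict, idx) in walk_chain().items():
        print(f"{name:42s} -> {verdict} ({f'rule {idx}' if idx else 'chain policy'})")
```

The first packet (desktop to VM, arriving on br0 with a 192.168.0.0/16 destination) is the only one that hits rule 1, so it is the frame the DROP counter [50:5452] has been counting; note also that none of the three rules uses a conntrack state match, so rule 3 accepts any ppp0 packet addressed into 192.168.0.0/16 regardless of whether a LAN host initiated the connection.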
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 46376
Location: 56N 3W

PostPosted: Fri Feb 03, 2012 7:01 pm    Post subject:

mondjef,

This has to be wrong. You may not have two interfaces in the same subnet.

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
xxx.xxx.xxx.xxx *               255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     *               255.255.255.0   U     0      0        0 br0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
loopback        rivermistbeast  255.0.0.0       UG    0      0        0 lo
default         xxx.xxx.xxx.xxx 0.0.0.0         UG    4006   0        0 ppp0


Code:
br0       Link encap:Ethernet  HWaddr 00:1b:21:3d:eb:49 
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
 
eth1      Link encap:Ethernet  HWaddr 00:24:1d:21:37:6e 
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0


Let's consider what happens to a packet the kernel wants to send to the 192.168.0.0/24 subnet.
It tries the routing rules from the top of your routing table down until it gets a match. So anything sent to 192.168.0.0/24 is sent via br0.
No traffic ever goes out of eth1.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.