KVM Guest cannot ping past host or access internet

Posted: 2014/11/26 13:53:05
by suityou01
I have been looking at this problem for over 6 weeks now off and on and have to now ask for help.

I have a CentOS 7 host, and I have installed KVM and am trying to install some Windows guests. My problem is that the guests cannot access the internet.
They can, however, resolve DNS queries. So, for example, using a Wireshark trace I can see the DNS query go out and come back with the response, but then the ACK to set up the ICMP gets refused with "Destination Port Unreachable".

Some config for your perusal:

EM2 - Ethernet card

DEVICE=em2
ONBOOT=yes
BRIDGE=br0
BR0

DEVICE=br0
ONBOOT=yes
TYPE=Bridge
BOOTPROTO=none
IPADDR=192.168.0.5
GATEWAY=192.168.0.1
DNS1=192.168.0.5
STP=off
DELAY=0
NM_CONTROLLED=no
VIRBR0

<network>
  <name>default</name>
  <uuid>cbf0e189-3a08-49a6-8f4e-c5017e3c4b64</uuid>
  <forward dev='em2' mode='nat'>
    <interface dev='em2'/>
  </forward>
  <bridge name='virbr0' stp='on' delay='0' />
  <mac address='52:54:00:46:14:84'/>
  <domain name='default'/>
  <ip address='192.168.100.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.100.128' end='192.168.100.254' />
    </dhcp>
  </ip>
</network>
ifconfig

br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.5  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::fabc:12ff:fe48:4728  prefixlen 64  scopeid 0x20<link>
        ether f8:bc:12:48:47:28  txqueuelen 0  (Ethernet)
        RX packets 3082  bytes 1195361 (1.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1772  bytes 250628 (244.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

em2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether f8:bc:12:48:47:28  txqueuelen 1000  (Ethernet)
        RX packets 3103  bytes 1252379 (1.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1790  bytes 261011 (254.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 17  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 16886  bytes 5884772 (5.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 16886  bytes 5884772 (5.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.1  netmask 255.255.255.0  broadcast 192.168.100.255
        ether 52:54:00:46:14:84  txqueuelen 0  (Ethernet)
        RX packets 911  bytes 93303 (91.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 447  bytes 46925 (45.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::fc54:ff:feea:2a37  prefixlen 64  scopeid 0x20<link>
        ether fe:54:00:ea:2a:37  txqueuelen 500  (Ethernet)
        RX packets 911  bytes 106057 (103.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1316  bytes 92345 (90.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
iptables -L -t nat

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
PREROUTING_direct  all  --  anywhere             anywhere            
PREROUTING_ZONES_SOURCE  all  --  anywhere             anywhere            
PREROUTING_ZONES  all  --  anywhere             anywhere            

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
OUTPUT_direct  all  --  anywhere             anywhere            

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  tcp  --  192.168.100.0/24    !192.168.100.0/24     masq ports: 1024-65535
MASQUERADE  udp  --  192.168.100.0/24    !192.168.100.0/24     masq ports: 1024-65535
MASQUERADE  all  --  192.168.100.0/24    !192.168.100.0/24    
POSTROUTING_direct  all  --  anywhere             anywhere            
POSTROUTING_ZONES_SOURCE  all  --  anywhere             anywhere            
POSTROUTING_ZONES  all  --  anywhere             anywhere            

Chain OUTPUT_direct (1 references)
target     prot opt source               destination         

Chain POSTROUTING_ZONES (1 references)
target     prot opt source               destination         
POST_public  all  --  anywhere             anywhere            [goto] 
POST_public  all  --  anywhere             anywhere            [goto] 
POST_public  all  --  anywhere             anywhere            [goto] 

Chain POSTROUTING_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain POSTROUTING_direct (1 references)
target     prot opt source               destination         

Chain POST_public (3 references)
target     prot opt source               destination         
POST_public_log  all  --  anywhere             anywhere            
POST_public_deny  all  --  anywhere             anywhere            
POST_public_allow  all  --  anywhere             anywhere            

Chain POST_public_allow (1 references)
target     prot opt source               destination         

Chain POST_public_deny (1 references)
target     prot opt source               destination         

Chain POST_public_log (1 references)
target     prot opt source               destination         

Chain PREROUTING_ZONES (1 references)
target     prot opt source               destination         
PRE_public  all  --  anywhere             anywhere            [goto] 
PRE_public  all  --  anywhere             anywhere            [goto] 
PRE_public  all  --  anywhere             anywhere            [goto] 

Chain PREROUTING_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain PREROUTING_direct (1 references)
target     prot opt source               destination         

Chain PRE_public (3 references)
target     prot opt source               destination         
PRE_public_log  all  --  anywhere             anywhere            
PRE_public_deny  all  --  anywhere             anywhere            
PRE_public_allow  all  --  anywhere             anywhere            

Chain PRE_public_allow (1 references)
target     prot opt source               destination         

Chain PRE_public_deny (1 references)
target     prot opt source               destination         

Chain PRE_public_log (1 references)
target     prot opt source               destination

Wireshark trace:

domain 0.000000000 192.168.100.189 192.168.100.1 DNS 70 Standard query 0x6eb0 A google.com
51044 0.022351000 192.168.100.1 192.168.100.189 DNS 246 Standard query response 0x6eb0 A 74.125.230.96 A 74.125.230.99 A 74.125.230.110 A 74.125.230.103 A 74.125.230.97 A 74.125.230.105 A 74.125.230.100 A 74.125.230.98 A 74.125.230.104 A 74.125.230.102 A 74.125.230.101
0.027297000 192.168.100.189 74.125.230.96 ICMP 74 Echo (ping) request id=0x0001, seq=14/3584, ttl=128
0.027341000 192.168.100.1 192.168.100.189 ICMP 102 Destination unreachable (Port unreachable)

So the virtual bridge is returning destination unreachable.

sysctl net.ipv4.ip_forward

net.ipv4.ip_forward = 1
So IP forwarding is configured.

Really not sure how to dig any deeper to find out where the problem lies. Can you guys help?

Re: KVM Guest cannot ping past host or access internet

Posted: 2014/11/26 14:06:41
by suityou01
Also, I found this:

iptables -L FORWARD -v

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  em2    virbr0  anywhere             192.168.100.0/24     ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 em2     192.168.100.0/24     anywhere            
    0     0 ACCEPT     all  --  virbr0 virbr0  anywhere             anywhere            
    0     0 REJECT     all  --  any    virbr0  anywhere             anywhere             reject-with icmp-port-unreachable
  276 14364 REJECT     all  --  virbr0 any     anywhere             anywhere             reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
    0     0 FORWARD_direct  all  --  any    any     anywhere             anywhere            
    0     0 FORWARD_IN_ZONES_SOURCE  all  --  any    any     anywhere             anywhere            
    0     0 FORWARD_IN_ZONES  all  --  any    any     anywhere             anywhere            
    0     0 FORWARD_OUT_ZONES_SOURCE  all  --  any    any     anywhere             anywhere            
    0     0 FORWARD_OUT_ZONES  all  --  any    any     anywhere             anywhere            
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited
So it's clearly a firewall rule blocking this, but libvirt puts the rules there in the first place, as I understand it. The question is how to configure libvirt so it doesn't add firewall rules that block internet access to the guest.
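As an added example (not code from the thread), a small Python checker that parses the `iptables -L FORWARD -v` listing above and walks the chain the way the kernel does for the guest's echo request: it enters on virbr0, but because em2 is only a port of br0 and the host's GATEWAY sits on br0, it leaves on br0, so the em2-scoped libvirt ACCEPT never matches and the `virbr0 -> any` REJECT (the one with 276 packets) answers with port-unreachable. Interface names and the traced addresses are taken from the posts; the counter check at the end is the same clue the second post highlights.

```python
import ipaddress
import re

# `iptables -L FORWARD -v` output copied from the post above: the libvirt
# rules plus the first firewalld rule (BBCode markup removed).
FORWARD_LISTING = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  em2    virbr0  anywhere             192.168.100.0/24     ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 em2     192.168.100.0/24     anywhere
    0     0 ACCEPT     all  --  virbr0 virbr0  anywhere             anywhere
    0     0 REJECT     all  --  any    virbr0  anywhere             anywhere             reject-with icmp-port-unreachable
  276 14364 REJECT     all  --  virbr0 any     anywhere             anywhere             reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
"""
# columns: pkts bytes target prot opt in out source destination [match options]
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_rules(listing):
    """Parse the -v listing into dicts; the two header lines do not match the regex."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m:
            pkts, _, target, _, iin, iout, src, dst, extra = m.groups()
            rules.append({"pkts": int(pkts), "target": target, "in": iin, "out": iout,
                          "src": src, "dst": dst, "extra": extra.strip()})
    return rules

def addr_matches(addr, spec):
    """'anywhere' is a wildcard; otherwise spec is a host or a CIDR network."""
    return spec == "anywhere" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def first_match(rules, iin, iout, src, dst):
    """First rule matching on interfaces and addresses, top to bottom like iptables.
    ctstate is ignored: the guest's first echo request is NEW, so those rules cannot match it."""
    for r in rules:
        if (r["in"] in ("any", iin) and r["out"] in ("any", iout)
                and addr_matches(src, r["src"]) and addr_matches(dst, r["dst"])):
            return r
    return None

def hot_rejects(rules):
    """REJECT rules with non-zero counters: the ones actually dropping traffic."""
    return [r for r in rules if r["target"] == "REJECT" and r["pkts"] > 0]

if __name__ == "__main__":
    rules = parse_rules(FORWARD_LISTING)
    # em2 is a br0 port with no address: the default route (GATEWAY on br0) sends the packet out br0
    for out_if in ("br0", "em2"):
        print(out_if, first_match(rules, "virbr0", out_if, "192.168.100.189", "74.125.230.96")["target"])
```

The mismatch this exposes is the `<forward dev='em2'>` line in the network XML above: libvirt writes its ACCEPT/MASQUERADE rules against that device, while the host's route sends guest traffic out via br0.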