Hi all,
I’m having further difficulties with my KVM guest and networking. This is getting rather frustrating! I’ve spent a number of hours on it today with no success, so I’m hoping someone will lend a hand.
In this case I am trying to set up an Apache web server in the guest, which is working fine. I say this because the host can load the welcome page correctly. However, I cannot get to it from outside the host. I can get to Apache running on the host from outside, but not the guest.
Looking into it further, I don’t see any traffic coming in to the guest on port 80 with tcpdump. This led me to believe again that the routing is not working correctly. I reviewed the setup in iptables, and it looks fine to me.
I even tried numerous times to set up some more specific routing, in order to do things like redirect the traffic to port 8080 etc. but I cannot see the traffic in the guest, and cannot get a page from the web server.
I’m not really sure what to do at this point, because things appear to be set up correctly to me and I cannot find any errors logged. With that said, I’m not familiar with libvirt at all, and networking is not my strong suit, so I may be missing something simple. I’ve read numerous posts online on how to set this up, but they all talk about using iptables to route the traffic, which has already been done.
Here is what libvirt sets up for iptables:
Chain INPUT (policy ACCEPT)
target prot opt source destination
LIBVIRT_INP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
LIBVIRT_FWX all -- anywhere anywhere
LIBVIRT_FWI all -- anywhere anywhere
LIBVIRT_FWO all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
LIBVIRT_OUT all -- anywhere anywhere
Chain LIBVIRT_FWI (1 references)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain LIBVIRT_FWO (1 references)
target prot opt source destination
ACCEPT all -- 192.168.122.0/24 anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain LIBVIRT_FWX (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain LIBVIRT_INP (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
Chain LIBVIRT_OUT (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
ACCEPT tcp -- anywhere anywhere tcp dpt:bootpc
Here is the nat table from libvirt:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
LIBVIRT_PRT all -- anywhere anywhere
Chain LIBVIRT_PRT (1 references)
target prot opt source destination
RETURN all -- 192.168.122.0/24 base-address.mcast.net/24
RETURN all -- 192.168.122.0/24 255.255.255.255
MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 0-65535
MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 0-65535
MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24
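An added example, not part of the original post: a Python check over excerpts of the two listings above that reports whether any DNAT rule is reachable from nat PREROUTING and whether any FORWARD rule accepts new connections toward 192.168.122.0/24. The function names are this example's own.

```python
import re

# Excerpts of the two `iptables -L` listings from the post (not every chain).
FILTER = """\
Chain FORWARD (policy ACCEPT)
target prot opt source destination
LIBVIRT_FWI all -- anywhere anywhere
Chain LIBVIRT_FWI (1 references)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
"""
NAT = """\
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
"""

def parse(listing):
    """Map chain name -> [(target, source, destination, extra), ...]."""
    chains, rules = {}, None
    for line in listing.splitlines():
        head = re.match(r"Chain (\S+) \(", line)
        if head:
            rules = chains.setdefault(head.group(1), [])
        elif rules is not None and line.strip() and not line.startswith("target"):
            f = line.split(None, 5)
            rules.append((f[0], f[3], f[4], f[5] if len(f) > 5 else ""))
    return chains

def reachable(chains, start):
    """Rules of `start`, descending into user chains it jumps to."""
    for rule in chains.get(start, []):
        yield rule
        if rule[0] in chains:
            yield from reachable(chains, rule[0])

def dnat_rules(nat_listing):
    return [r for r in reachable(parse(nat_listing), "PREROUTING") if r[0] == "DNAT"]

def new_inbound_accepts(filter_listing, subnet):
    """ACCEPT rules with `subnet` as destination that also match NEW flows."""
    def allows_new(extra):
        states = re.search(r"ctstate (\S+)", extra)
        return not states or "NEW" in states.group(1).split(",")
    return [r for r in reachable(parse(filter_listing), "FORWARD")
            if r[0] == "ACCEPT" and r[2] == subnet and allows_new(r[3])]

if __name__ == "__main__":
    print("DNAT rules:", dnat_rules(NAT))
    print("NEW accepted:", new_inbound_accepts(FILTER, "192.168.122.0/24"))
```

Plain `iptables -L` output omits interface matches (`-v` shows them), so the check only judges rules that name the guest subnet as destination.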