I have a KVM host on 192.168.0.4 with a bridged network adapter for one guest running on 192.168.0.9 which has been connectable to/from the entire 192.168.0.0/24 network for weeks.
Now I've had to restart the host, and the guest vm restarted too but is no longer connectable to/from anywhere on the network except for the host machine.
I can connect to it from the host machine (ssh username@192.168.0.9), and from the guest I can connect back to the host on IP 192.168.0.4, but nothing else is connectable.
I feel like there's some service missing I needed to restart after the host reboot to tell the network adapter to bridge connections outside. Or maybe that the docker network interfaces didn't initialize the firewall properly after reboot. But I don't know; what should I do?
Thanks.
Output from the KVM host:
brctl show
bridge name     bridge id               STP enabled     interfaces
br-238782ed063f 8000.0242e81a340a       no
br0             8000.7085c2060a8a       no              enp5s0
                                                        vnet0
docker0         8000.02427d14b9fa       no
virbr0          8000.52540044738a       yes             virbr0-nic
ifconfig -a
br0       Link encap:Ethernet  HWaddr 70:85:c2:06:0a:8a
          inet addr:192.168.0.4  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::7285:c2ff:fe06:a8a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1527437 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1997661 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:151534896 (151.5 MB)  TX bytes:1283893295 (1.2 GB)

br-238782ed063f Link encap:Ethernet  HWaddr 02:42:e8:1a:34:0a
          inet addr:172.18.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

docker0   Link encap:Ethernet  HWaddr 02:42:7d:14:b9:fa
          inet addr:172.17.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

enp5s0    Link encap:Ethernet  HWaddr 70:85:c2:06:0a:8a
          inet6 addr: fe80::7285:c2ff:fe06:a8a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1530168 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2147775 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:173382480 (173.3 MB)  TX bytes:1293304788 (1.2 GB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:276 errors:0 dropped:0 overruns:0 frame:0
          TX packets:276 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:18224 (18.2 KB)  TX bytes:18224 (18.2 KB)

virbr0    Link encap:Ethernet  HWaddr 52:54:00:44:73:8a
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

virbr0-nic Link encap:Ethernet  HWaddr 52:54:00:44:73:8a
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

vnet0     Link encap:Ethernet  HWaddr fe:54:00:5b:f5:99
          inet6 addr: fe80::fc54:ff:fe5b:f599/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15558 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20507 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1212123 (1.2 MB)  TX bytes:1272954 (1.2 MB)
iptables -L -v -n
Chain INPUT (policy ACCEPT 1448K packets, 144M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain FORWARD (policy DROP 30647 packets, 7648K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
32553 8091K DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
32553 8091K DOCKER-ISOLATION  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0 0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0 0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 !docker0 0.0.0.0/0          0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0 0.0.0.0/0           0.0.0.0/0
    0     0 ACCEPT     all  --  *      br-238782ed063f 0.0.0.0/0    0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-238782ed063f 0.0.0.0/0    0.0.0.0/0
    0     0 ACCEPT     all  --  br-238782ed063f !br-238782ed063f 0.0.0.0/0  0.0.0.0/0
    0     0 ACCEPT     all  --  br-238782ed063f br-238782ed063f 0.0.0.0/0   0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1919K packets, 1241M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER-ISOLATION (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  br-238782ed063f docker0 0.0.0.0/0   0.0.0.0/0
    0     0 DROP       all  --  docker0 br-238782ed063f 0.0.0.0/0   0.0.0.0/0
32553 8091K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
32553 8091K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Best Answer
The problem is in iptables. The FORWARD table doesn't allow any traffic via the br0 interface and has a DROP default rule. To resolve the problem you need to clear all rules in the FORWARD table and assign a default ACCEPT policy to it:
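As an added example (not code from the question or the answer above), the script below reproduces the diagnosis from the question's iptables output and prints a narrower fix than clearing FORWARD. It reads rules in the form iptables -S prints them, assumes the bridge is named br0 as on the page, and uses the DOCKER-USER chain that appears in the question's output. The sample ruleset embedded in the script is constructed (and abridged) from that output.

```shell
#!/bin/sh
# Diagnose a bridged KVM guest that lost LAN connectivity because Docker
# left the iptables FORWARD chain with a DROP policy, and print a targeted
# fix. Added example, not code from the original question or answer. It
# assumes the host bridge is br0 (as on the page) and reads rules in the
# `iptables -S` format.

BRIDGE="${BRIDGE:-br0}"

# Constructed, abridged sample of `iptables -S`, mirroring the page's
# `iptables -L -v -n` output: FORWARD policy DROP, libvirt's virbr0 rules,
# Docker's chains, and no rule at all that mentions br0.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-N DOCKER-USER
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
-A DOCKER-USER -j RETURN'

# forward_policy RULES: print the FORWARD chain's default policy.
forward_policy() {
    printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "FORWARD" { print $3; exit }'
}

# bridge_accept_rule_count RULES BRIDGE: count ACCEPT rules in FORWARD or
# DOCKER-USER whose input and output interface are both BRIDGE. With
# br_netfilter loaded, a frame bridged from enp5s0 to vnet0 traverses
# FORWARD with -i br0 -o br0, so that is the match such a rule needs.
bridge_accept_rule_count() {
    printf '%s\n' "$1" | awk -v br="$2" '
        $1 == "-A" && ($2 == "FORWARD" || $2 == "DOCKER-USER") && $0 ~ / -j ACCEPT/ {
            in_ok = 0; out_ok = 0
            for (i = 3; i <= NF; i++) {
                if ($(i-1) == "!") continue        # skip negated matches
                if ($i == "-i" && $(i+1) == br) in_ok = 1
                if ($i == "-o" && $(i+1) == br) out_ok = 1
            }
            if (in_ok && out_ok) n++
        }
        END { print n + 0 }'
}

# bridge_blocked RULES BRIDGE: true (exit 0) when bridged traffic falls
# through to a DROP policy with no ACCEPT rule matching it.
bridge_blocked() {
    [ "$(forward_policy "$1")" = "DROP" ] &&
        [ "$(bridge_accept_rule_count "$1" "$2")" -eq 0 ]
}

# remediation_commands BRIDGE: print the narrow fix. Rather than flushing
# FORWARD and setting its policy to ACCEPT (which also discards Docker's
# container-isolation rules), insert one ACCEPT for frames bridged through
# BRIDGE into DOCKER-USER, the chain Docker provides for operator rules
# that are evaluated before its own.
remediation_commands() {
    printf 'iptables -I DOCKER-USER -i %s -o %s -j ACCEPT\n' "$1" "$1"
}

main() {
    if [ "${1:-}" = "--live" ]; then
        rules="$(iptables -S)"          # needs root
    else
        rules="$SAMPLE_RULES"           # offline run against the constructed sample
    fi
    if bridge_blocked "$rules" "$BRIDGE"; then
        echo "FORWARD policy is $(forward_policy "$rules") and no rule accepts -i $BRIDGE -o $BRIDGE"
        echo "Suggested fix:"
        remediation_commands "$BRIDGE"
    else
        echo "Bridged traffic through $BRIDGE is not blocked by iptables"
    fi
}

main "$@"
```

Run it with no arguments to see the diagnosis against the embedded sample, or with --live as root to read the host's real ruleset. A rule inserted this way is lost on the next host reboot unless the ruleset is saved (on Debian/Ubuntu, for example, with the iptables-persistent package), which is the same reboot trap the question describes. The other common approach is to keep iptables out of bridged frames altogether by setting net.bridge.bridge-nf-call-iptables=0 (a sysctl exposed by the br_netfilter module); the trade-off is that iptables then no longer sees any bridged traffic, on br0 or on Docker's bridges.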