(KVM on Centos 7) Cannot ping to Guest or vice versa with single NIC Host

Tags: centos7, kvm-virtualization, libvirt

I have a single-NIC host on CentOS 7 on which I want to run virtualization using KVM/QEMU.

HOST

The Host IP is

192.168.1.110 

and the interface is enp0s31f6

I have deleted the "default" NAT configuration from libvirt.

Then I created 2 interfaces from virt-manager, which are:

virsh net-list

 Name                 State      Autostart     Persistent
----------------------------------------------------------
 ext                  active     yes           yes
 int                  active     yes           yes

virsh net-dumpxml ext

<network connections='1'>
  <name>ext</name>
  <uuid>99ea2f5d-8557-4141-9e90-0ac0619a6261</uuid>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr2' stp='on' delay='0'/>
  <mac address='52:54:00:41:32:d9'/>
  <domain name='ext'/>
  <ip address='172.16.2.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='172.16.2.128' end='172.16.2.254'/>
    </dhcp>
  </ip>
</network>

virsh net-dumpxml int

<network connections='2'>
  <name>int</name>
  <uuid>bcc129a2-0d06-4a44-903b-60181f7cbb48</uuid>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr3' stp='on' delay='0'/>
  <mac address='52:54:00:ef:7a:ee'/>
  <domain name='int'/>
  <ip address='10.1.1.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='10.1.1.128' end='10.1.1.254'/>
    </dhcp>
  </ip>
</network>

route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 enp0s31f6
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 virbr3
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 enp0s31f6
172.16.2.0      0.0.0.0         255.255.255.0   U     0      0        0 virbr2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 enp0s31f6

iptables -t nat -vnL

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       10.1.1.0/24          224.0.0.0/24        
    0     0 RETURN     all  --  *      *       10.1.1.0/24          255.255.255.255     
    0     0 MASQUERADE  tcp  --  *      *       10.1.1.0/24         !10.1.1.0/24          masq ports: 1024-65535
    0     0 MASQUERADE  udp  --  *      *       10.1.1.0/24         !10.1.1.0/24          masq ports: 1024-65535
    0     0 MASQUERADE  all  --  *      *       10.1.1.0/24         !10.1.1.0/24         
    0     0 RETURN     all  --  *      *       172.16.2.0/24        224.0.0.0/24        
    0     0 RETURN     all  --  *      *       172.16.2.0/24        255.255.255.255     
    0     0 MASQUERADE  tcp  --  *      *       172.16.2.0/24       !172.16.2.0/24        masq ports: 1024-65535
    0     0 MASQUERADE  udp  --  *      *       172.16.2.0/24       !172.16.2.0/24        masq ports: 1024-65535
    0     0 MASQUERADE  all  --  *      *       172.16.2.0/24       !172.16.2.0/24       
    0     0 RETURN     all  --  *      *       172.16.2.0/24        224.0.0.0/24        
    0     0 RETURN     all  --  *      *       172.16.2.0/24        255.255.255.255     
    0     0 MASQUERADE  tcp  --  *      *       172.16.2.0/24       !172.16.2.0/24        masq ports: 1024-65535
    0     0 MASQUERADE  udp  --  *      *       172.16.2.0/24       !172.16.2.0/24        masq ports: 1024-65535
    0     0 MASQUERADE  all  --  *      *       172.16.2.0/24       !172.16.2.0/24       
    0     0 RETURN     all  --  *      *       10.1.1.0/24          224.0.0.0/24        
    0     0 RETURN     all  --  *      *       10.1.1.0/24          255.255.255.255     
    0     0 MASQUERADE  tcp  --  *      *       10.1.1.0/24         !10.1.1.0/24          masq ports: 1024-65535
    0     0 MASQUERADE  udp  --  *      *       10.1.1.0/24         !10.1.1.0/24          masq ports: 1024-65535
    0     0 MASQUERADE  all  --  *      *       10.1.1.0/24         !10.1.1.0/24         
    0     0 MASQUERADE  all  --  *      enp0s31f6  0.0.0.0/0            0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      enp0s31f6  10.1.1.0/24          0.0.0.0/0           

iptables -vnL

Chain INPUT (policy ACCEPT 83 packets, 8441 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  virbr3 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr3 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr3 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr3 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
    0     0 ACCEPT     udp  --  virbr2 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr2 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr2 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr2 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
    0     0 ACCEPT     udp  --  virbr2 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr2 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr2 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr2 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
    0     0 ACCEPT     udp  --  virbr3 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr3 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr3 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr3 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
   41  5578 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      virbr3  0.0.0.0/0            10.1.1.0/24          ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr3 *       10.1.1.0/24          0.0.0.0/0           
    0     0 ACCEPT     all  --  virbr3 virbr3  0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      virbr3  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr3 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      virbr2  0.0.0.0/0            172.16.2.0/24        ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr2 *       172.16.2.0/24        0.0.0.0/0           
    0     0 ACCEPT     all  --  virbr2 virbr2  0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      virbr2  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr2 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      virbr2  0.0.0.0/0            172.16.2.0/24        ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr2 *       172.16.2.0/24        0.0.0.0/0           
    0     0 ACCEPT     all  --  virbr2 virbr2  0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      virbr2  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr2 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      virbr3  0.0.0.0/0            10.1.1.0/24          ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr3 *       10.1.1.0/24          0.0.0.0/0           
    0     0 ACCEPT     all  --  virbr3 virbr3  0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      virbr3  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr3 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-is-bridged
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 ACCEPT     all  --  enp0s31f6 *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      enp0s31f6  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 36 packets, 4389 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      virbr3  0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT     udp  --  *      virbr2  0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT     udp  --  *      virbr2  0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT     udp  --  *      virbr3  0.0.0.0/0            0.0.0.0/0            udp dpt:68
   10   664 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0

GUEST

On the guest side, I have 2 VMs: vm1 is attached to both the int and ext interfaces, vm2 is attached to the int interface.

vm1

eth0 10.1.1.12/24
eth1 172.16.2.12/24 (I left the DNS column blank)

vm2

eth0 10.1.1.13/24

and I am using NetworkManager to manage the network.

The problem is:

  1. vm2 won't connect to the outside world or ping the other guest (vm1), even if I let DHCP assign the address. However, if I attach vm2 to the 'ext' interface and let DHCP assign the IP, it can connect and ping the outside world. (This also happens with vm1.)

  2. When I assign static IPs to vm1 and vm2, the connection stops.

  3. I have added interface=int and also tried interface=virbr0 in /etc/dnsmasq.conf, but still nothing happens.

Basically, my intention is that both ext and int can connect to the Internet; the separation is for function only.

Any help is appreciated.

Best Answer

The INPUT and OUTPUT tables are used for local processes on the host server. Virtual machines are not local processes.

In the FORWARD table, move the following line to the end of the table:

REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

The OUTPUT table has many duplications, and both its rules and its default permission allow everything.
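As an added worked example (this is not code from the question or the answer above): a small shell helper that takes the text of `iptables -S FORWARD`, locates the catch-all `-j REJECT --reject-with icmp-host-prohibited` rule (the one with no interface or address qualifiers, so it matches every forwarded packet) and prints the `iptables -D` / `iptables -A` pair that moves it to the end of the chain, so that the libvirt per-bridge ACCEPT rules above it get to match first. The chain text embedded below is a constructed sample modelled on the FORWARD chain in the question, not a live dump; on a real host you would feed the function the output of `iptables -S FORWARD` and pipe the printed commands to `sh` once you have read them.

```shell
#!/bin/sh
# Added example: reorder the catch-all REJECT in the FORWARD chain so it comes
# after libvirt's per-bridge rules. Works on the text of `iptables -S FORWARD`,
# so it can be dry-run on any machine; pipe its output to `sh` to apply.
set -eu

# Constructed sample, modelled on the FORWARD chain shown in the question.
SAMPLE_FORWARD='-P FORWARD ACCEPT
-A FORWARD -d 10.1.1.0/24 -o virbr3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.1.1.0/24 -i virbr3 -j ACCEPT
-A FORWARD -i virbr3 -o virbr3 -j ACCEPT
-A FORWARD -o virbr3 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr3 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i enp0s31f6 -j ACCEPT
-A FORWARD -o enp0s31f6 -j ACCEPT'

# Print the 1-based rule number of the first catch-all REJECT in the chain text.
# "Catch-all" here means the rule starts with -j REJECT, i.e. it carries no
# -i/-o/-s/-d/-m match and therefore rejects every packet that reaches it.
catchall_reject_index() {
  printf '%s\n' "$1" | awk '
    /^-A FORWARD / { n++ }
    /^-A FORWARD -j REJECT/ { print n; exit }
  '
}

# Emit the iptables commands that delete that rule by number and re-append it,
# which puts it behind every rule currently in the chain.
move_reject_to_end() {
  idx=$(catchall_reject_index "$1")
  [ -n "$idx" ] || { echo "no catch-all REJECT found in FORWARD" >&2; return 1; }
  rule=$(printf '%s\n' "$1" | awk -v want="$idx" '
    /^-A FORWARD / { n++; if (n == want) { sub(/^-A FORWARD /, ""); print; exit } }
  ')
  printf 'iptables -D FORWARD %s\n' "$idx"
  printf 'iptables -A FORWARD %s\n' "$rule"
}

# Return the chain text as it would look after the move, for a dry-run check
# before touching the live ruleset.
reordered_chain() {
  idx=$(catchall_reject_index "$1")
  printf '%s\n' "$1" | awk -v skip="$idx" '
    /^-A FORWARD / { n++; if (n == skip) { held = $0; next } }
    { print }
    END { if (held != "") print held }
  '
}

# Dry run against the constructed sample: prints the two commands to apply.
move_reject_to_end "$SAMPLE_FORWARD"
```

Three things to check before and after applying the move. First, that REJECT is normally the host firewall's own default forwarding rule (CentOS 7's firewalld and the iptables-services template both end FORWARD with `-j REJECT --reject-with icmp-host-prohibited`), so a change made with bare `iptables` commands is lost on the next firewall reload; make it in firewalld or /etc/sysconfig/iptables as well. Second, libvirt inserts its rules at the head of the chain every time a network starts, which is consistent with each bridge's rules appearing twice in the listing in the question, so their relative order to the REJECT is not stable unless the REJECT is last. Third, in the listing above the two blanket `ACCEPT all -- enp0s31f6 *` and `ACCEPT all -- * enp0s31f6` rules sit below the REJECT and are currently unreachable; once the REJECT moves to the end they become live and will forward anything between the physical NIC and the bridges, so tighten or drop them if that is not what you intend.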
