Ubuntu – apt-get update cannot connect

Tags: apt, iptables, kvm-virtualization, libvirt, Ubuntu

I run a dedicated Ubuntu 10.04 server.

I use kvm/libvirt/virsh to run a virtual machine that's also Ubuntu 10.04.

I bridged the network (1 of 2 IPs is routed via NAT to the LAN, where my VM (192.168.1.111) picks it up).

I can locally connect to the VM via ssh. From the VM I can ping any site outside my network.

I routed port 80 (and others) through using iptables, and I can connect from the outside to my apache on the VM.

Yet, apt is not working at all, which kills me because I can't install anything…

$ apt-get update

leads to a series of errors like this:

W: Failed to fetch http://de.archive.ubuntu.com/ubuntu/dists/lucid-backports/multiverse/binary-amd64/Packages.gz  Unable to connect to de.archive.ubuntu.com:http: [IP: 141.30.13.30 80]

I can ping the domain and IP from the terminal without a problem.

I can resolveip the domain without a problem.

I tried all /etc/apt/sources.list variations I found on the net: the one working from my dedicated machine, the default list, several hand-compiled lists. The result is always the same: unable to connect.

I think it is some kind of a routing problem, but I am really puzzled, because I seem to have full network access from the VM. As the packages are not installed I can't wget or ftp from the VM terminal (and I can't compile them as no gcc is installed – I wanted to do all that using apt 😉 ). Oh, aptitude is the same of course…

HELP!

P.S. here are my iptables settings:

iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 86 packets, 14254 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere            tcp dpt:https to:192.168.1.111:443
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere            tcp dpt:ftp to:192.168.1.111:21
   13   780 DNAT       tcp  --  any    any     anywhere             anywhere            tcp dpt:www to:192.168.1.111:80

Chain POSTROUTING (policy ACCEPT 31 packets, 2236 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  tcp  --  any    any     192.168.1.0/24      !192.168.1.0/24      masq ports: 1024-65535
    1    76 MASQUERADE  udp  --  any    any     192.168.1.0/24      !192.168.1.0/24      masq ports: 1024-65535
    1    84 MASQUERADE  all  --  any    any     192.168.1.0/24      !192.168.1.0/24

iptables -L -v
Chain INPUT (policy ACCEPT 1699 packets, 354K bytes)
 pkts bytes target     prot opt in     out     source               destination
   18  1179 ACCEPT     udp  --  virbr0 any     anywhere             anywhere            udp dpt:domain
    0     0 ACCEPT     tcp  --  virbr0 any     anywhere             anywhere            tcp dpt:domain
    2   656 ACCEPT     udp  --  virbr0 any     anywhere             anywhere            udp dpt:bootps
    0     0 ACCEPT     tcp  --  virbr0 any     anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2448 3146K ACCEPT     all  --  any    any     anywhere             192.168.1.0/24      state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  any    virbr0  anywhere             192.168.1.0/24      state RELATED,ESTABLISHED
 1448 79657 ACCEPT     all  --  virbr0 any     192.168.1.0/24       anywhere
    0     0 ACCEPT     all  --  virbr0 virbr0  anywhere             anywhere
    0     0 REJECT     all  --  any    virbr0  anywhere             anywhere            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 any     anywhere             anywhere            reject-with icmp-port-unreachable

@g-bach

Okay, below are the filter rules (iptables -L -v -t filter).

About the architecture: host with 2 IPs mapped to eth0 and eth1.
eth1 is bridged for libvirt and should route/masq to different VMs (usually we have no overlapping ports open for the VMs – at least not below 1024).

After playing around a bit more I can specify the problem a bit better:

It's the firewall (iptables) rules. I obviously don't get how to set up iptables (never did that before).
When I played around with them wildly, I got different things to work, others not (connections to Ubuntu servers worked, no incoming connections worked anymore, etc.).

Hence, you were right and the bridge etc. is okay. About the pinging and connecting from the VM to the outside: it's not working with wget and ssh/telnet. There is an initial connection, but then no data is sent (I routed 20, 21 and 22 through). Also, e.g., I can install apache and wordpress in the VM and connect to it from the outside, but then wordpress can't establish an ftp connection to fetch updates etc.

iptables -L -v -t filter

Chain INPUT (policy ACCEPT 19574 packets, 7015K bytes)
 pkts bytes target     prot opt in     out     source               destination
   27  1757 ACCEPT     udp  --  virbr0 any     anywhere             anywhere            udp dpt:domain
    0     0 ACCEPT     tcp  --  virbr0 any     anywhere             anywhere            tcp dpt:domain
   43 14104 ACCEPT     udp  --  virbr0 any     anywhere             anywhere            udp dpt:bootps
    0     0 ACCEPT     tcp  --  virbr0 any     anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1850  119K ACCEPT     all  --  any    any     anywhere             192.168.1.0/24      state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  any    virbr0  anywhere             192.168.1.0/24      state RELATED,ESTABLISHED
 1538  308K ACCEPT     all  --  virbr0 any     192.168.1.0/24       anywhere
    0     0 ACCEPT     all  --  virbr0 virbr0  anywhere             anywhere
    0     0 REJECT     all  --  any    virbr0  anywhere             anywhere            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 any     anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 5787 packets, 635K bytes)
 pkts bytes target     prot opt in     out     source               destination

thanks for your efforts!

Best Answer

Since you can ping sites from the VM, routing can't be the problem - at least I don't see how it could. Could you maybe post the iptables for the filter-table? Maybe there's a problem with forwarding outgoing new connections over specific ports.

Just to make sure I understood correctly what topology you are using: you have a physical Ubuntu 10.04 server with two IPs, and on that server you run a VM which has one interface that is bridged to one of the interfaces of the server? I think I got something wrong here, it doesn't quite match up with your description...

On another note, is it intentional INPUT and OUTPUT have their policies set to ACCEPT and additionally a bunch of rules that also jump to ACCEPT? I don't see how that could affect your problem, I'm just curious :P
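The answer's last point (chains with policy ACCEPT plus a pile of ACCEPT rules) and the asker's difficulty reading the counters both come down to interpreting an `iptables -L -v` dump. Below is an added example, written for this page and not code from either poster, that parses such a dump and reports three things a reviewer would check: chains whose default policy is ACCEPT with no catch-all DROP/REJECT (unmatched traffic is allowed), ACCEPT rules that no later DROP/REJECT could ever override (they only add a counter), and rules whose packet counter is still zero (never matched, useful when debugging which path traffic actually takes). The sample input is the filter-table dump pasted in the question; the parser assumes the standard `iptables -L -v` layout (nine fixed columns followed by match text) and that counters use iptables' decimal K/M/G suffixes.

```python
"""Audit an `iptables -L -v` filter-table dump: default-accept chains,
ACCEPT rules that nothing could override, and rules with zero hits."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed input: the INPUT/FORWARD/OUTPUT chains as pasted in the question
# (the nat table is not part of this example).
SAMPLE = """\
Chain INPUT (policy ACCEPT 1699 packets, 354K bytes)
 pkts bytes target     prot opt in     out     source               destination
   18  1179 ACCEPT     udp  --  virbr0 any     anywhere             anywhere            udp dpt:domain
    0     0 ACCEPT     tcp  --  virbr0 any     anywhere             anywhere            tcp dpt:domain
    2   656 ACCEPT     udp  --  virbr0 any     anywhere             anywhere            udp dpt:bootps
    0     0 ACCEPT     tcp  --  virbr0 any     anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2448 3146K ACCEPT     all  --  any    any     anywhere             192.168.1.0/24      state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  any    virbr0  anywhere             192.168.1.0/24      state RELATED,ESTABLISHED
 1448 79657 ACCEPT     all  --  virbr0 any     192.168.1.0/24       anywhere
    0     0 ACCEPT     all  --  virbr0 virbr0  anywhere             anywhere
    0     0 REJECT     all  --  any    virbr0  anywhere             anywhere            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 any     anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 5787 packets, 635K bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

# iptables abbreviates counters with decimal (1000-based) K/M/G suffixes.
_SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}

def parse_count(tok: str) -> int:
    m = re.fullmatch(r"(\d+)([KMG]?)", tok)
    if not m:
        raise ValueError(f"bad counter: {tok!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]

@dataclass
class Rule:
    pkts: int
    bytes: int
    target: str
    prot: str
    opt: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str  # match text after the fixed columns, e.g. "tcp dpt:domain"

@dataclass
class Chain:
    name: str
    policy: Optional[str]  # None for user-defined chains ("N references")
    rules: List[Rule] = field(default_factory=list)

_CHAIN_RE = re.compile(
    r"^Chain (\S+) \((?:policy (\S+) \S+ packets, \S+ bytes|\d+ references)\)$")

def parse_dump(text: str) -> List[Chain]:
    chains: List[Chain] = []
    current: Optional[Chain] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains.append(current)
            continue
        f = line.split()
        if f[0] == "pkts":  # column header line
            continue
        if current is None or len(f) < 9:
            raise ValueError(f"unexpected line: {line!r}")
        current.rules.append(
            Rule(parse_count(f[0]), parse_count(f[1]), *f[2:9], " ".join(f[9:])))
    return chains

_TERMINAL = {"DROP", "REJECT"}

def _is_catch_all(r: Rule) -> bool:
    """A DROP/REJECT that matches everything (only a reject-with option allowed)."""
    opts = r.extra.split()
    return (r.target in _TERMINAL and r.prot == "all" and r.in_if == "any"
            and r.out_if == "any" and r.src == "anywhere" and r.dst == "anywhere"
            and (not opts or opts[0] == "reject-with"))

def audit(chains: List[Chain]) -> List[Tuple[str, str, str]]:
    """Return (chain, kind, detail) findings."""
    findings = []
    for ch in chains:
        if ch.policy == "ACCEPT" and not any(_is_catch_all(r) for r in ch.rules):
            findings.append((ch.name, "default-accept",
                             "policy ACCEPT and no catch-all DROP/REJECT: unmatched traffic is allowed"))
        for i, r in enumerate(ch.rules, start=1):
            desc = f"rule {i} ({r.target} {r.prot} in={r.in_if} out={r.out_if} {r.extra})"
            later_block = any(x.target in _TERMINAL for x in ch.rules[i:])
            if ch.policy == "ACCEPT" and r.target == "ACCEPT" and not later_block:
                findings.append((ch.name, "redundant-accept", desc + " only adds a counter"))
            if r.pkts == 0:
                findings.append((ch.name, "zero-hits", desc + " never matched"))
    return findings

if __name__ == "__main__":
    for chain, kind, detail in audit(parse_dump(SAMPLE)):
        print(f"{chain:8} {kind:17} {detail}")
```

On the pasted dump this flags all three built-in chains as default-accept (the FORWARD REJECTs are interface-specific, so anything forwarded between eth0 and eth1 falls through to the ACCEPT policy), marks the four INPUT ACCEPT rules as counter-only, and lists the FORWARD rules that have never matched. To run it against a live host, replace `SAMPLE` with the output of `iptables -L -v -t filter` read from stdin.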