People,
I have been installing virtual machines for a while on a Fedora 14 x86_64 system (the most recent one was F16 Alpha i686) and I have always managed to be able to test what I wanted to but ssh-ing from the host to the virtual machines has never worked (it always works the other way around). I get:
ssh: connect to host 192.168.122.139 port 22: No route to host
ifconfig shows:
virbr0 Link encap:Ethernet HWaddr FE:54:00:9F:96:2F inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
route shows:
192.168.122.0 * 255.255.255.0 U 0 0 0 virbr0
so why the error message?
Thanks,
Phil.
On Fri, Sep 23, 2011 at 12:43:12AM +1000, Philip Rhoades wrote:
People,
I have been installing virtual machines for a while on a Fedora 14 x86_64 system (the most recent one was F16 Alpha i686) and I have always managed to be able to test what I wanted to but ssh-ing from the host to the virtual machines has never worked (it always works the other way around). I get:
ssh: connect to host 192.168.122.139 port 22: No route to host
ifconfig shows:
virbr0 Link encap:Ethernet HWaddr FE:54:00:9F:96:2F inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
route shows:
192.168.122.0 * 255.255.255.0 U 0 0 0 virbr0
so why the error message?
There's not enough information here to answer the question, but I would hazard a guess that the problem is because you've overwritten libvirtd's own firewall rules. A well-known way of overwriting them is to restart the firewall after libvirtd has started.
Rich.
Rich,
On 2011-09-24 00:13, Richard W.M. Jones wrote:
On Fri, Sep 23, 2011 at 12:43:12AM +1000, Philip Rhoades wrote:
People,
I have been installing virtual machines for a while on a Fedora 14 x86_64 system (the most recent one was F16 Alpha i686) and I have always managed to be able to test what I wanted to but ssh-ing from the host to the virtual machines has never worked (it always works the other way around). I get:
ssh: connect to host 192.168.122.139 port 22: No route to host
ifconfig shows:
virbr0 Link encap:Ethernet HWaddr FE:54:00:9F:96:2F inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
route shows:
192.168.122.0 * 255.255.255.0 U 0 0 0 virbr0
so why the error message?
There's not enough information here to answer the question,
What other info is needed?
but I would hazard a guess that the problem is because you've overwritten libvirtd's own firewall rules. A well-known way of overwriting them is to restart the firewall after libvirtd has started.
I do occasionally manually restart iptables - so I rebooted just in case - I see processes:
 1656 ?        Sl     0:04 libvirtd --daemon
 1725 ?        S      0:00 /usr/sbin/dnsmasq --strict-order --bind-interfaces --pid-file=/var/run/libvirt/network/default.pid --conf-file= --listen-address 192.168.122.1 --except-interface lo --dhcp-range 192.168.122.2,192.168.122.254 --dhcp-lease-max=253
 3311 ?        Sl     0:38 /usr/bin/qemu-kvm -S -M pc-0.13 -enable-kvm -m 768 -smp 1,sockets=1,cores=1,threads=1 -name vf16_fresh -uuid a7a33c9f-19c2-10e2-b656-2a0121cbfd22 -nodefconfig -nodefaults -chardev socket,id=monitor,path=/var/lib/libvirt/qemu/vf16_fresh.monitor,server,nowait -mon chardev=monitor,mode=readline -rtc base=utc -boot c -drive file=/home/vf16_fresh.img,if=none,id=drive-ide0-0-0,boot=on,format=raw -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 -drive if=none,media=cdrom,id=drive-ide0-1-0,readonly=on,format=raw -device ide-drive,bus=ide.1,unit=0,drive=drive-ide0-1-0,id=ide0-1-0 -device rtl8139,vlan=0,id=net0,mac=52:54:00:83:c5:2a,bus=pci.0,addr=0x3 -net tap,fd=39,vlan=0,name=hostnet0 -chardev pty,id=serial0 -device isa-serial,chardev=serial0 -usb -vnc 127.0.0.1:0 -vga cirrus -device AC97,id=sound0,bus=pci.0,addr=0x4 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5
 6932 pts/23   S+     0:00 grep --color=auto libvirt
- but I still get the same error message ("No route to host") when trying to ssh TO the virtual machine . .
Thanks,
Phil.
On Sat, Sep 24, 2011 at 02:13:57AM +1000, Philip Rhoades wrote:
Rich,
On 2011-09-24 00:13, Richard W.M. Jones wrote:
On Fri, Sep 23, 2011 at 12:43:12AM +1000, Philip Rhoades wrote:
People,
I have been installing virtual machines for a while on a Fedora 14 x86_64 system (the most recent one was F16 Alpha i686) and I have always managed to be able to test what I wanted to but ssh-ing from the host to the virtual machines has never worked (it always works the other way around). I get:
ssh: connect to host 192.168.122.139 port 22: No route to host
ifconfig shows:
virbr0 Link encap:Ethernet HWaddr FE:54:00:9F:96:2F inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
route shows:
192.168.122.0 * 255.255.255.0 U 0 0 0 virbr0
so why the error message?
There's not enough information here to answer the question,
What other info is needed?
I'd want to see the *full* output from:
- ifconfig -a
- netstat -rn
- iptables -L -n
- brctl show
Plus maybe try tcpdump'ing the connection?
but I would hazard a guess that the problem is because you've overwritten libvirtd's own firewall rules. A well-known way of overwriting them is to restart the firewall after libvirtd has started.
I do occasionally manually restart iptables - so I rebooted just in case - I see processes:
[...]
The iptables output should help here because it will tell you if the libvirt rules are still there.
Rich.
Rich,
On 2011-09-24 02:23, Richard W.M. Jones wrote:
On Sat, Sep 24, 2011 at 02:13:57AM +1000, Philip Rhoades wrote:
Rich,
On 2011-09-24 00:13, Richard W.M. Jones wrote:
On Fri, Sep 23, 2011 at 12:43:12AM +1000, Philip Rhoades wrote:
People,
I have been installing virtual machines for a while on a Fedora 14 x86_64 system (the most recent one was F16 Alpha i686) and I have always managed to be able to test what I wanted to but ssh-ing from the host to the virtual machines has never worked (it always works the other way around). I get:
ssh: connect to host 192.168.122.139 port 22: No route to host
ifconfig shows:
virbr0 Link encap:Ethernet HWaddr FE:54:00:9F:96:2F inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
route shows:
192.168.122.0 * 255.255.255.0 U 0 0 0 virbr0
so why the error message?
There's not enough information here to answer the question,
What other info is needed?
I'd want to see the *full* output from:
- ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:1C:C0:FA:85:E6
          inet addr:10.1.1.10  Bcast:10.1.1.255  Mask:255.255.255.0
          inet6 addr: fe80::21c:c0ff:fefa:85e6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4184 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4297 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2345423 (2.2 MiB)  TX bytes:649997 (634.7 KiB)
          Interrupt:20 Memory:d0600000-d0620000

eth1      Link encap:Ethernet  HWaddr 00:1F:11:01:25:AE
          inet addr:192.168.0.200  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::21f:11ff:fe01:25ae/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:5749 (5.6 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:21009 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21009 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4079213 (3.8 MiB)  TX bytes:4079213 (3.8 MiB)

virbr0    Link encap:Ethernet  HWaddr FE:54:00:83:C5:2A
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:27 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:5164 (5.0 KiB)  TX bytes:5199 (5.0 KiB)

vnet0     Link encap:Ethernet  HWaddr FE:54:00:83:C5:2A
          inet6 addr: fe80::fc54:ff:fe83:c52a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:29 errors:0 dropped:0 overruns:0 frame:0
          TX packets:78 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:5722 (5.5 KiB)  TX bytes:5292 (5.1 KiB)
- netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
10.1.1.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.122.0   0.0.0.0         255.255.255.0   U         0 0          0 virbr0
0.0.0.0         10.1.1.1        0.0.0.0         UG        0 0          0 eth0
- iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67
block      all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  149.171.173.169      0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  203.166.81.114       0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  203.206.181.78       0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  180.189.137.63       0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  59.167.251.17        0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  144.136.70.171       0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  65.99.230.42         0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  203.84.234.5         0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  12.45.85.174         0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  27.33.171.236        0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  24.62.160.127        0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  10.1.1.0/24          0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  192.168.0.0/24       0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  192.168.122.0/24     0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:25 flags:0x17/0x02
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:53 flags:0x17/0x02
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:8080
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:465
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:2049
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:2401
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:3128 flags:0x17/0x02
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:5900 flags:0x17/0x02
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:5901 flags:0x17/0x02
ACCEPT     udp  --  149.171.173.169      0.0.0.0/0            udp spt:53
ACCEPT     udp  --  203.166.81.114       0.0.0.0/0            udp spt:53
ACCEPT     udp  --  203.206.181.78       0.0.0.0/0            udp dpt:53
ACCEPT     udp  --  180.189.137.63       0.0.0.0/0            udp spt:53
ACCEPT     udp  --  59.167.251.17        0.0.0.0/0            udp spt:53
ACCEPT     udp  --  58.172.176.250       0.0.0.0/0            udp spt:53
ACCEPT     udp  --  203.84.234.5         0.0.0.0/0            udp spt:53
ACCEPT     udp  --  12.45.85.174         0.0.0.0/0            udp spt:53
ACCEPT     udp  --  10.1.1.0/24          0.0.0.0/0            udp spt:53
ACCEPT     udp  --  192.168.0.0/24       0.0.0.0/0            udp spt:53
ACCEPT     udp  --  192.168.1.0/24       0.0.0.0/0            udp spt:53
ACCEPT     udp  --  192.168.122.0/24     0.0.0.0/0            udp spt:53
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            udp reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24     state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED

Chain block (1 references)
target     prot opt source               destination
REJECT     tcp  --  61.115.230.182       0.0.0.0/0            tcp reject-with icmp-port-unreachable
REJECT     udp  --  61.115.230.182       0.0.0.0/0            udp reject-with icmp-port-unreachable
REJECT     tcp  --  80.31.213.120        0.0.0.0/0            tcp reject-with icmp-port-unreachable
REJECT     udp  --  80.31.213.120        0.0.0.0/0            udp reject-with icmp-port-unreachable
REJECT     tcp  --  89.97.225.114        0.0.0.0/0            tcp reject-with icmp-port-unreachable
REJECT     udp  --  89.97.225.114        0.0.0.0/0            udp reject-with icmp-port-unreachable
REJECT     tcp  --  209.239.43.72        0.0.0.0/0            tcp reject-with icmp-port-unreachable
REJECT     udp  --  209.239.43.72        0.0.0.0/0            udp reject-with icmp-port-unreachable
REJECT     tcp  --  239.255.255.250      0.0.0.0/0            tcp reject-with icmp-port-unreachable
REJECT     udp  --  239.255.255.250      0.0.0.0/0            udp reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp source IP range 213.198.1.1-213.198.255.255 reject-with icmp-port-unreachable
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            udp source IP range 213.198.1.1-213.198.255.255 reject-with icmp-port-unreachable
- brctl show
bridge name     bridge id               STP enabled     interfaces
virbr0          8000.fe540083c52a       yes             vnet0
Plus maybe try tcpdump'ing the connection?
eth0 ?
Thanks,
Phil.
On Sat, Sep 24, 2011 at 03:00:13AM +1000, Philip Rhoades wrote: [...]
Interfaces and firewall rules all look fine to me. You can check them against the description here:
http://libvirt.org/firewall.html
Plus maybe try tcpdump'ing the connection?
eth0 ?
Wherever the packets are going, but I'd expect them to end up on virbr0.
Some other things to check:
$ cat /proc/sys/net/ipv4/ip_forward
1
$ grep bridge /etc/sysctl.conf
# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
(Not sure if this is necessary, but see: https://bugzilla.redhat.com/show_bug.cgi?id=512206 )
Rich.
Rich,
On 2011-09-24 03:17, Richard W.M. Jones wrote:
On Sat, Sep 24, 2011 at 03:00:13AM +1000, Philip Rhoades wrote: [...]
Interfaces and firewall rules all look fine to me. You can check them against the description here:
Will have a look . .
Plus maybe try tcpdump'ing the connection?
eth0 ?
Wherever the packets are going, but I'd expect them to end up on virbr0.
See other post before I received this one.
Some other things to check:
$ cat /proc/sys/net/ipv4/ip_forward
1
True.
$ grep bridge /etc/sysctl.conf
# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
True.
(Not sure if this is necessary, but see: https://bugzilla.redhat.com/show_bug.cgi?id=512206 )
OK, thanks.
Regards,
Phil.
Another thought I had: is the *guest* running libvirtd?
There used to be a bug that we started libvirtd in the guest, which created its own 192.168.122/24 network, which royally messed up routing to that guest.
Rich.
Rich,
On 2011-09-24 03:42, Richard W.M. Jones wrote:
Another thought I had: is the *guest* running libvirtd?
There used to be a bug that we started libvirtd in the guest, which created its own 192.168.122/24 network, which royally messed up routing to that guest.
libvirtd not running on guest - but http://libvirt.org/firewall.html looks promising so I will work my way through that.
Many thanks!
Regards,
Phil.
Rich,
On 2011-09-24 03:49, Philip Rhoades wrote:
Rich,
On 2011-09-24 03:42, Richard W.M. Jones wrote:
Another thought I had: is the *guest* running libvirtd?
There used to be a bug that we started libvirtd in the guest, which created its own 192.168.122/24 network, which royally messed up routing to that guest.
libvirtd not running on guest - but http://libvirt.org/firewall.html looks promising so I will work my way through that.
I finally found that stopping the firewall on the client changed the error message on the host from:
"No route to host"
to:
"Connection refused"
then I realised I hadn't restarted sshd on the client but the original problem was the firewall on the client so I have set that up properly now and it is likely that the rules at:
http://libvirt.org/firewall.html
are not necessary for a default F16 setup.
BTW, you were right about restarting iptables upsetting libvirtd/dnsmasq . .
Regards,
Phil.
Rich,
On 2011-09-24 03:00, Philip Rhoades wrote:
Plus maybe try tcpdump'ing the connection?
eth0 ?
On virbr0:
03:24:11.874464 IP 192.168.122.1.46164 > 192.168.122.139.ssh: Flags [S], seq 2639287357, win 5840, options [mss 1460,sackOK,TS val 1640487 ecr 0,nop,wscale 7], length 0
03:24:11.874749 IP 192.168.122.139 > 192.168.122.1: ICMP host 192.168.122.139 unreachable - admin prohibited, length 68
03:24:16.877911 ARP, Request who-has 192.168.122.1 tell 192.168.122.139, length 28
03:24:16.877933 ARP, Reply 192.168.122.1 is-at fe:54:00:83:c5:2a (oui Unknown), length 28
03:24:18.490805 IP 0.0.0.0 > all-systems.mcast.net: igmp query v2
03:24:18.490807 IP6 truncated-ip6 - 8160 bytes missing!:: > ff02::1: HBH ICMP6, multicast listener queryv2 [gaddr ::[|icmp6], length 8184
Thanks,
Phil.
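
Added example, not part of the thread and not code from any of its participants: a small Python classifier for tcpdump text output that separates the outcomes this thread ran into ("No route to host" caused by a firewall REJECT on the answering machine versus "Connection refused" from a closed port). The first two sample lines are the virbr0 capture quoted above; the other two captures, and the names classify and MEANING, are constructed for illustration.

```python
import re

# First two lines: the virbr0 capture quoted in the thread.
THREAD_CAPTURE = """\
03:24:11.874464 IP 192.168.122.1.46164 > 192.168.122.139.ssh: Flags [S], seq 2639287357, win 5840, options [mss 1460,sackOK,TS val 1640487 ecr 0,nop,wscale 7], length 0
03:24:11.874749 IP 192.168.122.139 > 192.168.122.1: ICMP host 192.168.122.139 unreachable - admin prohibited, length 68
"""
# Constructed sample: the port answers with a TCP reset (no listener).
REFUSED_CAPTURE = """\
03:40:02.100000 IP 192.168.122.1.46170 > 192.168.122.139.ssh: Flags [S], seq 1, win 5840, length 0
03:40:02.100300 IP 192.168.122.139.ssh > 192.168.122.1.46170: Flags [R.], seq 0, ack 2, win 0, length 0
"""
# Constructed sample: ARP for the guest is never answered.
ARP_CAPTURE = """\
03:50:00.000000 ARP, Request who-has 192.168.122.139 tell 192.168.122.1, length 28
03:50:01.000000 ARP, Request who-has 192.168.122.139 tell 192.168.122.1, length 28
"""

# verdict -> (error the connecting client reports, where to look next)
MEANING = {
    "rejected-prohibited": ("No route to host",
                            "REJECT rule in the firewall of the answering host"),
    "rejected-port": ("Connection refused",
                      "REJECT with icmp-port-unreachable on the answering host"),
    "rejected-other": (None, "other ICMP unreachable; read the code in the capture"),
    "closed": ("Connection refused",
               "packet was delivered, nothing is listening on the port"),
    "open": (None, "TCP handshake answered; look above the network layer"),
    "no-reply": ("Connection timed out", "SYN silently dropped (DROP rule) or lost"),
    "arp-unanswered": ("No route to host",
                       "no ARP reply: guest down, wrong address or wrong bridge"),
    "no-attempt": (None, "no matching traffic; capture on another interface"),
}


def classify(capture, client, server, ports=("ssh", "22")):
    """Return a verdict for a client->server TCP connect seen in tcpdump text."""
    c, s = re.escape(client), re.escape(server)
    p = "|".join(re.escape(x) for x in ports)
    syn = re.compile(rf"IP {c}\.\d+ > {s}\.(?:{p}): Flags \[S\]")
    synack = re.compile(rf"IP {s}\.(?:{p}) > {c}\.\d+: Flags \[S\.\]")
    rst = re.compile(rf"IP {s}\.(?:{p}) > {c}\.\d+: Flags \[R\.?\]")
    icmp = re.compile(rf"IP {s} > {c}: ICMP .*unreachable")
    arp_req = re.compile(rf"ARP, Request who-has {s} tell {c}")
    arp_rep = re.compile(rf"ARP, Reply {s} is-at")

    saw_syn = saw_arp_req = saw_arp_rep = False
    for line in capture.splitlines():
        if syn.search(line):
            saw_syn = True
        elif arp_req.search(line):
            saw_arp_req = True
        elif arp_rep.search(line):
            saw_arp_rep = True
        elif saw_syn and synack.search(line):
            return "open"
        elif saw_syn and rst.search(line):
            return "closed"
        elif saw_syn and icmp.search(line):
            if "admin prohibited" in line:
                return "rejected-prohibited"
            return "rejected-port" if " port " in line else "rejected-other"
    if saw_syn:
        return "no-reply"
    if saw_arp_req and not saw_arp_rep:
        return "arp-unanswered"
    return "no-attempt"


if __name__ == "__main__":
    for name, cap in [("thread", THREAD_CAPTURE), ("refused", REFUSED_CAPTURE),
                      ("arp", ARP_CAPTURE)]:
        verdict = classify(cap, "192.168.122.1", "192.168.122.139")
        print(name, verdict, MEANING[verdict])
```

The ICMP pattern only matches replies whose source is the server address itself, so "rejected-prohibited" points at the firewall on the machine being connected to rather than at one on the path.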