[fedora-virt] Routing only works in one direction + tcpdump
Philip Rhoades
phil at pricom.com.au
Fri Sep 23 17:27:09 UTC 2011
Rich,
On 2011-09-24 03:00, Philip Rhoades wrote:
> Rich,
>
>
> On 2011-09-24 02:23, Richard W.M. Jones wrote:
>> On Sat, Sep 24, 2011 at 02:13:57AM +1000, Philip Rhoades wrote:
>>> Rich,
>>>
>>>
>>> On 2011-09-24 00:13, Richard W.M. Jones wrote:
>>> >On Fri, Sep 23, 2011 at 12:43:12AM +1000, Philip Rhoades wrote:
>>> >>People,
>>> >>
>>> >>I have been installing virtual machines for a while on a Fedora 14
>>> >>x86_64 system (the most recent one was F16 Alpha i686) and I have always
>>> >>managed to be able to test what I wanted to but ssh-ing from the host to
>>> >>the virtual machines has never worked (it always works the other way
>>> >>around). I get:
>>> >>
>>> >> ssh: connect to host 192.168.122.139 port 22: No route to host
>>> >>
>>> >>ifconfig shows:
>>> >>
>>> >> virbr0 Link encap:Ethernet HWaddr FE:54:00:9F:96:2F
>>> >> inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
>>> >>
>>> >>route shows:
>>> >>
>>> >> 192.168.122.0 * 255.255.255.0 U 0 0 0 virbr0
>>> >>
>>> >>so why the error message?
>>> >
>>> >There's not enough information here to answer the question,
>>>
>>>
>>> What other info is needed?
>>
>> I'd want to see the *full* output from:
>>
>> - ifconfig -a
>
>
> eth0 Link encap:Ethernet HWaddr 00:1C:C0:FA:85:E6
> inet addr:10.1.1.10 Bcast:10.1.1.255 Mask:255.255.255.0
> inet6 addr: fe80::21c:c0ff:fefa:85e6/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:4184 errors:0 dropped:0 overruns:0 frame:0
> TX packets:4297 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:2345423 (2.2 MiB) TX bytes:649997 (634.7 KiB)
> Interrupt:20 Memory:d0600000-d0620000
>
> eth1 Link encap:Ethernet HWaddr 00:1F:11:01:25:AE
> inet addr:192.168.0.200 Bcast:192.168.0.255 Mask:255.255.255.0
> inet6 addr: fe80::21f:11ff:fe01:25ae/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:0 (0.0 b) TX bytes:5749 (5.6 KiB)
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:21009 errors:0 dropped:0 overruns:0 frame:0
> TX packets:21009 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:4079213 (3.8 MiB) TX bytes:4079213 (3.8 MiB)
>
> virbr0 Link encap:Ethernet HWaddr FE:54:00:83:C5:2A
> inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:27 errors:0 dropped:0 overruns:0 frame:0
> TX packets:22 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:5164 (5.0 KiB) TX bytes:5199 (5.0 KiB)
>
> vnet0 Link encap:Ethernet HWaddr FE:54:00:83:C5:2A
> inet6 addr: fe80::fc54:ff:fe83:c52a/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:29 errors:0 dropped:0 overruns:0 frame:0
> TX packets:78 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:500
> RX bytes:5722 (5.5 KiB) TX bytes:5292 (5.1 KiB)
>
>
>
>> - netstat -rn
>
>
> Kernel IP routing table
> Destination Gateway Genmask Flags MSS Window irtt Iface
> 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
> 10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> 192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
> 0.0.0.0 10.1.1.1 0.0.0.0 UG 0 0 0 eth0
>
>
>
>> - iptables -L -n
>
>
> Chain INPUT (policy DROP)
> target prot opt source destination
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
> block all -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> ACCEPT tcp -- 149.171.173.169 0.0.0.0/0 tcp dpt:22
> ACCEPT tcp -- 203.166.81.114 0.0.0.0/0 tcp dpt:22
> ACCEPT tcp -- 203.206.181.78 0.0.0.0/0 tcp dpt:22
> ACCEPT tcp -- 180.189.137.63 0.0.0.0/0 tcp dpt:22
> ACCEPT tcp -- 59.167.251.17 0.0.0.0/0 tcp dpt:22
> ACCEPT tcp -- 144.136.70.171 0.0.0.0/0 tcp dpt:22
> ACCEPT tcp -- 65.99.230.42 0.0.0.0/0 tcp dpt:22
> ACCEPT tcp -- 203.84.234.5 0.0.0.0/0 tcp dpt:22
> ACCEPT tcp -- 12.45.85.174 0.0.0.0/0 tcp dpt:22
> ACCEPT tcp -- 27.33.171.236 0.0.0.0/0 tcp dpt:22
> ACCEPT tcp -- 24.62.160.127 0.0.0.0/0 tcp dpt:22
> ACCEPT tcp -- 10.1.1.0/24 0.0.0.0/0 tcp dpt:22
> ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:22
> ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:22
> ACCEPT tcp -- 192.168.122.0/24 0.0.0.0/0 tcp dpt:22
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED tcp dpt:25 flags:0x17/0x02
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED tcp dpt:53 flags:0x17/0x02
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED tcp dpt:80
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED tcp dpt:8080
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED tcp dpt:443
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED tcp dpt:465
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED tcp dpt:993
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED tcp dpt:2049
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED tcp dpt:2401
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED tcp dpt:3128 flags:0x17/0x02
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED tcp dpt:5900 flags:0x17/0x02
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED tcp dpt:5901 flags:0x17/0x02
> ACCEPT udp -- 149.171.173.169 0.0.0.0/0 udp spt:53
> ACCEPT udp -- 203.166.81.114 0.0.0.0/0 udp spt:53
> ACCEPT udp -- 203.206.181.78 0.0.0.0/0 udp dpt:53
> ACCEPT udp -- 180.189.137.63 0.0.0.0/0 udp spt:53
> ACCEPT udp -- 59.167.251.17 0.0.0.0/0 udp spt:53
> ACCEPT udp -- 58.172.176.250 0.0.0.0/0 udp spt:53
> ACCEPT udp -- 203.84.234.5 0.0.0.0/0 udp spt:53
> ACCEPT udp -- 12.45.85.174 0.0.0.0/0 udp spt:53
> ACCEPT udp -- 10.1.1.0/24 0.0.0.0/0 udp spt:53
> ACCEPT udp -- 192.168.0.0/24 0.0.0.0/0 udp spt:53
> ACCEPT udp -- 192.168.1.0/24 0.0.0.0/0 udp spt:53
> ACCEPT udp -- 192.168.122.0/24 0.0.0.0/0 udp spt:53
> REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 reject-with icmp-port-unreachable
> REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp reject-with icmp-port-unreachable
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 192.168.122.0/24 state RELATED,ESTABLISHED
> ACCEPT all -- 192.168.122.0/24 0.0.0.0/0
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
> REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
>
> Chain OUTPUT (policy DROP)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
>
> Chain block (1 references)
> target prot opt source destination
> REJECT tcp -- 61.115.230.182 0.0.0.0/0 tcp reject-with icmp-port-unreachable
> REJECT udp -- 61.115.230.182 0.0.0.0/0 udp reject-with icmp-port-unreachable
> REJECT tcp -- 80.31.213.120 0.0.0.0/0 tcp reject-with icmp-port-unreachable
> REJECT udp -- 80.31.213.120 0.0.0.0/0 udp reject-with icmp-port-unreachable
> REJECT tcp -- 89.97.225.114 0.0.0.0/0 tcp reject-with icmp-port-unreachable
> REJECT udp -- 89.97.225.114 0.0.0.0/0 udp reject-with icmp-port-unreachable
> REJECT tcp -- 209.239.43.72 0.0.0.0/0 tcp reject-with icmp-port-unreachable
> REJECT udp -- 209.239.43.72 0.0.0.0/0 udp reject-with icmp-port-unreachable
> REJECT tcp -- 239.255.255.250 0.0.0.0/0 tcp reject-with icmp-port-unreachable
> REJECT udp -- 239.255.255.250 0.0.0.0/0 udp reject-with icmp-port-unreachable
> REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp source IP range 213.198.1.1-213.198.255.255 reject-with icmp-port-unreachable
> REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp source IP range 213.198.1.1-213.198.255.255 reject-with icmp-port-unreachable
>
>
>> - brctl show
>
>
> bridge name bridge id STP enabled interfaces
> virbr0 8000.fe540083c52a yes vnet0
>
>
>> Plus maybe try tcpdump'ing the connection?
>
>
> eth0 ?
On virbr0:

03:24:11.874464 IP 192.168.122.1.46164 > 192.168.122.139.ssh: Flags [S], seq 2639287357, win 5840, options [mss 1460,sackOK,TS val 1640487 ecr 0,nop,wscale 7], length 0
03:24:11.874749 IP 192.168.122.139 > 192.168.122.1: ICMP host 192.168.122.139 unreachable - admin prohibited, length 68
03:24:16.877911 ARP, Request who-has 192.168.122.1 tell 192.168.122.139, length 28
03:24:16.877933 ARP, Reply 192.168.122.1 is-at fe:54:00:83:c5:2a (oui Unknown), length 28
03:24:18.490805 IP 0.0.0.0 > all-systems.mcast.net: igmp query v2
03:24:18.490807 IP6 truncated-ip6 - 8160 bytes missing!:: > ff02::1: HBH ICMP6, multicast listener queryv2 [gaddr ::[|icmp6], length 8184

Thanks,
Phil.
--
Philip Rhoades
GPO Box 3411
Sydney NSW 2001
Australia
E-mail: phil at pricom.com.au
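
Added example, not part of the original message: a small parser for tcpdump text output that pairs each TCP SYN with the ICMP unreachable sent back for it and reports which address generated the rejection. The sample lines are the first packets of the virbr0 capture above, re-joined; the names rejected_syns and window are illustrative.

```python
import re

# Packets re-joined from the virbr0 capture in the message above.
CAPTURE = """\
03:24:11.874464 IP 192.168.122.1.46164 > 192.168.122.139.ssh: Flags [S], seq 2639287357, win 5840, options [mss 1460,sackOK,TS val 1640487 ecr 0,nop,wscale 7], length 0
03:24:11.874749 IP 192.168.122.139 > 192.168.122.1: ICMP host 192.168.122.139 unreachable - admin prohibited, length 68
03:24:16.877911 ARP, Request who-has 192.168.122.1 tell 192.168.122.139, length 28
"""

IP4 = r"(\d+\.\d+\.\d+\.\d+)"
SYN = re.compile(rf"^(\S+) IP {IP4}\.[\w-]+ > {IP4}\.([\w-]+): Flags \[S\]")
ICMP = re.compile(rf"^(\S+) IP {IP4} > {IP4}: ICMP (?:host|net) {IP4} "
                  r"unreachable(?: - (.+?))?, length")


def seconds(ts):
    """Convert tcpdump's HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def rejected_syns(text, window=1.0):
    """Pair each SYN with an ICMP unreachable sent back to its source."""
    pending, findings = [], []
    for line in text.splitlines():
        if m := SYN.match(line):
            ts, src, dst, dport = m.groups()
            pending.append((seconds(ts), src, dst, dport))
        elif m := ICMP.match(line):
            ts, sender, receiver, about, reason = m.groups()
            now = seconds(ts)
            for syn in pending:
                t0, src, dst, dport = syn
                if receiver == src and about == dst and 0 <= now - t0 <= window:
                    findings.append({
                        "client": src, "target": dst, "port": dport,
                        "rejected_by": sender,
                        # True: the SYN reached the target and was refused there.
                        "by_target_itself": sender == dst,
                        "reason": reason or "unreachable",
                    })
                    pending.remove(syn)
                    break
    return findings


if __name__ == "__main__":
    for finding in rejected_syns(CAPTURE):
        print(finding)
```

For this capture the rejection comes from 192.168.122.139 itself with reason "admin prohibited". Linux reports that ICMP error to the connecting client as EHOSTUNREACH, which ssh prints as "No route to host".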