Re: [CentOS] Host Machine and Iptables problem
On 05/01/2012 08:46 AM, Tait Clarridge wrote:
> On Tue, 2012-05-01 at 02:08 -0500, Cbulist wrote:
>> On 05/01/2012 02:03 AM, Barry Brimer wrote:
>> Yes, I thought the same but my confusion is that I don't see any rules of
>> PREROUTING and POSTROUTING in the /etc/sysconfig/iptables file.
>>
>> [root@VS01]# cat /etc/sysconfig/iptables
>> # Firewall configuration written by system-config-firewall
>> # Manual customization of this file is not recommended.
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A INPUT -p icmp -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
>> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
>> -A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
>> -A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT
>> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>> COMMIT
>>
>> But when I check the command iptables -L -t nat I can see the NAT rules
>>
>> [root@VS01]# iptables -L -t nat
>> Chain PREROUTING (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain POSTROUTING (policy ACCEPT)
>> target     prot opt source               destination
>> MASQUERADE tcp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
>> MASQUERADE udp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
>> MASQUERADE all  --  192.168.122.0/24    !192.168.122.0/24
>> MASQUERADE tcp  --  192.168.100.0/24    !192.168.100.0/24    masq ports: 1024-65535
>> MASQUERADE udp  --  192.168.100.0/24    !192.168.100.0/24    masq ports: 1024-65535
>> MASQUERADE all  --  192.168.100.0/24    !192.168.100.0/24
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> am I missing something?
>>> Maybe .. do you have IPv4 forwarding enabled? What is the output of
>>> "cat /proc/sys/net/ipv4/ip_forward" ?? If it is 0, then edit
>>> /etc/sysctl.conf .. find net.ipv4.ip_forward .. set it to 1 and then run
>>> (as root) sysctl -p
>>>
>> In the Host machine the ip_forward is 1
> If you restart libvirtd it should add in the IPTABLES rules you are
> missing.
>
Hi Tait,

Thanks for sharing your point!... It worked and explained what had happened.
For everyone that is looking for more information about it I left this link:

http://libvirt.org/firewall.html

Thanks again!
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
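The two things the thread ends up checking (whether libvirt's runtime MASQUERADE rules are still in the nat table, and whether ip_forward is 1) can be scripted, so the condition is caught before guests lose connectivity. This is an added example, not code from the thread or from libvirt; it assumes `iptables -S -t nat` prints libvirt's rules in the form used in the constructed sample below, and the subnets are the ones posted above.

```shell
#!/bin/sh
# Added diagnostic (not from the thread or libvirt): report whether libvirt's
# MASQUERADE rules for a NAT-mode network are loaded and IPv4 forwarding is on.

# Count how many of libvirt's three POSTROUTING MASQUERADE rules for subnet $1
# are absent from $2, a dump in `iptables -S -t nat` syntax. Prints the count.
missing_nat_rules() {
  net="$1"; dump="$2"; missing=0
  for proto in tcp udp all; do
    if [ "$proto" = all ]; then
      rule="-A POSTROUTING -s $net ! -d $net -j MASQUERADE"
    else
      rule="-A POSTROUTING -s $net ! -d $net -p $proto -j MASQUERADE --to-ports 1024-65535"
    fi
    # -F literal, -x whole line, -- because the rule text starts with "-A"
    if ! printf '%s\n' "$dump" | grep -Fxq -- "$rule"; then
      echo "missing: $rule" >&2
      missing=$((missing + 1))
    fi
  done
  echo "$missing"
}

# Verdict for subnet $1 given nat dump $2 and ip_forward value $3:
# prints "ok", "forwarding-off" or "nat-missing:N" (N rules absent).
diagnose() {
  if [ "$3" != 1 ]; then echo "forwarding-off"; return 1; fi
  n=$(missing_nat_rules "$1" "$2")
  if [ "$n" -eq 0 ]; then echo "ok"; return 0; fi
  echo "nat-missing:$n"
  return 1
}

# Constructed samples: the nat table with libvirt's rules for the two networks
# in the thread, and the same table after `service iptables stop` flushed it.
HEALTHY='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -j MASQUERADE'
FLUSHED='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT'

# With --live SUBNET (as root) check the running host; otherwise run the samples.
if [ "${1:-}" = "--live" ]; then
  diagnose "${2:-192.168.122.0/24}" "$(iptables -S -t nat)" "$(cat /proc/sys/net/ipv4/ip_forward)"
else
  diagnose 192.168.122.0/24 "$HEALTHY" 1 || :   # ok
  diagnose 192.168.122.0/24 "$FLUSHED" 1 || :   # nat-missing:3
fi
```

When the verdict is nat-missing on a live host, restarting libvirtd (as Tait suggests above) re-installs the rules; forwarding-off points at net.ipv4.ip_forward instead.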
Re: [CentOS] Host Machine and Iptables problem
On Tue, 2012-05-01 at 02:08 -0500, Cbulist wrote:
> On 05/01/2012 02:03 AM, Barry Brimer wrote:
> >> Yes, I thought the same but my confusion is that I don't see any rules of
> >> PREROUTING and POSTROUTING in the /etc/sysconfig/iptables file.
> >>
> >> [root@VS01]# cat /etc/sysconfig/iptables
> >> # Firewall configuration written by system-config-firewall
> >> # Manual customization of this file is not recommended.
> >> *filter
> >> :INPUT ACCEPT [0:0]
> >> :FORWARD ACCEPT [0:0]
> >> :OUTPUT ACCEPT [0:0]
> >> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >> -A INPUT -p icmp -j ACCEPT
> >> -A INPUT -i lo -j ACCEPT
> >> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> >> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
> >> -A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
> >> -A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT
> >> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
> >> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> >> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> >> COMMIT
> >>
> >>
> >> But when I check the command iptables -L -t nat I can see the NAT rules
> >>
> >> [root@VS01]# iptables -L -t nat
> >> Chain PREROUTING (policy ACCEPT)
> >> target     prot opt source               destination
> >>
> >> Chain POSTROUTING (policy ACCEPT)
> >> target     prot opt source               destination
> >> MASQUERADE tcp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
> >> MASQUERADE udp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
> >> MASQUERADE all  --  192.168.122.0/24    !192.168.122.0/24
> >> MASQUERADE tcp  --  192.168.100.0/24    !192.168.100.0/24    masq ports: 1024-65535
> >> MASQUERADE udp  --  192.168.100.0/24    !192.168.100.0/24    masq ports: 1024-65535
> >> MASQUERADE all  --  192.168.100.0/24    !192.168.100.0/24
> >>
> >> Chain OUTPUT (policy ACCEPT)
> >> target     prot opt source               destination
> >>
> >> am I missing something?
> > Maybe .. do you have IPv4 forwarding enabled? What is the output of
> > "cat /proc/sys/net/ipv4/ip_forward" ?? If it is 0, then edit
> > /etc/sysctl.conf .. find net.ipv4.ip_forward .. set it to 1 and then run
> > (as root) sysctl -p
> >
> In the Host machine the ip_forward is 1

If you restart libvirtd it should add in the IPTABLES rules you are
missing.
Re: [CentOS] Host Machine and Iptables problem
>> Thanks Barry,
>>
>> Yes, I thought the same but my confusion is that I don't see any rules
>> of PREROUTING and POSTROUTING in the /etc/sysconfig/iptables file.
>>
>> [root@VS01]# cat /etc/sysconfig/iptables
>> # Firewall configuration written by system-config-firewall
>> # Manual customization of this file is not recommended.
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A INPUT -p icmp -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
>> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
>> -A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
>> -A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT
>> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>> COMMIT
>>
>>
>> But when I check the command iptables -L -t nat I can see the NAT rules
>>
>> [root@VS01]# iptables -L -t nat
>> Chain PREROUTING (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain POSTROUTING (policy ACCEPT)
>> target     prot opt source               destination
>> MASQUERADE tcp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
>> MASQUERADE udp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
>> MASQUERADE all  --  192.168.122.0/24    !192.168.122.0/24
>> MASQUERADE tcp  --  192.168.100.0/24    !192.168.100.0/24    masq ports: 1024-65535
>> MASQUERADE udp  --  192.168.100.0/24    !192.168.100.0/24    masq ports: 1024-65535
>> MASQUERADE all  --  192.168.100.0/24    !192.168.100.0/24
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> am I missing something?
>>
> It is possible that VM hypervisor (you failed to say which one) is
> adding iptables rules at runtime, only while VM guest is running. When
> you stop iptables, those rules are purged, and after the restart of
> iptables service it does not have necessary rules.
>
> Compare /etc/sysconfig/iptables while all works and after you stop iptables.
> You can also try restarting VM guests and even VM hypervisor.
>
Hi Ljubomir,

Thanks for your help. The hypervisor is KVM.
The iptables before and after stopping iptables are exactly the same.
Restarting the VM after running: service iptables start didn't work.
The only way is restarting the host machine... any idea?

Thanks in advance!
Re: [CentOS] Host Machine and Iptables problem
On 05/01/2012 08:45 AM, Cbulist wrote:
> On 05/01/2012 01:27 AM, Barry Brimer wrote:
>>> After that I stopped the Iptables on the Host machine and I lost
>>> external connectivity on my VM's.
>>> The only way that I found that VM machine works again is restarting the
>>> Host Machine. (Start Iptables service again on the Host didn't work)
>>>
>>> I'm using CentOS 6.2: 2.6.32-220.7.1.el6.x86_64
>>> The host's iptables is the default, I didn't add anything.
>>> Why the Iptables is stopping the connectivity of VM when I stop it?
>>
>> If you don't have NAT rules in your firewall .. internal VM traffic
>> that is not bridged won't get NATed and therefore can't reach the
>> parent network.
> Thanks Barry,
>
> Yes, I thought the same but my confusion is that I don't see any rules
> of PREROUTING and POSTROUTING in the /etc/sysconfig/iptables file.
>
> [root@VS01]# cat /etc/sysconfig/iptables
> # Firewall configuration written by system-config-firewall
> # Manual customization of this file is not recommended.
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
>
> But when I check the command iptables -L -t nat I can see the NAT rules
>
> [root@VS01]# iptables -L -t nat
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> MASQUERADE tcp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
> MASQUERADE udp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
> MASQUERADE all  --  192.168.122.0/24    !192.168.122.0/24
> MASQUERADE tcp  --  192.168.100.0/24    !192.168.100.0/24    masq ports: 1024-65535
> MASQUERADE udp  --  192.168.100.0/24    !192.168.100.0/24    masq ports: 1024-65535
> MASQUERADE all  --  192.168.100.0/24    !192.168.100.0/24
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> am I missing something?
>
It is possible that VM hypervisor (you failed to say which one) is adding
iptables rules at runtime, only while VM guest is running. When you stop
iptables, those rules are purged, and after the restart of iptables
service it does not have necessary rules.

Compare /etc/sysconfig/iptables while all works and after you stop iptables.
You can also try restarting VM guests and even VM hypervisor.

-- 
Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
Re: [CentOS] Host Machine and Iptables problem
On 05/01/2012 02:03 AM, Barry Brimer wrote:
>> Yes, I thought the same but my confusion is that I don't see any rules of
>> PREROUTING and POSTROUTING in the /etc/sysconfig/iptables file.
>>
>> [root@VS01]# cat /etc/sysconfig/iptables
>> # Firewall configuration written by system-config-firewall
>> # Manual customization of this file is not recommended.
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A INPUT -p icmp -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
>> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
>> -A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
>> -A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT
>> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>> COMMIT
>>
>>
>> But when I check the command iptables -L -t nat I can see the NAT rules
>>
>> [root@VS01]# iptables -L -t nat
>> Chain PREROUTING (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain POSTROUTING (policy ACCEPT)
>> target     prot opt source               destination
>> MASQUERADE tcp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
>> MASQUERADE udp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
>> MASQUERADE all  --  192.168.122.0/24    !192.168.122.0/24
>> MASQUERADE tcp  --  192.168.100.0/24    !192.168.100.0/24    masq ports: 1024-65535
>> MASQUERADE udp  --  192.168.100.0/24    !192.168.100.0/24    masq ports: 1024-65535
>> MASQUERADE all  --  192.168.100.0/24    !192.168.100.0/24
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> am I missing something?
> Maybe .. do you have IPv4 forwarding enabled? What is the output of
> "cat /proc/sys/net/ipv4/ip_forward" ?? If it is 0, then edit
> /etc/sysctl.conf .. find net.ipv4.ip_forward .. set it to 1 and then run
> (as root) sysctl -p
>
In the Host machine the ip_forward is 1
Re: [CentOS] Host Machine and Iptables problem
> Yes, I thought the same but my confusion is that I don't see any rules of
> PREROUTING and POSTROUTING in the /etc/sysconfig/iptables file.
>
> [root@VS01]# cat /etc/sysconfig/iptables
> # Firewall configuration written by system-config-firewall
> # Manual customization of this file is not recommended.
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
>
> But when I check the command iptables -L -t nat I can see the NAT rules
>
> [root@VS01]# iptables -L -t nat
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> MASQUERADE tcp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
> MASQUERADE udp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
> MASQUERADE all  --  192.168.122.0/24    !192.168.122.0/24
> MASQUERADE tcp  --  192.168.100.0/24    !192.168.100.0/24    masq ports: 1024-65535
> MASQUERADE udp  --  192.168.100.0/24    !192.168.100.0/24    masq ports: 1024-65535
> MASQUERADE all  --  192.168.100.0/24    !192.168.100.0/24
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> am I missing something?

Maybe .. do you have IPv4 forwarding enabled? What is the output of
"cat /proc/sys/net/ipv4/ip_forward" ?? If it is 0, then edit
/etc/sysctl.conf .. find net.ipv4.ip_forward .. set it to 1 and then run
(as root) sysctl -p
Re: [CentOS] Host Machine and Iptables problem
On 05/01/2012 01:27 AM, Barry Brimer wrote:
>> After that I stopped the Iptables on the Host machine and I lost
>> external connectivity on my VM's.
>> The only way that I found that VM machine works again is restarting the
>> Host Machine. (Start Iptables service again on the Host didn't work)
>>
>> I'm using CentOS 6.2: 2.6.32-220.7.1.el6.x86_64
>> The host's iptables is the default, I didn't add anything.
>> Why the Iptables is stopping the connectivity of VM when I stop it?
>
> If you don't have NAT rules in your firewall .. internal VM traffic
> that is not bridged won't get NATed and therefore can't reach the
> parent network.

Thanks Barry,

Yes, I thought the same but my confusion is that I don't see any rules of
PREROUTING and POSTROUTING in the /etc/sysconfig/iptables file.

[root@VS01]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT


But when I check the command iptables -L -t nat I can see the NAT rules

[root@VS01]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE tcp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
MASQUERADE udp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
MASQUERADE all  --  192.168.122.0/24    !192.168.122.0/24
MASQUERADE tcp  --  192.168.100.0/24    !192.168.100.0/24    masq ports: 1024-65535
MASQUERADE udp  --  192.168.100.0/24    !192.168.100.0/24    masq ports: 1024-65535
MASQUERADE all  --  192.168.100.0/24    !192.168.100.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

am I missing something?

Thanks!
Re: [CentOS] Host Machine and Iptables problem
> After that I stopped the Iptables on the Host machine and I lost
> external connectivity on my VM's.
> The only way that I found that VM machine works again is restarting the
> Host Machine. (Start Iptables service again on the Host didn't work)
>
> I'm using CentOS 6.2: 2.6.32-220.7.1.el6.x86_64
> The host's iptables is the default, I didn't add anything.
> Why the Iptables is stopping the connectivity of VM when I stop it?

If you don't have NAT rules in your firewall .. internal VM traffic that
is not bridged won't get NATed and therefore can't reach the parent
network.