Comment 14 for bug 1724441

Thomas Schweikle (tps) wrote :

Same problem again: guests can resolve internet addresses, but are unable to access them:

# host google.com
google.com has address 172.217.20.238
google.com has IPv6 address 2a00:1450:4016:801::200e
google.com mail is handled by 30 alt2.aspmx.l.google.com.
google.com mail is handled by 10 aspmx.l.google.com.
google.com mail is handled by 20 alt1.aspmx.l.google.com.
google.com mail is handled by 50 alt4.aspmx.l.google.com.
google.com mail is handled by 40 alt3.aspmx.l.google.com.

# ping google.com
PING google.com (172.217.20.238): 56 data bytes
^C
--- google.com ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss

iptables is set as expected:
# iptables-save
# Generated by iptables-save v1.8.5 on Fri Mar 26 13:03:26 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWX - [0:0]
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_INP -i virbr8 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr8 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr8 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr8 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr8 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr8 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr8 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr8 -p tcp -m tcp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
-A LIBVIRT_FWO -s 172.19.18.0/24 -i virbr8 -j ACCEPT
-A LIBVIRT_FWO -i virbr8 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 172.19.10.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 172.19.18.0/24 -o virbr8 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr8 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 172.19.10.0/24 -o virbr0 -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr8 -o virbr8 -j ACCEPT
-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
COMMIT
# Completed on Fri Mar 26 13:03:26 2021
# Generated by iptables-save v1.8.5 on Fri Mar 26 13:03:26 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 172.19.18.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 172.19.18.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 172.19.18.0/24 ! -d 172.19.18.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 172.19.18.0/24 ! -d 172.19.18.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 172.19.18.0/24 ! -d 172.19.18.0/24 -j MASQUERADE
COMMIT
# Completed on Fri Mar 26 13:03:26 2021
# Generated by iptables-save v1.8.5 on Fri Mar 26 13:03:26 2021
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -o virbr8 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A LIBVIRT_PRT -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Fri Mar 26 13:03:26 2021

IP-forwarding is enabled:
# cat /proc/sys/net/ipv4/ip_forward
1

but guests do not receive packets sent back to them from servers. I am not absolutely sure if this is the error described here, but I think it is the same.

OS:
# uname -a
Linux ivory 5.8.0-48-generic #54-Ubuntu SMP Fri Mar 19 14:25:20 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.10
DISTRIB_CODENAME=groovy
DISTRIB_DESCRIPTION="Ubuntu 20.10"
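As an added diagnostic (editor's example, not part of this bug comment or of libvirt): a small Python checker that parses an iptables-save dump of the shape shown above and reports, for every bridge that appears in LIBVIRT_FWO, the guest subnet, whether the return path is accepted in LIBVIRT_FWI, and whether the subnet is masqueraded in the nat table. The embedded dump is a constructed, abridged copy of the rules in the comment; a bridge with no subnet is an isolated network and gets no forwarding at all.

```python
# Audit a libvirt-style iptables-save dump for the rules a NAT guest network
# needs: outbound ACCEPT, return-path ACCEPT and MASQUERADE. Sample is constructed.
import shlex

SAMPLE_DUMP = """\
*filter
-A LIBVIRT_FWO -s 172.19.18.0/24 -i virbr8 -j ACCEPT
-A LIBVIRT_FWO -i virbr8 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 172.19.10.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWI -d 172.19.18.0/24 -o virbr8 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -d 172.19.10.0/24 -o virbr0 -j ACCEPT
COMMIT
*nat
-A LIBVIRT_PRT -s 172.19.18.0/24 ! -d 172.19.18.0/24 -j MASQUERADE
COMMIT
"""

def parse_rules(dump):
    """Return (table, argv) for every -A rule; argv starts with the chain name."""
    table, rules = None, []
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            rules.append((table, shlex.split(line)[1:]))
    return rules

def opt(argv, flag):
    """Value that follows a flag in an iptables rule, or None if absent."""
    return argv[argv.index(flag) + 1] if flag in argv else None

def audit_nat_bridges(dump):
    # Per bridge: guest subnet (None = isolated), return path accepted, masqueraded.
    rules = parse_rules(dump)
    report = {}
    for table, a in rules:
        if table == "filter" and a[0] == "LIBVIRT_FWO" and opt(a, "-i"):
            entry = report.setdefault(opt(a, "-i"), {"subnet": None, "fwd_in": False, "masq": False})
            if opt(a, "-j") == "ACCEPT" and opt(a, "-s"):
                entry["subnet"] = opt(a, "-s")
    for br, e in report.items():
        for table, a in rules:
            chain, net = a[0], e["subnet"]
            if net and chain == "LIBVIRT_FWI" and opt(a, "-o") == br and opt(a, "-d") == net and opt(a, "-j") == "ACCEPT":
                e["fwd_in"] = True
            if net and table == "nat" and chain == "LIBVIRT_PRT" and opt(a, "-s") == net and opt(a, "-j") == "MASQUERADE":
                e["masq"] = True
    return report
```

On the sample, `audit_nat_bridges(SAMPLE_DUMP)` marks virbr8 as fully NATed, virbr0 as forwarded but not masqueraded (a routed network, or a missing nat rule), and virbr1 as isolated; feed it the real `iptables-save` output to get the same table for a live host.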