Same problem again: guests can resolve internet addresses, but are unable to access them: # host google.com google.com has address 172.217.20.238 google.com has IPv6 address 2a00:1450:4016:801::200e google.com mail is handled by 30 alt2.aspmx.l.google.com. google.com mail is handled by 10 aspmx.l.google.com. google.com mail is handled by 20 alt1.aspmx.l.google.com. google.com mail is handled by 50 alt4.aspmx.l.google.com. google.com mail is handled by 40 alt3.aspmx.l.google.com. # ping google.com PING google.com (172.217.20.238): 56 data bytes ^C --- google.com ping statistics --- 4 packets transmitted, 0 packets received, 100.0% packet loss iptables is set as expected: # iptables-save # Generated by iptables-save v1.8.5 on Fri Mar 26 13:03:26 2021 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :LIBVIRT_INP - [0:0] :LIBVIRT_OUT - [0:0] :LIBVIRT_FWO - [0:0] :LIBVIRT_FWI - [0:0] :LIBVIRT_FWX - [0:0] -A INPUT -j LIBVIRT_INP -A FORWARD -j LIBVIRT_FWX -A FORWARD -j LIBVIRT_FWI -A FORWARD -j LIBVIRT_FWO -A OUTPUT -j LIBVIRT_OUT -A LIBVIRT_INP -i virbr8 -p udp -m udp --dport 53 -j ACCEPT -A LIBVIRT_INP -i virbr8 -p tcp -m tcp --dport 53 -j ACCEPT -A LIBVIRT_INP -i virbr8 -p udp -m udp --dport 67 -j ACCEPT -A LIBVIRT_INP -i virbr8 -p tcp -m tcp --dport 67 -j ACCEPT -A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 53 -j ACCEPT -A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT -A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 67 -j ACCEPT -A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT -A LIBVIRT_OUT -o virbr8 -p udp -m udp --dport 53 -j ACCEPT -A LIBVIRT_OUT -o virbr8 -p tcp -m tcp --dport 53 -j ACCEPT -A LIBVIRT_OUT -o virbr8 -p udp -m udp --dport 68 -j ACCEPT -A LIBVIRT_OUT -o virbr8 -p tcp -m tcp --dport 68 -j ACCEPT -A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 53 -j ACCEPT -A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 53 -j ACCEPT -A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT -A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 68 -j ACCEPT -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT -A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT -A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT -A LIBVIRT_FWO -s 172.19.18.0/24 -i virbr8 -j ACCEPT -A LIBVIRT_FWO -i virbr8 -j REJECT --reject-with icmp-port-unreachable -A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable -A LIBVIRT_FWO -s 172.19.10.0/24 -i virbr0 -j ACCEPT -A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable -A LIBVIRT_FWI -d 172.19.18.0/24 -o virbr8 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A LIBVIRT_FWI -o virbr8 -j REJECT --reject-with icmp-port-unreachable -A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable -A LIBVIRT_FWI -d 172.19.10.0/24 -o virbr0 -j ACCEPT -A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable -A LIBVIRT_FWX -i virbr8 -o virbr8 -j ACCEPT -A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT -A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT COMMIT # Completed on Fri Mar 26 13:03:26 2021 # Generated by iptables-save v1.8.5 on Fri Mar 26 13:03:26 2021 *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :LIBVIRT_PRT - [0:0] -A POSTROUTING -j LIBVIRT_PRT -A LIBVIRT_PRT -s 172.19.18.0/24 -d 224.0.0.0/24 -j RETURN -A LIBVIRT_PRT -s 172.19.18.0/24 -d 255.255.255.255/32 -j RETURN -A LIBVIRT_PRT -s 172.19.18.0/24 ! -d 172.19.18.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535 -A LIBVIRT_PRT -s 172.19.18.0/24 ! -d 172.19.18.0/24 -p udp -j MASQUERADE --to-ports 1024-65535 -A LIBVIRT_PRT -s 172.19.18.0/24 ! -d 172.19.18.0/24 -j MASQUERADE COMMIT # Completed on Fri Mar 26 13:03:26 2021 # Generated by iptables-save v1.8.5 on Fri Mar 26 13:03:26 2021 *mangle :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :LIBVIRT_PRT - [0:0] -A POSTROUTING -j LIBVIRT_PRT -A LIBVIRT_PRT -o virbr8 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill -A LIBVIRT_PRT -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill -A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill COMMIT # Completed on Fri Mar 26 13:03:26 2021 IP-forwarding is enabled: # cat /proc/sys/net/ipv4/ip_forward 1 but guests do not receive packets send back to them from servers. I am not absolutely sure if this is the error described here, but I think it is the same. OS: # uname -a Linux ivory 5.8.0-48-generic #54-Ubuntu SMP Fri Mar 19 14:25:20 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux # cat /etc/lsb-release DISTRIB_ID=Ubuntu DISTRIB_RELEASE=20.10 DISTRIB_CODENAME=groovy DISTRIB_DESCRIPTION="Ubuntu 20.10"