Same problem again: guests can resolve internet addresses, but are unable to access them:
# host google.com
google.com has address 172.217.20.238
google.com has IPv6 address 2a00:1450:4016:801::200e
google.com mail is handled by 30 alt2.aspmx.l.google.com.
google.com mail is handled by 10 aspmx.l.google.com.
google.com mail is handled by 20 alt1.aspmx.l.google.com.
google.com mail is handled by 50 alt4.aspmx.l.google.com.
google.com mail is handled by 40 alt3.aspmx.l.google.com.
# ping google.com
PING google.com (172.217.20.238): 56 data bytes
^C
--- google.com ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
iptables is set as expected:
# iptables-save
# Generated by iptables-save v1.8.5 on Fri Mar 26 13:03:26 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWX - [0:0]
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_INP -i virbr8 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr8 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr8 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr8 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr8 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr8 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr8 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr8 -p tcp -m tcp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
-A LIBVIRT_FWO -s 172.19.18.0/24 -i virbr8 -j ACCEPT
-A LIBVIRT_FWO -i virbr8 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 172.19.10.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 172.19.18.0/24 -o virbr8 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr8 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 172.19.10.0/24 -o virbr0 -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr8 -o virbr8 -j ACCEPT
-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
COMMIT
# Completed on Fri Mar 26 13:03:26 2021
# Generated by iptables-save v1.8.5 on Fri Mar 26 13:03:26 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 172.19.18.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 172.19.18.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 172.19.18.0/24 ! -d 172.19.18.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 172.19.18.0/24 ! -d 172.19.18.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 172.19.18.0/24 ! -d 172.19.18.0/24 -j MASQUERADE
COMMIT
# Completed on Fri Mar 26 13:03:26 2021
# Generated by iptables-save v1.8.5 on Fri Mar 26 13:03:26 2021
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -o virbr8 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A LIBVIRT_PRT -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Fri Mar 26 13:03:26 2021
IP-forwarding is enabled:
# cat /proc/sys/net/ipv4/ip_forward
1
but guests do not receive packets sent back to them from servers. I am not absolutely sure if this is the error described here, but I think it is the same.
OS:
# uname -a
Linux ivory 5.8.0-48-generic #54-Ubuntu SMP Fri Mar 19 14:25:20 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.10
DISTRIB_CODENAME=groovy
DISTRIB_DESCRIPTION="Ubuntu 20.10"
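
An added example, not part of the original report: a short Python script that checks an iptables-save dump mechanically by listing, for each libvirt bridge, whether LIBVIRT_FWO accepts guest traffic from a subnet and whether that subnet has a MASQUERADE rule in the nat table. SAMPLE is a constructed subset of the rules from the dump above; the function and field names are illustrative.

```python
import shlex

# Constructed sample: a subset of the rules shown in the report's dump.
SAMPLE = """\
*filter
-A LIBVIRT_FWO -s 172.19.18.0/24 -i virbr8 -j ACCEPT
-A LIBVIRT_FWO -i virbr8 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 172.19.10.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
-A LIBVIRT_PRT -s 172.19.18.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 172.19.18.0/24 ! -d 172.19.18.0/24 -j MASQUERADE
COMMIT
"""

def opt(tokens, flag):
    """Return the value following flag, or None when the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def summarize(dump):
    """Map each bridge to its accepted source subnet and NAT status."""
    table, bridges, masqueraded = None, {}, set()
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()          # "*filter", "*nat", ...
        if not line.startswith("-A "):
            continue                          # skip comments, policies, COMMIT
        tokens = shlex.split(line)
        chain, target, src = tokens[1], opt(tokens, "-j"), opt(tokens, "-s")
        iface = opt(tokens, "-i")
        if table == "filter" and chain == "LIBVIRT_FWO" and iface:
            entry = bridges.setdefault(
                iface, {"subnet": None, "forward_out": False})
            if target == "ACCEPT" and src:
                entry.update(subnet=src, forward_out=True)
        elif table == "nat" and target == "MASQUERADE" and src:
            masqueraded.add(src)
    for entry in bridges.values():
        entry["masquerade"] = entry["subnet"] in masqueraded
    return bridges

if __name__ == "__main__":
    for bridge, info in sorted(summarize(SAMPLE).items()):
        print(bridge, info)
```

For the dump above this reports virbr8 as forwarded and masqueraded, virbr0 as forwarded without a MASQUERADE rule, and virbr1 as reject-only.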