
For some reason, I'm unable to connect to my server inside a VM from the outside world, but I can definitely connect to my server from the hypervisor. The server application runs on ports 27500 and 27015. I'm a little inexperienced with iptables so it might be that I did something obvious wrong. Here's my iptables-save:

[root@FW-H01 ~]# iptables-save
# Generated by iptables-save v1.8.4 on Fri Apr  3 21:34:51 2020
*mangle
:PREROUTING ACCEPT [10974504:113682765318]
:INPUT ACCEPT [9998403:109052061915]
:FORWARD ACCEPT [963508:4628352252]
:OUTPUT ACCEPT [11423761:2389165771]
:POSTROUTING ACCEPT [12387067:7017507319]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Fri Apr  3 21:34:51 2020
# Generated by iptables-save v1.8.4 on Fri Apr  3 21:34:51 2020
*nat
:PREROUTING ACCEPT [7429:1219873]
:INPUT ACCEPT [1302:77639]
:OUTPUT ACCEPT [321:22443]
:POSTROUTING ACCEPT [321:22443]
:LIBVIRT_PRT - [0:0]
-A PREROUTING -d 116.202.163.214/32 -p tcp -m tcp --dport 27500 -j DNAT --to-destination 192.168.122.233:27500
-A PREROUTING -d 116.202.163.214/32 -p tcp -m tcp --dport 27015 -j DNAT --to-destination 192.168.122.233:27015
-A PREROUTING -d 116.202.163.214/32 -p udp -m udp --dport 27015 -j DNAT --to-destination 192.168.122.233:27015
-A PREROUTING -d 116.202.163.214/32 -p udp -m udp --dport 27500 -j DNAT --to-destination 192.168.122.233:27500
-A POSTROUTING -j LIBVIRT_PRT
-A POSTROUTING -s 192.168.122.233/32 -p tcp -m tcp --sport 27500 -j SNAT --to-source 116.202.163.214
-A POSTROUTING -s 192.168.122.233/32 -p tcp -m tcp --sport 27015 -j SNAT --to-source 116.202.163.214
-A POSTROUTING -s 192.168.122.233/32 -p udp -m udp --sport 27015 -j SNAT --to-source 116.202.163.214
-A POSTROUTING -s 192.168.122.233/32 -p udp -m udp --sport 27500 -j SNAT --to-source 116.202.163.214
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Fri Apr  3 21:34:51 2020
# Generated by iptables-save v1.8.4 on Fri Apr  3 21:34:51 2020
*filter
:INPUT ACCEPT [173397:141627735]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [164473:257858146]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A FORWARD -d 192.168.122.233/32 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 27500 -j ACCEPT
-A FORWARD -d 192.168.122.233/32 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 27015 -j ACCEPT
-A FORWARD -d 192.168.122.233/32 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 27015 -j ACCEPT
-A FORWARD -d 192.168.122.233/32 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 27500 -j ACCEPT
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
COMMIT
# Completed on Fri Apr  3 21:34:51 2020

Can anyone see anything out of order? Note that the majority of the rules are generated by libvirtd, and I'm unsure if there are any broken interactions between that and my rules, or if perhaps I'm supposed to do this completely differently if I'm using a libvirtd NAT setup. Let me know if I need to add additional info. Any thoughts are very welcome; I've been stuck trying to fix this for hours. Thanks ahead!

Alex

1 Answer

The problem here comes from the following chains:

-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable

They are added by libvirtd according to the network config in libvirt, if forward mode is set to "nat".

One possible solution is to change the mode to "open"; be careful, because you then have to add the forward rules manually.

# virsh net-edit default

<network>
  <name>default</name>
  <uuid>......</uuid>
  <forward mode='open'/>
   .............
Stuggi
madago
Oh, thank you! I hadn't noticed this yet, and I'm currently not able to test this, but it actually makes a lot of sense. I'll give this a test as soon as I can! I'll mark it as the correct answer for now because it seems like it would fix the issue; if it doesn't I'll come back :P Thanks! <3 – Alex Dec 04 '20 at 22:35
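The ordering problem the answer points at can be checked without touching a live host. The script below is an added example, not code from the question, the answer or libvirt: a deliberately small evaluator for only the matches that appear in the posted filter table, run over a trimmed copy of that table. Packets are evaluated as the filter table sees them, i.e. after the PREROUTING DNAT has already rewritten the destination to 192.168.122.233. It traces the first packet of a new inbound connection and shows it being rejected inside LIBVIRT_FWI before the appended FORWARD ACCEPT rules are ever consulted, shows the VM's own outbound traffic being accepted by LIBVIRT_FWO (which is why connecting from the hypervisor works), and shows what changes when the same ACCEPT rule is inserted at the top of FORWARD (iptables -I FORWARD 1 ...) instead of appended with -A, the usual alternative to switching the network to forward mode "open". The uplink interface name eth0 and the client address 203.0.113.5 are assumptions.

```python
"""Trace a packet through the FORWARD chain of an iptables-save dump.

Added example, not code from the question or the answer.  The evaluator
understands only the matches used in the dump (-i, -o, -s, -d with an
optional '!', -p, --dport, --state/--ctstate) and the targets ACCEPT,
REJECT, DROP, RETURN and jumps into user-defined chains.
"""
import ipaddress
import shlex

TERMINAL = {"ACCEPT", "REJECT", "DROP"}

# Trimmed copy of the question's *filter table: one of the four port-forward
# ACCEPT rules is enough to show the ordering problem.
FILTER_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A FORWARD -d 192.168.122.233/32 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 27500 -j ACCEPT
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
COMMIT
"""


def parse_filter(dump):
    """Return (chains, policies): chain name -> ordered rule dicts / policy."""
    chains, policies, in_filter = {}, {}, False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
            continue
        if not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith(":"):                    # chain declaration + policy
            name, policy = line[1:].split()[:2]
            chains[name], policies[name] = [], policy
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            continue
        rule, i = {"_line": line, "_neg": set()}, 2
        while i < len(toks):
            if toks[i] == "!":                      # negates the option that follows
                rule["_neg"].add(toks[i + 1])
                i += 1
                continue
            rule[toks[i]] = toks[i + 1]             # every option in this dump takes one value
            i += 2
        chains[toks[1]].append(rule)
    return chains, policies


def matches(rule, pkt):
    """Evaluate the handful of matches this example understands."""
    tests = {
        "-i": lambda v: v == pkt["in"],
        "-o": lambda v: v == pkt["out"],
        "-p": lambda v: v == pkt["proto"],
        "-s": lambda v: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v, strict=False),
        "-d": lambda v: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(v, strict=False),
        "--dport": lambda v: int(v) == pkt["dport"],
        "--state": lambda v: pkt["state"] in v.split(","),
        "--ctstate": lambda v: pkt["state"] in v.split(","),
    }
    for opt, test in tests.items():
        # fails when a plain match is false, or a '!'-negated match is true
        if opt in rule and test(rule[opt]) == (opt in rule["_neg"]):
            return False
    return True


def trace(chains, policies, pkt, chain="FORWARD"):
    """Walk a chain in order like the kernel; return (verdict, deciding rule)."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        target = rule.get("-j")
        if target in TERMINAL:
            return target, rule["_line"]
        if target == "RETURN":
            break
        if target in chains:                        # jump into a user-defined chain
            verdict, why = trace(chains, policies, pkt, target)
            if verdict is not None:
                return verdict, why
    if policies.get(chain, "-") != "-":             # built-in chain: fall back to policy
        return policies[chain], f"policy {chain} {policies[chain]}"
    return None, None                               # user chain exhausted: back to caller


def verdict_for(dump, pkt, hoist_accept=False):
    """Verdict for pkt.  hoist_accept moves the last FORWARD rule (the port-forward
    ACCEPT) to position 1, i.e. the effect of 'iptables -I FORWARD 1' instead of '-A'."""
    chains, policies = parse_filter(dump)
    if hoist_accept:
        chains["FORWARD"].insert(0, chains["FORWARD"].pop())
    return trace(chains, policies, pkt)


# Constructed packets as the filter table sees them (destination already DNAT'd).
# 'eth0' as the uplink interface and 203.0.113.5 as the client are assumptions.
INBOUND_SYN = {"in": "eth0", "out": "virbr0", "proto": "tcp", "src": "203.0.113.5",
               "dst": "192.168.122.233", "dport": 27500, "state": "NEW"}
INBOUND_DATA = dict(INBOUND_SYN, state="ESTABLISHED")
VM_REPLY = {"in": "virbr0", "out": "eth0", "proto": "tcp", "src": "192.168.122.233",
            "dst": "203.0.113.5", "dport": 51234, "state": "ESTABLISHED"}

if __name__ == "__main__":
    for label, pkt, hoist in [("inbound SYN, rules as posted", INBOUND_SYN, False),
                              ("inbound SYN, ACCEPT hoisted to top", INBOUND_SYN, True),
                              ("inbound established packet", INBOUND_DATA, False),
                              ("VM reply towards the client", VM_REPLY, False)]:
        verdict, why = verdict_for(FILTER_DUMP, pkt, hoist)
        print(f"{label:36s} -> {verdict:7s} by: {why}")
```

Only the NEW packet is affected: once conntrack has an entry, the first LIBVIRT_FWI rule accepts the rest of the flow, which is why the problem looks like "connections never open" rather than "connections drop". Whichever fix is used, re-run iptables-save after a reboot or after libvirt restarts the network and confirm the ACCEPT rules still precede the LIBVIRT_* jumps in FORWARD, since rules added by hand are not persisted by libvirt.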