
I am running libvirt/qemu-kvm on Fedora 32; the guest OS is Win10 with spice-guest-tools in use.

I use 'nat' mode virtual networking.

[root@fedora ~]# virsh net-dumpxml default
<network connections='1'>
  <name>default</name>
  <uuid>36ca4070-160a-47bf-b35e-aa7bee028ec1</uuid>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:e1:1e:c3'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>

While the guest is running, 'brctl show' seems fine.

[root@fedora ~]# brctl show
bridge name bridge id       STP enabled interfaces
virbr0      8000.525400e11ec3   yes     virbr0-nic
                                        vnet0

On host I can ping guest by its ip (192.168.122.159).

On the guest, I can access the internet and can also ssh to my host, but I fail to access samba and ftp on my host.

For example, when I type 'net view \\192.168.122.1' on the guest, 'tcpdump -i vnet0' on the host shows:

15:47:39.041395 IP 192.168.122.159.49717 > fedora.bear.microsoft-ds: Flags [S], seq 160880283, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:47:39.041526 IP fedora.bear > 192.168.122.159: ICMP fedora.bear tcp port microsoft-ds unreachable, length 60

And 'net view' eventually reports 'System error 53: network path not found'. I also checked 'iptables -L -v' (too verbose to paste here); none of the packets got 'REJECT'ed.

In the case of 'ftp', it is similar to 'samba'.

15:54:13.232366 IP 192.168.122.159.49721 > fedora.bear.ftp: Flags [S], seq 669575524, win 8192, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
15:54:13.232468 IP fedora.bear > 192.168.122.159: ICMP fedora.bear tcp port ftp unreachable, length 60

It seems that the host cannot send packets back to the guest.

Am I missing something? What could be the cause? Thanks.

================= some further information ==========================

I can samba to my host from another machine in the same LAN. I also built a CentOS guest, and can ssh from the host to the CentOS guest. But when I tried 'smbclient' or 'ftp' from the CentOS guest to the host, I got the same tcpdump output and failed. I am sure that on both guests the firewall is turned off.

I checked 'iptables -L -nv' and 'iptables -L -nv -t nat' on the host; no packet got 'REJECT'ed or 'DROP'ed.

They look like this:

# iptables -L -nv
Chain INPUT (policy ACCEPT 44448 packets, 26M bytes)
 pkts bytes target     prot opt in     out     source               destination         
56062   39M LIBVIRT_INP  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
19164   23M LIBVIRT_FWX  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
19164   23M LIBVIRT_FWI  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 9254 1076K LIBVIRT_FWO  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 16104 packets, 2140K bytes)
 pkts bytes target     prot opt in     out     source               destination         
24639 3195K LIBVIRT_OUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LIBVIRT_FWI (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 9910   22M ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWO (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 9254 1076K ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0           
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWX (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0           

Chain LIBVIRT_INP (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   84  5753 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    7  2356 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain LIBVIRT_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    7  2335 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT     tcp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            tcp dpt:68

and

# iptables -L -nv -t nat
Chain PREROUTING (policy ACCEPT 3487 packets, 3421K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 2495 packets, 3341K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 238 packets, 27046 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 227 packets, 24846 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1560  169K LIBVIRT_PRT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LIBVIRT_PRT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    9  1010 RETURN     all  --  *      *       192.168.122.0/24     224.0.0.0/24        
    0     0 RETURN     all  --  *      *       192.168.122.0/24     255.255.255.255     
   84  4472 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
  144 14416 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24   

  • Your tcpdump indicates that the connection was refused. Go through all of the answers in the linked post to determine why that happened. – Michael Hampton Jul 01 '20 at 15:04
  • Sorry, I deleted your previous comment by mistake; I did check that post :) Thank you for your kindness. I performed some further investigation. I can samba to my host from another machine in the same LAN. I also built a CentOS guest, and can ssh from the host to the CentOS guest. But when I tried 'smbclient' or 'ftp' from the CentOS guest to the host, I got the same tcpdump output and failed. I am sure that on both guests the firewall is turned off. – grizzlybears Jul 02 '20 at 01:46
  • Now I suspect that an iptables rule on the host could be the problem. But I checked 'iptables -L -nv' and 'iptables -L -nv -t nat', and no packet got 'REJECT'ed or 'DROP'ed. Would you mind taking a glimpse at my iptables (it is long due to libvirtd), or giving any other hint? – grizzlybears Jul 02 '20 at 01:47

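A point worth making explicit about the captures above: when a TCP SYN reaches a Linux host on a port with no listener and no firewall rule in the way, the kernel answers with a TCP RST, not with ICMP. An "ICMP ... tcp port ... unreachable" reply to a SYN is the signature of a REJECT rule using icmp-port-unreachable (the default for iptables `-j REJECT`, and the same reject type the LIBVIRT_FWI/FWO rules in the question use). Since the counters on those rules are zero, the rule that answered may live in a ruleset that `iptables -L` does not show; on Fedora 32 firewalld uses the nftables backend by default, so `nft list ruleset` shows rules that `iptables -L` omits. The script below is an added example, not part of the question or the comments: it pairs each SYN in a tcpdump capture with the reply that follows it and labels the attempt open (SYN-ACK), closed (RST), rejected (ICMP port unreachable) or filtered (no reply). The sample capture is constructed: its first four lines are modelled on the output in the question, and the ssh, telnet and http lines are made up to show the other three outcomes in the same format.

```python
import re

# Constructed sample capture: the first four lines are modelled on the tcpdump
# output in the question; the ssh, telnet and http lines are constructed to show
# what an open port (SYN-ACK), a plainly closed port (RST) and a silently
# dropped SYN look like in the same tcpdump format (names, not -n).
SAMPLE_CAPTURE = """\
15:47:39.041395 IP 192.168.122.159.49717 > fedora.bear.microsoft-ds: Flags [S], seq 160880283, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:47:39.041526 IP fedora.bear > 192.168.122.159: ICMP fedora.bear tcp port microsoft-ds unreachable, length 60
15:54:13.232366 IP 192.168.122.159.49721 > fedora.bear.ftp: Flags [S], seq 669575524, win 8192, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
15:54:13.232468 IP fedora.bear > 192.168.122.159: ICMP fedora.bear tcp port ftp unreachable, length 60
15:55:01.000100 IP 192.168.122.159.49722 > fedora.bear.ssh: Flags [S], seq 1, win 64240, options [mss 1460], length 0
15:55:01.000200 IP fedora.bear.ssh > 192.168.122.159.49722: Flags [S.], seq 2, ack 2, win 65160, options [mss 1460], length 0
15:55:02.000100 IP 192.168.122.159.49723 > fedora.bear.telnet: Flags [S], seq 1, win 64240, options [mss 1460], length 0
15:55:02.000200 IP fedora.bear.telnet > 192.168.122.159.49723: Flags [R.], seq 0, ack 2, win 0, length 0
15:55:03.000100 IP 192.168.122.159.49724 > fedora.bear.http: Flags [S], seq 1, win 64240, options [mss 1460], length 0
"""

# The two tcpdump line shapes this script understands.
TCP_RE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]")
ICMP_RE = re.compile(
    r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): ICMP \S+ (?P<proto>tcp|udp) port (?P<port>\S+) unreachable"
)

# What each verdict tells the person debugging the host.
VERDICT_MEANING = {
    "open": "service answered with SYN-ACK; path and listener are fine",
    "closed": "host TCP stack sent RST: nothing listens on that port and no firewall REJECT was hit",
    "rejected": "ICMP port unreachable came back: a firewall REJECT rule answered before any service could",
    "filtered": "no reply captured: a DROP rule, or the reply left through another interface",
}


def split_endpoint(endpoint):
    """'192.168.122.159.49717' -> ('192.168.122.159', '49717'): the port is the last dotted field."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def classify_capture(text):
    """Pair every TCP SYN with the reply the capture shows for it.

    Returns a list of (client_host, client_port, server_host, service, verdict)
    tuples in the order the SYNs appeared."""
    attempts = {}  # (client_host, client_port, server_host, service) -> verdict
    order = []
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if m:
            src_host, src_port = split_endpoint(m.group("src"))
            dst_host, dst_port = split_endpoint(m.group("dst"))
            flags = m.group("flags")
            if flags == "S":
                key = (src_host, src_port, dst_host, dst_port)
                if key not in attempts:
                    attempts[key] = "filtered"  # until a reply proves otherwise
                    order.append(key)
            else:
                key = (dst_host, dst_port, src_host, src_port)  # replies run server -> client
                if attempts.get(key) == "filtered":
                    if flags == "S.":
                        attempts[key] = "open"
                    elif "R" in flags:
                        attempts[key] = "closed"
            continue
        m = ICMP_RE.match(line)
        if m:
            # The outer IP header of an ICMP error carries no ports, so match on
            # the two hosts plus the service tcpdump names from the quoted inner header.
            for key in order:
                client_host, _, server_host, service = key
                if (client_host == m.group("dst") and server_host == m.group("src")
                        and service == m.group("port") and attempts[key] == "filtered"):
                    attempts[key] = "rejected"
                    break
    return [key + (attempts[key],) for key in order]


def verdict_by_service(text):
    """Convenience view: {service name: verdict} for the capture."""
    return {row[3]: row[4] for row in classify_capture(text)}


if __name__ == "__main__":
    for client_host, client_port, server_host, service, verdict in classify_capture(SAMPLE_CAPTURE):
        print(f"{client_host}:{client_port} -> {server_host}:{service}: "
              f"{verdict} ({VERDICT_MEANING[verdict]})")
```

Feed it a capture taken with `tcpdump -i vnet0` (without `-n`, as in the question, so service names appear); on the sample above it reports microsoft-ds and ftp as rejected, ssh as open, telnet as closed and http as filtered. A "rejected" verdict with zero hits on every visible REJECT rule is the cue to list the nftables ruleset and the firewalld zone that virbr0 belongs to rather than re-reading the iptables output.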