
I have Ubuntu 14.04 (64-bit) + KVM Host with 2 NICs:
- eth0 connected to the "public" network
- eth1 connected to the br0 bridge with a private ip address range

From the Host I can access the Internet, ping the VM Guest and connect to it via SSH.
From the VM Guest I can only ping the Host, but cannot access the Internet and cannot ping google.com.

Please help me with connecting VM Guest to the internet in the setup described below:


On Host:

/etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
  address 192.168.2.60
  netmask 255.255.255.0
  gateway 192.168.2.254
  dns-nameservers 8.8.8.8

auto eth1
iface eth1 inet manual

auto br0
iface br0 inet static
  address 10.0.0.1
  netmask 255.255.255.0
  bridge_ports    eth1
  bridge_stp      off
  bridge_maxwait  0
  bridge_fd       0

  # Create and destroy the bridge automatically.
  # (bridge_ports above already creates br0, adds eth1 and removes it again; these lines duplicate that.)
  pre-up brctl addbr br0
  up ip link set dev br0 up
  post-up /usr/sbin/brctl setfd br0 0 && /usr/sbin/brctl addif br0 eth1
  post-down brctl delbr br0

KVM Network is defined as:

<network>
  <name>br0-net</name>
  <uuid>9d24b473-0b4d-4cfa-8b12-7bf267d856ae</uuid>
  <forward mode='bridge'/>
  <bridge name='br0'/>
</network>

# sysctl -p /etc/sysctl.conf

net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

# route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.2.254   0.0.0.0         UG    0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

# iptables -t nat -vnL

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination


On VM Guest:

/etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
  address 10.0.0.11
  netmask 255.255.255.0

Guest XML is defined as:

<interface type='bridge'>
  <mac address='52:54:00:6b:93:69'/>
  <source bridge='br0'/>
  <model type='virtio'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</interface>

# route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0

# iptables -t nat -vnL

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Pinging the KVM Host from the Guest works for both 10.0.0.1 and 192.168.2.60:

$ ping 10.0.0.1

PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.555 ms

$ ping 192.168.2.60

PING 192.168.2.60 (192.168.2.60) 56(84) bytes of data.
64 bytes from 192.168.2.60: icmp_seq=1 ttl=64 time=0.772 ms

Pinging a different computer, 192.168.2.3, from the Guest does not work:

--- 192.168.2.3 ping statistics ---
277 packets transmitted, 0 received, 100% packet loss, time 276399ms

Pinging google.com from the Guest does not work:

ping: unknown host google.com
Daniel

1 Answer

I think you are missing an iptables rule for the masquerade:

iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
c4f4t0r
  • This results in: iptables: No chain/target/match by that name. – Daniel Aug 15 '14 at 22:15
  • That was a typo, I fixed the command. – c4f4t0r Aug 15 '14 at 22:24
  • I have precisely the same issue as the OP. However, I do not understand -- is this command on the guests or on the host? What does that iptable rule do? Is there an equivalent in `ufw`? Thanks! – Dave Oct 22 '14 at 01:37
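The MASQUERADE rule from the answer belongs on the host, not on the guest: the host is the guest's default gateway (10.0.0.1), so it is the host that must rewrite the guest's 10.0.0.x source address to its own 192.168.2.60 before packets leave eth0, and it must also have `net.ipv4.ip_forward = 1` (which the question's sysctl output already shows). The script below is an added example written for this page, not code from the question or the answer. It wraps the answer's rule so that it can be re-run without stacking duplicates (`iptables -C` tests whether a rule exists before `-A` appends it), adds the FORWARD-chain rules that keep the host from forwarding anything other than guest-initiated traffic and its replies, and checks `ip_forward` first. The variable names `GUEST_NET`, `LAN_IF` and `BRIDGE`, and the function names, are this script's own; their defaults match the question's setup (10.0.0.0/24 on br0, uplink eth0).

```shell
#!/bin/sh
# Added example: host-side NAT for a bridged KVM guest subnet.
# Assumed names (not from the question): GUEST_NET, LAN_IF, BRIDGE.
GUEST_NET="${GUEST_NET:-10.0.0.0/24}"
LAN_IF="${LAN_IF:-eth0}"
BRIDGE="${BRIDGE:-br0}"

# The host only routes between the bridge and the uplink if IPv4 forwarding is on.
# The sysctl file path can be overridden so the check can be exercised offline.
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Print one shell command that adds a rule only if it is not already present:
# "iptables -C" succeeds when the rule exists, so "-A" runs only when it does not.
# Emitting text (rather than running iptables directly) lets the rules be reviewed
# or tested without root.
idempotent() {
    tbl="$1"; shift
    printf 'iptables %s -C %s 2>/dev/null || iptables %s -A %s\n' "$tbl" "$*" "$tbl" "$*"
}

# The rule from the answer: rewrite guest source addresses on the way out of the uplink.
masquerade_rules() {
    idempotent "-t nat" "POSTROUTING -s $1 -o $2 -j MASQUERADE"
}

# Forwarding policy for the bridge: guests may initiate traffic towards the uplink,
# replies to those connections may come back, and nothing else is forwarded from
# the bridge (so the host does not become an open router between br0 and the LAN).
forward_rules() {
    net="$1"; wan="$2"; br="$3"
    idempotent "-t filter" "FORWARD -i $br -o $wan -s $net -j ACCEPT"
    idempotent "-t filter" "FORWARD -i $wan -o $br -d $net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    idempotent "-t filter" "FORWARD -i $br -j DROP"
}

# All commands for this host, one per line.
host_nat_commands() {
    masquerade_rules "$GUEST_NET" "$LAN_IF"
    forward_rules "$GUEST_NET" "$LAN_IF" "$BRIDGE"
}

# Apply the commands (needs root). Refuses to proceed if forwarding is off,
# because the NAT rule alone would never see a forwarded packet.
apply_host_nat() {
    if ! forwarding_enabled; then
        echo "net.ipv4.ip_forward is 0; run: sysctl -w net.ipv4.ip_forward=1" >&2
        return 1
    fi
    host_nat_commands | while IFS= read -r cmd; do
        eval "$cmd" || exit 1
    done
}

# "apply" installs the rules; anything else is a dry run that prints them.
case "${1:-}" in
    apply) apply_host_nat ;;
    *)     host_nat_commands ;;
esac
```

Run it without arguments to see the exact iptables commands, and as `sudo sh nat.sh apply` to install them. Verify afterwards with `iptables -t nat -vnL POSTROUTING` (the MASQUERADE counters should increase when the guest sends traffic) and `iptables -vnL FORWARD`; the three FORWARD rules assume no earlier rule in that chain already accepts everything. Rules added this way are not persistent across a reboot on 14.04; put them in a `post-up` line of the br0 stanza or use iptables-persistent. Regarding the comment asking about `ufw`: ufw has no rule syntax for MASQUERADE; it is added as a `*nat` table section in /etc/ufw/before.rules, with DEFAULT_FORWARD_POLICY set in /etc/default/ufw. Separately, `ping: unknown host google.com` on the guest is a name-resolution failure, and the guest's interfaces stanza lists no `dns-nameservers`, so that needs fixing on the guest in addition to the NAT rule on the host.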