I am running libvirt/qemu-kvm on Fedora 32; the guest OS is CentOS 7.
I use 'nat' mode virtual networking.
root@fedora ~)# virsh net-dumpxml default
<network connections='1'>
  <name>default</name>
  <uuid>36ca4070-160a-47bf-b35e-aa7bee028ec1</uuid>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:e1:1e:c3'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>
On the host I can ssh to the guest by its IP (192.168.122.230).
On the guest, I can access the internet and can also ssh to my host,
but I fail to access samba and ftp on my host.
For example, when I type 'smbclient -L 192.168.122.1' on the guest,
'tcpdump -i vnet0' on the host shows:
10:03:00.267931 IP 192.168.122.230.57754 > 192.168.122.1.microsoft-ds: Flags (S), seq 1417555984, win 29200, options (mss 1460,sackOK,TS val 4294755489 ecr 0,nop,wscale 7), length 0
10:03:00.267977 IP 192.168.122.1 > 192.168.122.230: ICMP 192.168.122.1 tcp port microsoft-ds unreachable, length 68
10:03:00.273271 IP 192.168.122.230.39152 > 192.168.122.1.netbios-ssn: Flags (S), seq 2454440184, win 29200, options (mss 1460,sackOK,TS val 4294755494 ecr 0,nop,wscale 7), length 0
10:03:00.273290 IP 192.168.122.1 > 192.168.122.230: ICMP 192.168.122.1 tcp port netbios-ssn unreachable, length 68
And 'smbclient' eventually reports '* do_connect: Connection to 192.168.122.1 failed (Error NT_STATUS_CONNECTION_REFUSED)*'.
In the case of 'ftp', it is similar to 'samba'.
0:06:11.030486 IP 192.168.122.230.44748 > 192.168.122.1.ftp: Flags (S), seq 4205484033, win 29200, options (mss 1460,sackOK,TS val 4294946254 ecr 0,nop,wscale 7), length 0
10:06:11.030539 IP 192.168.122.1 > 192.168.122.230: ICMP 192.168.122.1 tcp port ftp unreachable, length 68
I am sure the firewall on the guest is turned off, and I can connect to samba on the host from other machines in the LAN.
I checked 'iptables -L -nv' and 'iptables -L -nv -t nat' on the host; no packet got 'REJECT'ed or 'DROP'ed.
They look like this:
# iptables -L -nv
Chain INPUT (policy ACCEPT 56760 packets, 31M bytes)
pkts bytes target prot opt in out source destination
68394 45M LIBVIRT_INP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
19326 23M LIBVIRT_FWX all -- * * 0.0.0.0/0 0.0.0.0/0
19326 23M LIBVIRT_FWI all -- * * 0.0.0.0/0 0.0.0.0/0
9344 1092K LIBVIRT_FWO all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 19706 packets, 2824K bytes)
pkts bytes target prot opt in out source destination
28243 3880K LIBVIRT_OUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LIBVIRT_FWI (1 references)
pkts bytes target prot opt in out source destination
9982 22M ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain LIBVIRT_FWO (1 references)
pkts bytes target prot opt in out source destination
9344 1092K ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain LIBVIRT_FWX (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
Chain LIBVIRT_INP (1 references)
pkts bytes target prot opt in out source destination
102 6959 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
9 3028 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
Chain LIBVIRT_OUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * virbr0 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
9 3004 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ACCEPT tcp -- * virbr0 0.0.0.0/0 0.0.0.0/0 tcp dpt:68
and
# iptables -L -nv -t nat
Chain PREROUTING (policy ACCEPT 6314 packets, 5976K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 4463 packets, 5827K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 546 packets, 73524 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 526 packets, 69524 bytes)
pkts bytes target prot opt in out source destination
1910 218K LIBVIRT_PRT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LIBVIRT_PRT (1 references)
pkts bytes target prot opt in out source destination
13 1359 RETURN all -- * * 192.168.122.0/24 224.0.0.0/24
0 0 RETURN all -- * * 192.168.122.0/24 255.255.255.255
87 4628 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
192 19180 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24
Am I missing something? What could be the cause?
Thanks.
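The tcpdump excerpt and the iptables listing above are the two pieces of evidence in this question, and both can be checked mechanically. The script below is an added example, not part of the original post: it correlates each TCP SYN in the capture with the ICMP port-unreachable that answers it and records who sent that ICMP, and it lists every REJECT/DROP rule in an 'iptables -L -nv' listing together with its packet counter. The reasoning it encodes is a general one: a SYN to a closed TCP port is answered with a RST, so an ICMP port-unreachable addressed back to the SYN's source by the destination host itself is the signature of a netfilter REJECT rule with 'reject-with icmp-port-unreachable' on that host, not of a missing listener. The sample lines are constructed copies of the output shown in the question (the regex accepts both the bracketed 'Flags [S]' that tcpdump prints and the parenthesised form as pasted above); the function and class names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the tcpdump lines from the question, re-typed with the
# bracketed flag/options syntax that tcpdump actually emits.
TCPDUMP_SAMPLE = """\
10:03:00.267931 IP 192.168.122.230.57754 > 192.168.122.1.microsoft-ds: Flags [S], seq 1417555984, win 29200, options [mss 1460,sackOK,TS val 4294755489 ecr 0,nop,wscale 7], length 0
10:03:00.267977 IP 192.168.122.1 > 192.168.122.230: ICMP 192.168.122.1 tcp port microsoft-ds unreachable, length 68
10:03:00.273271 IP 192.168.122.230.39152 > 192.168.122.1.netbios-ssn: Flags [S], seq 2454440184, win 29200, options [mss 1460,sackOK,TS val 4294755494 ecr 0,nop,wscale 7], length 0
10:03:00.273290 IP 192.168.122.1 > 192.168.122.230: ICMP 192.168.122.1 tcp port netbios-ssn unreachable, length 68
10:06:11.030486 IP 192.168.122.230.44748 > 192.168.122.1.ftp: Flags [S], seq 4205484033, win 29200, options [mss 1460,sackOK,TS val 4294946254 ecr 0,nop,wscale 7], length 0
10:06:11.030539 IP 192.168.122.1 > 192.168.122.230: ICMP 192.168.122.1 tcp port ftp unreachable, length 68
"""

# Constructed sample: a subset of the 'iptables -L -nv' chains from the question.
IPTABLES_SAMPLE = """\
Chain INPUT (policy ACCEPT 56760 packets, 31M bytes)
 pkts bytes target     prot opt in     out     source               destination
68394   45M LIBVIRT_INP  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain LIBVIRT_FWI (1 references)
 pkts bytes target     prot opt in     out     source               destination
 9982   22M ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
Chain LIBVIRT_FWO (1 references)
 pkts bytes target     prot opt in     out     source               destination
 9344 1092K ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
"""

_IP = r"\d+(?:\.\d+){3}"
# A TCP SYN: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [S]" ("(S)" also accepted).
SYN_RE = re.compile(
    rf"^(?P<ts>\S+) IP (?P<src>{_IP})\.(?P<sport>\S+) > (?P<dst>{_IP})\.(?P<dport>[^:]+): Flags [\[(]S[\])]"
)
# An ICMP port-unreachable quoting the original destination host/port.
ICMP_RE = re.compile(
    rf"^(?P<ts>\S+) IP (?P<sender>{_IP}) > (?P<dst>{_IP}): ICMP (?P<host>{_IP}) (?P<proto>tcp|udp) port (?P<port>\S+) unreachable"
)

LOCAL_REJECT = "rejected by the destination host itself (firewall REJECT; a closed TCP port would answer with RST)"
NO_REPLY = "no reply seen in capture"


@dataclass
class Attempt:
    ts: str
    src: str
    sport: str
    dst: str
    dport: str
    reply_from: Optional[str] = None
    verdict: str = NO_REPLY


def correlate(capture: str) -> List[Attempt]:
    """Pair each SYN with the ICMP port-unreachable that answers it, if any."""
    attempts: List[Attempt] = []
    for line in capture.splitlines():
        m = SYN_RE.match(line)
        if m:
            attempts.append(Attempt(m["ts"], m["src"], m["sport"], m["dst"], m["dport"]))
            continue
        m = ICMP_RE.match(line)
        if not m:
            continue
        # The ICMP is addressed to the SYN's source and quotes the SYN's
        # destination host and port; match the most recent unanswered SYN.
        for a in reversed(attempts):
            if a.reply_from is None and a.src == m["dst"] and a.dst == m["host"] and a.dport == m["port"]:
                a.reply_from = m["sender"]
                a.verdict = LOCAL_REJECT if m["sender"] == a.dst else f"rejected by intermediate hop {m['sender']}"
                break
    return attempts


def _counter(text: str) -> int:
    """Parse an iptables -v counter such as '45M' or '1092K' (1000-based suffixes)."""
    mult = {"K": 1000, "M": 1000_000, "G": 1000_000_000}
    return int(text[:-1]) * mult[text[-1]] if text[-1] in mult else int(text)


def reject_rule_hits(listing: str) -> List[Tuple[str, str, int]]:
    """Return (chain, target, pkts) for every REJECT/DROP rule in 'iptables -L -nv' output."""
    chain, hits = "", []
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        parts = line.split()
        if len(parts) >= 3 and parts[2] in ("REJECT", "DROP") and parts[0][0].isdigit():
            hits.append((chain, parts[2], _counter(parts[0])))
    return hits


if __name__ == "__main__":
    for a in correlate(TCPDUMP_SAMPLE):
        print(f"{a.ts} {a.src}:{a.sport} -> {a.dst}:{a.dport}: {a.verdict}")
    for chain, target, pkts in reject_rule_hits(IPTABLES_SAMPLE):
        print(f"{chain}: {target} rule has {pkts} packet hits")
```

Run against the question's output, every SYN is answered with an ICMP port-unreachable sent by 192.168.122.1, the destination itself, while every REJECT rule visible to 'iptables -L -nv' has a zero counter. One caveat when reading those counters: 'iptables -L' only shows the chains in the iptables-compatible filter table, and on a Fedora 32 host firewalld keeps its own rules in an nftables table that this listing does not include, so a zero REJECT count here does not by itself exclude a host-side firewall reject; 'nft list ruleset' shows the complete rule set.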