Guests can resolve internet addresses, but are unable to access them
Software environment
- Operating system:
Linux ivory 5.8.0-48-generic #54-Ubuntu SMP Fri Mar 19 14:25:20 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.10
DISTRIB_CODENAME=groovy
DISTRIB_DESCRIPTION="Ubuntu 20.10"
- Architecture: x86_64
- kernel version: 5.8.0-48-generic
- libvirt version: 6.6.0-1ubuntu3.4
- Hypervisor and version: 5.0-5ubuntu9.6
Description of problem
Guests can resolve internet addresses, but are unable to access them
Steps to reproduce
- Install Ubuntu 20.10 (groovy gorilla)
- Install qemu-kvm, libvirt and tools
- configure
- Create virtual machines
Additional information
Hosts resolve (from guest):
# host google.com
google.com has address 172.217.20.238
google.com has IPv6 address 2a00:1450:4016:801::200e
google.com mail is handled by 30 alt2.aspmx.l.google.com.
google.com mail is handled by 10 aspmx.l.google.com.
google.com mail is handled by 20 alt1.aspmx.l.google.com.
google.com mail is handled by 50 alt4.aspmx.l.google.com.
google.com mail is handled by 40 alt3.aspmx.l.google.com.
But pinging does not work (it indeed works from the host):
# ping google.com
PING google.com (172.217.20.238): 56 data bytes
^C
--- google.com ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
Same from host:
# ping google.com
ping: socket: Die Adressfamilie wird von der Protokollfamilie nicht unterstützt
PING google.com (172.217.22.238) 56(84) bytes of data.
64 bytes from muc11s02-in-f14.1e100.net (172.217.22.238): icmp_seq=1 ttl=119 time=37.5 ms
64 bytes from muc11s02-in-f14.1e100.net (172.217.22.238): icmp_seq=2 ttl=119 time=36.4 ms
64 bytes from muc11s02-in-f14.1e100.net (172.217.22.238): icmp_seq=3 ttl=119 time=36.8 ms
64 bytes from muc11s02-in-f14.1e100.net (172.217.22.238): icmp_seq=4 ttl=119 time=36.2 ms
^C
--- google.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 36.230/36.749/37.535/0.500 ms
Firewall setup via iptables seems ok:
# iptables-save
# Generated by iptables-save v1.8.5 on Fri Mar 26 13:03:26 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWX - [0:0]
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_INP -i virbr8 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr8 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr8 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr8 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr8 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr8 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr8 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr8 -p tcp -m tcp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
-A LIBVIRT_FWO -s 172.19.18.0/24 -i virbr8 -j ACCEPT
-A LIBVIRT_FWO -i virbr8 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 172.19.10.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 172.19.18.0/24 -o virbr8 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr8 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 172.19.10.0/24 -o virbr0 -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr8 -o virbr8 -j ACCEPT
-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
COMMIT
# Completed on Fri Mar 26 13:03:26 2021
# Generated by iptables-save v1.8.5 on Fri Mar 26 13:03:26 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 172.19.18.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 172.19.18.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 172.19.18.0/24 ! -d 172.19.18.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 172.19.18.0/24 ! -d 172.19.18.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 172.19.18.0/24 ! -d 172.19.18.0/24 -j MASQUERADE
COMMIT
# Completed on Fri Mar 26 13:03:26 2021
# Generated by iptables-save v1.8.5 on Fri Mar 26 13:03:26 2021
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -o virbr8 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A LIBVIRT_PRT -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Fri Mar 26 13:03:26 2021
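Added here as an editor's example, not part of the report: a Python check that reads an iptables-save dump and lists every guest subnet that LIBVIRT_FWO forwards out of a virbr bridge without a matching MASQUERADE rule in the nat table. SAMPLE_DUMP is a constructed excerpt of the rules above; on it, 172.19.10.0/24 behind virbr0 is forwarded but never translated, which is how a libvirt network in route mode looks and which only reaches the internet if the upstream router has a route back to that subnet.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the iptables-save dump in the report.
SAMPLE_DUMP = """\
*filter
-A LIBVIRT_FWO -s 172.19.18.0/24 -i virbr8 -j ACCEPT
-A LIBVIRT_FWO -i virbr8 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 172.19.10.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
-A LIBVIRT_PRT -s 172.19.18.0/24 ! -d 172.19.18.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
COMMIT
"""

# Outbound forward ACCEPT for a guest subnet, and its nat-table MASQUERADE.
FWO_RE = re.compile(r"^-A LIBVIRT_FWO -s (\S+) -i (virbr\d+) -j ACCEPT$")
MASQ_RE = re.compile(r"^-A LIBVIRT_PRT -s (\S+) (?:! -d \S+ )?(?:-p \S+ )?-j MASQUERADE")


def parse_tables(dump: str) -> Dict[str, List[str]]:
    """Split an iptables-save dump into {table name: [-A rule lines]}."""
    tables: Dict[str, List[str]] = {}
    current = None
    for line in dump.splitlines():
        if line.startswith("*"):          # "*filter", "*nat", "*mangle"
            current = line[1:].strip()
            tables[current] = []
        elif line.startswith("-A") and current is not None:
            tables[current].append(line)
    return tables


def forwarded_without_nat(dump: str) -> Dict[str, str]:
    """Return {subnet: bridge} for subnets the filter table forwards out of a
    libvirt bridge while the nat table never MASQUERADEs them."""
    tables = parse_tables(dump)
    forwarded = {m.group(1): m.group(2)
                 for m in map(FWO_RE.match, tables.get("filter", [])) if m}
    masqueraded = {m.group(1)
                   for m in map(MASQ_RE.match, tables.get("nat", [])) if m}
    # A subnet here leaves the host with a private source address: replies
    # only return if the upstream router has a route back to that subnet.
    return {net: br for net, br in forwarded.items() if net not in masqueraded}


if __name__ == "__main__":
    for net, br in forwarded_without_nat(SAMPLE_DUMP).items():
        print(f"{br}: {net} is forwarded but not masqueraded (routed, no NAT)")
```

Feed it the real dump with `forwarded_without_nat(open("rules.txt").read())`; an empty result means every forwarded guest subnet is also translated.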
IP-forwarding is enabled:
# cat /proc/sys/net/ipv4/ip_forward
1
Edited by Thomas Schweikle