From mboxrd@z Thu Jan 1 00:00:00 1970
From: Sebastian Frenger
Subject: Re: ssh into kvm-guests
Date: Fri, 11 Jun 2010 20:39:03 +0200
Message-ID: <1276281543.2306.16.camel@webClient>
References: <1276105341.2025.9.camel@webClient> <1276204426.1995.7.camel@webClient> <1276267764.2053.19.camel@webClient>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: QUOTED-PRINTABLE
Cc: kvm@vger.kernel.org
To: =?ISO-8859-1?Q?Alp=E1r_T=F6r=F6k?=
Return-path:
Received: from server1.sslsecurity.net ([217.14.120.228]:55575 "EHLO server1.sslsecurity.net" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1756425Ab0FKTKY (ORCPT );
	Fri, 11 Jun 2010 15:10:24 -0400
In-Reply-To: <1276267764.2053.19.camel@webClient>
Sender: kvm-owner@vger.kernel.org
List-ID:

so, finally, some news:

embarrassing that i didn't check it, but when i disable iptables in the
kvm-guest, it works...

interestingly, i set up the ssh allows with system-config-firewall, as
always in the past (on physical, real machines, not virtual ones), and it
looks all right, ssh is allowed. nevertheless it does not work in my
kvm-guests.

i will now continue to 'patch' my iptables-rules.

thank you, without your hint with tcpdump and the prohibited-line the
fog would never have been lifted for me.

On Friday, 11.06.2010, 16:49 +0200, brizly vaan van Ulciputz wrote:
> On Friday, 11.06.2010, 10:10 +0300, Alpár Török wrote:
> > What i meant is stopping the VPN server. Completely, just to make sure
> > it isn't interfering
> done. that was the easiest part.
>
> > tcpdump -i br0 port 22 (or whatever port you have sshd running on)
> server is 192.168.23.29
> kvm-guest is 192.168.23.108
> gateway is 192.168.23.254 (which should not be part of route, here?)
>
> i started dump on server, then tried to "ssh 192.168.23.108", and
> this is it: http://fpaste.org/Usfs/
> (could paste it directly here, but think it's hard to read in here).
>
> Interesting i think is line 7:
> IP 192.168.23.108 > 192.168.23.29: ICMP host 192.168.23.108 unreachable
> - admin prohibited, length 68
>
> but i don't know how to fix it. which admin has prohibited what?
>
> > I'm not familiar with openVPN. Does it use one of the bridges ?
> > I will assume it uses tun0 and br0 , and the VM uses vnet0 as a tap
> > since it doesn't have an IP assigned, while tap0 has. Still it's
> > strange that the bridges are on different subnets.
> i see just one bridge, br0?
> openvpn uses 192.168.24.0, which, i think, is what tunX is for.
> the _real_ network is 192.168.23.0, which is 'linked' to br0 and used by
> eth0.
> > Is this
> > intentional? Which subnet is the actual _real_ network? If you want
> > your guests on a separate subnet, you need to set the host as GW and
> > enable ip_forward, but it's probably simpler to just bridge them to
> > the real network.
> for me it doesn't matter if the guests are on the same physical network or bridged.
> in the end i want to reach them from another openvpn-network-client (e.g.
> remote notebook). Nice if they should also be reachable locally without
> vpn, but there is not really a need.
>
> before 'installing' the bridge the kvm-guests were on a separate network,
> the default kvm-generated network (in my case, 192.168.122.0), but the
> effect was the same :-(