Re: KVM VM's facing public network

[Brian Jackson <iggy@theiggy.com>]

On Tue, 29 Jan 2013 17:15:54 -0500
"Hugo R. Hernandez-Mora" <hdezmora@gmail.com> wrote:

> Brian,
> thanks for having the time and look into my problem.   I have set my
> VMs by using virt-manager but here is how it looks the qemu/kvm
> process running for my client:
> 
> [root@kvm1 ~]# ps -efl | grep qemu
> 6 S qemu      3532     1  1  80   0 - 2834530 poll_s 11:38 ?
> 00:03:20 /usr/libexec/qemu-kvm -S -M rhel6.3.0 -enable-kvm -m 8192
> -smp 2,sockets=2,cores=1,threads=1 -name jacobi -uuid
> 740569a2-613f-ee1b-14fd-02772e28b211 -nodefconfig -nodefaults -chardev
> socket,id=charmonitor,path=/var/lib/libvirt/qemu/jacobi.monitor,server,nowait
> -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc
> -no-shutdown -boot order=cd,menu=on -device
> piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive
> if=none,media=cdrom,id=drive-ide0-1-0,readonly=on,format=raw -device
> ide-drive,bus=ide.1,unit=0,drive=drive-ide0-1-0,id=ide0-1-0 -drive
> file=/ifs/virt/vm3/jacobi.img,if=none,id=drive-virtio-disk0,format=raw,cache=none
> -device
> virtio-blk-pci,scsi=off,bus=pci.0,addr=0x5,drive=drive-virtio-disk0,id=virtio-disk0
> -netdev tap,fd=24,id=hostnet0,vhost=on,vhostfd=25 -device
> virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:ea:44:67,bus=pci.0,addr=0x3
> -chardev pty,id=charserial0 -device
> isa-serial,chardev=charserial0,id=serial0 -device
> usb-tablet,id=input0 -vnc 127.0.0.1:0 -vga cirrus -device
> intel-hda,id=sound0,bus=pci.0,addr=0x4 -device
> hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -incoming fd:22
> -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x6


Unfortunately, from that it's hard to tell what's actually connected to
what. Curse libvirt for that.


> 
> I'm using a standard way for setting up networking as assigning a
> static IP for iface eth0 52:54:00:ea:44:67.  I have changed my
> firewall rules to use only this as from documentation and by having in
> mind what you said about having the VM on same network as the KVM
> host:
> 
> iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
> 
> I'm not sure if the problem is because a port blocking on the network
> switch or a misconfiguration from my side.   Anyways, I have tried to
> route VM by using the same default gateway used by the KVM host, or to
> use the KVM host as gateway but any of these two options work in my
> case.


A "normal" bridge setup wouldn't require any iptables rules to work, so
why don't you try disabling all your iptables rules on the host and
guest and setting the guest to use the same router as the host. See
what that gets you. Try pinging and tcpdumping at different points to
see where exactly things are failing.


> 
> Thoughts?
> 
> Regards,
> -Hugo