Hi Christian,

I didn't fully understand your setup, so let me repeat what it looks like to me right now.

VM:       5.6.7.8/32 (fw0) \
                            + (br0) <--> GW: 1.2.3.254 <--> Internet?
KVM-Host: 1.2.3.4/24 (eth0) /

Your gateway knows that 5.6.7.8 is reachable inside the internal network and forwards all traffic to it. So if someone from the Internet sends a ping to 5.6.7.8 it gets accepted by your gateway and routed. On the other hand, a ping from 5.6.7.8 to the Internet is not working, right? So obviously something gets blocked in your iptables setup.

The reason why your ping to the outside world is working when you turn the firewall of the KVM host off and on is simple: the connection tracking is still in place and allows the forwarding of the ICMP packages after the firewall has started.

From my experience the best way to find out which rule is missing to accept the outgoing packages is by modifying the iptables rules manually. Just save the iptables-save output and edit it.

#> iptables-save > firewall.tmp
#> iptables-restore < firewall.tmp

Usually the OUTPUT policy is set to ACCEPT, so I'm a bit confused why the outgoing connection has problems. A simple way to analyse this issue is by adding some LOG rules to the end of your iptables setup.

-A OUTPUT -s 5.6.7.8/32 -p icmp -j LOG --log-prefix "TROUBLESHOOTING: "

After you have identified which rule is missing you can do some SuSEfirewall2 modifications to add that rule.

Ciao,
Alex

On Mon, Jun 13, 2016 at 01:45:23PM +0200, Christian wrote:
Hi,
having a problem and hope someone can help ... All IPs are just examples
Having a Server (Host) (IP: 1.2.3.4/24, GW 1.2.3.254) on which I use KVM i.c.w libvirt. So far everything is working ... The physical interface 'eth0' is bound to 'br0'. Now I have a VM, which also has an 'official IP' (e.g. 5.6.7.8/32, GW: 1.2.3.254). The VM has an 'allowed' MAC, for using in 'bridged' mode ...
So far everything works from outside: I am able to ping the VM (5.6.7.8) from outside. SuSEfirewall2 is active on the Host, on the VM not yet ... but in the end I am not able to ping to the outside from the VM.
If the firewall on 'Host' is OFF and I start pinging from the VM to the outside, the ping works ... Even if I start the firewall on 'Host' the ping continues. But if I stop the ping and start it again, the ping does not work anymore.
Sadly there are no DROPS in the LOG. It also does not matter if FW_FORWARD_ALLOW_BRIDGING is ON or OFF ...
I tried to experiment a bit (added new vars ... functions)
FW_FORWARD_EXT_TO_BRIDGED_VM="yes"
FW_DEV_EXT_PHYS="eth0"
FW_DEV_VM_PHYS="fw0"

allow_ext_to_bridge() {
    local iptables
    # only act when the new variable is switched on
    case "${FW_FORWARD_EXT_TO_BRIDGED_VM}" in
        yes) ;;
        no) return ;;
    esac
    # allow bridged traffic in both directions between the physical
    # uplink and the VM's tap device (IPv4 and IPv6)
    for iptables in "$IPTABLES" "$IP6TABLES"; do
        $iptables -A FORWARD -m physdev --physdev-in "${FW_DEV_EXT_PHYS}" --physdev-out "${FW_DEV_VM_PHYS}" -j ACCEPT
        $iptables -A FORWARD -m physdev --physdev-in "${FW_DEV_VM_PHYS}" --physdev-out "${FW_DEV_EXT_PHYS}" -j ACCEPT
    done
}
an iptables-save will show my stuff like the following

---snip---
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m physdev --physdev-in eth0 --physdev-out fw0 -j ACCEPT
-A FORWARD -m physdev --physdev-in fw0 --physdev-out eth0 -j ACCEPT
-A FORWARD -i br0 -j forward_ext
---snip---
hopefully someone can push me into the right direction ... Thank you
--
Christian
----------------------------------------------------
- Please do not 'CC' me on list mails. Just reply to the list :)
----------------------------------------------------
The ultimate shop for sportswear and accessories
http://www.sc24.de
--
Alexander Bergmann <abergmann@suse.com>, Security Engineer, GPG:9FFA4886
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)
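A small helper for the approach Alex describes (save the iptables-save output, edit it, load it back with iptables-restore), added here as an example that is not part of either message: it appends LOG rules with a TROUBLESHOOTING prefix to the end of the filter table's FORWARD and OUTPUT chains in a saved dump, so packets that fall through to the chain policy show up in the log. The sample dump is constructed from the rules quoted in the thread, and the function names add_log_rules and count_log_rules are my own.

```shell
#!/bin/sh
# Constructed sample of an iptables-save dump (not Christian's real one):
# just the filter table with the rules quoted in the thread.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j DROP
-A FORWARD -m physdev --physdev-in eth0 --physdev-out fw0 -j ACCEPT
-A FORWARD -m physdev --physdev-in fw0 --physdev-out eth0 -j ACCEPT
-A FORWARD -i br0 -j forward_ext
COMMIT'

# add_log_rules VM_IP VM_DEV
# Reads a dump on stdin and prints it with two LOG rules inserted just before
# the filter table's COMMIT, i.e. as the last rules of FORWARD and OUTPUT:
# bridged packets coming in from the VM's tap device, and packets the host
# itself sends with the VM's source address. Everything else is left as-is.
add_log_rules() {
    vm_ip="$1"; vm_dev="$2"
    awk -v ip="$vm_ip" -v dev="$vm_dev" '
        /^\*/ { table = substr($0, 2) }          # remember the current table
        table == "filter" && /^COMMIT$/ {
            print "-A FORWARD -m physdev --physdev-in " dev " -s " ip \
                  " -j LOG --log-prefix \"TROUBLESHOOTING FWD: \""
            print "-A OUTPUT -s " ip \
                  " -j LOG --log-prefix \"TROUBLESHOOTING OUT: \""
        }
        { print }
    '
}

# count_log_rules: number of TROUBLESHOOTING LOG rules in a dump read on stdin
count_log_rules() {
    grep -c -- '-j LOG --log-prefix "TROUBLESHOOTING' || true
}

# Typical use on the host (needs root):
#   iptables-save > firewall.tmp
#   add_log_rules 5.6.7.8 fw0 < firewall.tmp > firewall.log.tmp
#   iptables-restore < firewall.log.tmp
printf '%s\n' "$SAMPLE_DUMP" | add_log_rules 5.6.7.8 fw0
```

Watch the log for the prefix while repeating the ping from the VM; the rule that fires tells you which chain the packets reach before being dropped. The physdev match only sees bridged traffic when bridge-nf-call-iptables is enabled on the host.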