Hi Alexander,

On 15.06.2016 at 12:13, Alexander Bergmann wrote:
> Hi Christian,
>
> I didn't fully understand your setup, so let me repeat what it looks like to me right now.
>
> VM: 5.6.7.8/32 (fw0)
>                       \
>                        + (br0) <--> GW: 1.2.3.254 <--> Internet?
>                       /
> KVM-Host: 1.2.3.4/24 (eth0)
> Your gateway knows that 5.6.7.8 is reachable inside the internal network and forwards all traffic to it. So if someone from the Internet sends a ping to 5.6.7.8 it gets accepted from your gateway and routed.

Yes ... incoming traffic is no problem.

> On the other hand a ping from 5.6.7.8 to the internet is not working, right? So obviously something gets blocked in your iptables setup.

Yes ... but what? The usual SuSEfirewall2 log does not show the drops :(
> The reason why your ping to the outside world is working when you turn off and on the firewall of the KVM host is simple. The connection tracking is still in place and allows the forward of the ICMP packages after the firewall has started.

Ahh ... ok. Is this what's called 'stateful'?
> From my experience the best way to find out which rule is missing to accept the outgoing packages is by modifying the iptables rules manually. Just save the iptables-save output and edit it.
>
> #> iptables-save > firewall.tmp
> #> iptables-restore < firewall.tmp

Ahhh ... this I didn't know. Good idea to try :)
> Usually the OUTPUT policy is set to ACCEPT. So I'm a bit confused why the outgoing connection has problems.
>
> A simple way to analyse this issue is by adding some LOG rules to the end of your iptables setup.
>
> -A OUTPUT -s 5.6.7.8/32 -p icmp -j LOG --log-prefix "TROUBLESHOOTING: "

OK ... will give it a try and see what shows up ...
> After you identified which rule is missing you can do some SuSEfirewall2 modifications to add that rule.

Usually the 'physical' interfaces don't need to be mentioned in /etc/sysconfig/SuSEfirewall2. Do you agree?

-- 
Christian
Please do not 'CC' me on list mails. Just reply to the list :)
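An added example (not code from the thread) of the LOG approach described above, using the addresses from the diagram. It emits the LOG rules as an iptables-restore fragment and reduces the resulting kernel log lines to the fields that matter; the log lines are constructed samples, and the hypothetical TSHOOT- prefixes are per chain because traffic the host relays for a bridged guest is seen in FORWARD, not only OUTPUT.

```shell
#!/bin/sh
# Added example, not code from the thread. Addresses are the ones in the diagram above.
VM_IP="5.6.7.8"

# Emit one LOG rule per chain, each with its own prefix, as an iptables-restore
# fragment to append to the saved ruleset (see iptables-save/-restore above).
# The prefix that shows up in the kernel log tells you how far the guest's ICMP
# got before a chain policy or an earlier DROP took it.
log_rules() {
    for chain in OUTPUT FORWARD; do
        printf '%s\n' "-A $chain -s $VM_IP/32 -p icmp -m limit --limit 5/min -j LOG --log-prefix \"TSHOOT-$chain: \""
    done
}

# Reduce LOG lines to: chain, IN, OUT, SRC, DST, PROTO.
# Reads kernel log lines on stdin (e.g. from dmesg or journalctl -k); other lines are dropped.
summarise_log() {
    sed -n 's/.*TSHOOT-\([A-Z]*\): IN=\([^ ]*\) OUT=\([^ ]*\) .*SRC=\([^ ]*\) DST=\([^ ]*\) .*PROTO=\([^ ]*\).*/\1 in=\2 out=\3 \4->\5 \6/p'
}

# Constructed sample log lines in the format the LOG target writes (not real captures):
# one hit from the FORWARD rule plus an unrelated kernel line that must be ignored.
SAMPLE_LOG='Jun 15 12:30:01 kvmhost kernel: [ 1234.567890] TSHOOT-FORWARD: IN=br0 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=5.6.7.8 DST=1.2.3.254 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jun 15 12:30:02 kvmhost kernel: [ 1235.000000] e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex'

# Count hits per chain in the sample. A chain whose LOG rule never fires is where
# to look: the packet was dropped before reaching the end of that chain.
hits_for() {
    printf '%s\n' "$SAMPLE_LOG" | summarise_log | grep -c "^$1 " || true
}

printf '%s\n' "$SAMPLE_LOG" | summarise_log
```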