Re: QEMU guests can ping but can't access host
On Thu, 02 Sep 2021 16:09:23 -0500
"David Palacio" <debian@david.palacio.io> wrote:
> Hi,
>
> > If you copied a disk image (.qcow2 extension) over, but not the
> > setup files that Virtual Machine Manager (VMM) uses
> > (in /etc/libvirt), then Windows is on a new machine, and can have
> > conniptions over it. Go into Windows' device manager (or whatever
> > they're calling it this week) and see if it is finding all its
> > hardware correctly.
>
> The VM virtual network hardware is working. It can access the
> internet. It can't access only the host, either on the virtual
> network ip or the physical network ip. I have since removed the old
> guest image and replaced it with a new installation on a new VM
> configuration. The same behavior is also seen on a new Linux VM
> running the Debian Bullseye Live KDE CD.
OK, then that's not the issue.
> > What program are you using to try to contact the host?
>
> I noticed the problem first with Windows Explorer to access the samba
> share. It simply times out after a minute or two. Then I have tried
> ping and a browser. Pinging the host works and the host responds.
> Then I used nc to test connections like this: nc -lp 8080 on the host
> and point a guest browser to http://hostip:8080/ but nc never
> receives anything.
That sounds suspiciously like firewall ports aren't open.
>
> > You may also have a firewall issue, as you say. On the host, please
> > run whatever you use as a firewall control program and check to see
> > if the relevant port(s) is open.
>
> I have to point out I haven't touched anything regarding firewall
> since installation, however I have attached the output of iptables
> and nft in this message.
>
> > You may find it useful to open a terminal and, as root, run
> >
> > tail -f /var/log/syslog
> >
> > and, while that is sitting there, try contacting the host again. If
> > the firewall is blocking you, you'll see it in syslog.
>
> Neither syslog nor journalctl display anything related at the time
> this problem happens.
>
> > If nothing obvious jumps out at you, let us know which program(s)
> > you are using to control your firewall (shorewall, ufw, gufw,
> > etc.), and we will see if someone familiar with that program can
> > help.
>
> I don't `control` my firewall. It's all Debian's default and the
> installed Debian packages' defaults, like libvirt, which adds some
> firewall rules automatically. Attached are the outputs of `iptables
> -L`, `nft list tables` and `nft list table tablename`.
I looked at the nft listings you provided. I am completely new to nft
and nftables, so I may have missed something. I don't see any ports
open on the guest network (192.168.122.0/24). So I suspect that's the
problem.
Now we need an nftables guru to chime in.
I did find examples on the Web, but none of them looked like it was
exactly what you needed. Sorry I can't help further.
--
Does anybody read signatures any more?
https://charlescurley.com
https://charlescurley.com/blog/
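
One way to test the "ports aren't open" hypothesis from this message against `nft list ruleset` output, as an added example that is not part of the original thread. The sample ruleset is constructed (it is not the poster's attachment), the function names are hypothetical, and only plain `tcp dport N accept` rules are recognised.

```shell
#!/bin/sh
# Summarise every chain hooked into "input" in nft ruleset text:
# its default policy and whether a given TCP port has an accept rule.
# On a real host (as root): nft list ruleset | input_chain_report 8080

# Constructed sample ruleset for offline use.
sample_ruleset() {
cat <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        meta l4proto icmp accept
        tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
    }
}
EOF
}

# Output, one line per input-hook chain:
#   <family> <table> <chain> policy=<policy> port<N>=<accepted|no-rule>
input_chain_report() {
    awk -v port="$1" '
    $1 == "table" { family = $2; table = $3 }
    $1 == "chain" { chain = $2; hooked = 0 }
    /hook input/ {
        # A base chain without an explicit policy defaults to accept.
        hooked = 1; verdict = "no-rule"; policy = "accept"
        for (i = 1; i < NF; i++)
            if ($i == "policy") { policy = $(i + 1); sub(/;$/, "", policy) }
    }
    hooked && $1 == "tcp" && $2 == "dport" && $3 == port && $NF == "accept" {
        verdict = "accepted"
    }
    hooked && $1 == "}" {
        printf "%s %s %s policy=%s port%s=%s\n", family, table, chain, policy, port, verdict
        hooked = 0
    }'
}

# Stand-alone run against the constructed sample.
sample_ruleset | input_chain_report 8080
```

A chain reported as `policy=drop` with `no-rule` for the tested port, while ICMP is accepted, matches the symptom in the thread: ping answers, but the `nc` listener never sees the connection.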