
Re: QEMU guests can ping but can't access host



On Thu, 02 Sep 2021 16:09:23 -0500
"David Palacio" <debian@david.palacio.io> wrote:

> Hi,
> 
> > If you copied a disk image (.qcow2 extension) over, but not the
> > setup files that Virtual Machine Manager (VMM) uses
> > (in /etc/libvirt), then Windows is on a new machine, and can have
> > conniptions over it. Go into Windows' device manager (or whatever
> > they're calling it this week) and see if it is finding all its
> > hardware correctly.  
> 
> The VM virtual network hardware is working. It can access the
> internet. It can't access only the host, either on the virtual
> network ip or the physical network ip. I have since removed the old
> guest image and replaced it with a new installation on a new VM
> configuration. The same behavior is also seen on a new Linux VM
> running the Debian Bullseye Live KDE CD.

OK, then that's not the issue.

> > What program are you using to try to contact the host?  
> 
> I noticed the problem first with Windows Explorer to access the samba
> share. It simply times out after a minute or two. Then I have tried
> ping and a browser. Pinging the host works and the host responds.
> Then I used nc to test connections like this: nc -lp 8080 on the host
> and point a guest browser to http://hostip:8080/ but nc never
> receives anything.

That sounds suspiciously like firewall ports aren't open.

> 
> > You may also have a firewall issue, as you say. On the host, please
> > run whatever you use as a firewall control program and check to see
> > if the relevant port(s) is open.  
> 
> I have to point out I haven't touched anything regarding firewall
> since installation, however I have attached the output of iptables
> and nft in this message.
> 
> > You may find it useful to open a terminal and, as root, run
> > 
> > tail -f /var/log/syslog
> > 
> > and, while that is sitting there, try contacting the host again. If
> > the firewall is blocking you, you'll see it in syslog.  
> 
> Neither syslog nor journalctl display anything related at the time
> this problem happens.
> 
> > If nothing obvious jumps out at you, let us know which program(s)
> > you are using to control your firewall (shorewall, ufw, gufw,
> > etc.), and we will see if someone familiar with that program can
> > help.  
> 
> I don't `control` my firewall. It's all Debian's default and the
> installed Debian packages' defaults, like libvirt, which adds some
> firewall rules automatically. Attached are the outputs of `iptables
> -L`, `nft list tables` and `nft list table tablename`.

I looked at the nft listings you provided. I am completely new to nft
and nftables, so I may have missed something. I don't see any ports
open on the guest network (192.168.122.0/24). So I suspect that's the
problem.

Now we need an nftables guru to chime in.

I did find examples on the Web, but none of them looked like it was
exactly what you needed. Sorry I can't help further.


-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/
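
The check described in the reply above (reading the nft listing for a rule that opens a port to the guest network) can also be done mechanically. The following is an added example, not part of the original message: the ruleset text is constructed, `virbr0` as the guest bridge name is an assumption, and the port match is a heuristic that ignores a rule's other conditions.

```python
import re
# Constructed sample in `nft list ruleset` format, not the thread's attachment; virbr0 is assumed.
SAMPLE = """\
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        icmp type echo-request accept
        iifname "virbr0" udp dport { 53, 67 } accept
    }
}
"""

def input_chains(ruleset):
    """Return [(table, chain, policy, rules)] for base chains on the input hook."""
    found, table, chain = [], None, None
    for line in (l.strip() for l in ruleset.splitlines()):
        if m := re.match(r"table (\S+ \S+) \{$", line):
            table = m.group(1)
        elif m := re.match(r"chain (\S+) \{$", line):
            chain = {"name": m.group(1), "hook": None, "policy": "accept", "rules": []}
        elif line == "}":  # closes a chain, or the table when no chain is open
            if chain and chain["hook"] == "input":
                found.append((table, chain["name"], chain["policy"], chain["rules"]))
            chain = None
        elif chain is not None and line.startswith("type "):
            chain["hook"] = re.search(r"hook (\w+)", line).group(1)
            if p := re.search(r"policy (\w+);", line):
                chain["policy"] = p.group(1)
        elif chain is not None and line:
            chain["rules"].append(line)
    return found

def admits_tcp_port(rules, port):
    """Heuristic: some accept rule names this TCP port (service names not resolved)."""
    for rule in rules:
        m = re.search(r"tcp dport (\{[^}]*\}|\S+)", rule)
        if not m or not re.search(r"\baccept\b", rule):
            continue
        for item in m.group(1).strip("{} ").split(","):
            lo, _, hi = item.strip().partition("-")
            if lo.isdigit() and (hi or lo).isdigit() and int(lo) <= port <= int(hi or lo):
                return True
    return False

def report(ruleset, port):
    """One (table, chain, policy, port_admitted) tuple per input base chain."""
    return [(t, c, pol, admits_tcp_port(r, port)) for t, c, pol, r in input_chains(ruleset)]

print(report(SAMPLE, 8080))
```

Run it on the host's own `nft list ruleset` output: an input chain reported with policy `drop` and `False` for the port is the first place to read by hand. nftables writes to the log only when a rule carries a `log` statement, so a silent syslog does not rule out a drop.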

