
Re: QEMU guests can ping but can't access host



I have compared my previous install's nft ruleset and installed-packages list with the current install's and found that firewalld wasn't installed in the working system but ufw was. The nft ruleset was nearly identical save for the missing firewalld rules.

And so, after purging firewalld and plasma-firewall and installing ufw, the VM guest can communicate with the host.

This was odd, though. I had already uninstalled firewalld and restarted the system before in an attempt to fix the issue only to find the VM couldn't access *anything* then. Maybe the installation of ufw helps somehow or plasma-firewall breaks something.

Thank you for trying to help me.

On Thu, Sep 2, 2021, at 5:13 PM, Charles Curley wrote:
> On Thu, 02 Sep 2021 16:09:23 -0500
> "David Palacio" <debian@david.palacio.io> wrote:
> 
> > Hi,
> > 
> > > If you copied a disk image (.qcow2 extension) over, but not the
> > > setup files that Virtual Machine Manager (VMM) uses
> > > (in /etc/libvirt), then Windows is on a new machine, and can have
> > > conniptions over it. Go into Windows' device manager (or whatever
> > > they're calling it this week) and see if it is finding all its
> > > hardware correctly.  
> > 
> > The VM virtual network hardware is working. It can access the
> > internet. It's only the host it can't access, either on the virtual
> > network IP or the physical network IP. I have since removed the old
> > guest image and replaced it with a new installation on a new VM
> > configuration. The same behavior is also seen on a new Linux VM
> > running the Debian Bullseye Live KDE CD.
> 
> OK, then that's not the issue.
> 
> > > What program are you using to try to contact the host?  
> > 
> > I noticed the problem first with Windows Explorer to access the samba
> > share. It simply times out after a minute or two. Then I have tried
> > ping and a browser. Pinging the host works and the host responds.
> > Then I used nc to test connections like this: nc -lp 8080 on the host
> > and point a guest browser to http://hostip:8080/ but nc never
> > receives anything.
> 
> That sounds suspiciously like firewall ports aren't open.
> 
> > 
> > > You may also have a firewall issue, as you say. On the host, please
> > > run whatever you use as a firewall control program and check to see
> > > if the relevant port(s) is open.  
> > 
> > I have to point out I haven't touched anything regarding firewall
> > since installation, however I have attached the output of iptables
> > and nft in this message.
> > 
> > > You may find it useful to open a terminal and, as root, run
> > > 
> > > tail -f /var/log/syslog
> > > 
> > > and, while that is sitting there, try contacting the host again. If
> > > the firewall is blocking you, you'll see it in syslog.  
> > 
> > Neither syslog nor journalctl display anything related at the time
> > this problem happens.
> > 
> > > If nothing obvious jumps out at you, let us know which program(s)
> > > you are using to control your firewall (shorewall, ufw, gufw,
> > > etc.), and we will see if someone familiar with that program can
> > > help.  
> > 
> > I don't `control` my firewall. It's all Debian's default and the
> > installed Debian packages defaults, like libvirt, which adds some
> > firewall rules automatically. Attached are the outputs of `iptables
> > -L`, `nft list tables` and `nft list table tablename`.
> 
> I looked at the nft listings you provided. I am completely new to nft
> and nftables, so I may have missed something. I don't see any ports
> open on the guest network (192.168.122.0/24). So I suspect that's the
> problem.
> 
> Now we need an nftables guru to chime in.
> 
> I did find examples on the Web, but none of them looked like it was
> exactly what you needed. Sorry I can't help further.
> 
> 
> -- 
> Does anybody read signatures any more?
> 
> https://charlescurley.com
> https://charlescurley.com/blog/
> 
> 

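The question left open in the quoted reply is which rule in the nft listing decides the fate of a guest's packet. The following is an added example (Python, not from the thread and not anyone's attached listing): a small evaluator that walks a packet through the input hook of an `nft list ruleset` dump, following `jump` and `goto` the way nftables does, and reports the rule that produced the final verdict. The embedded ruleset is constructed and simplified; it is modelled on what firewalld's nftables backend generates when the libvirt bridge `virbr0` sits in its "libvirt" zone, which is an assumption about the poster's setup, not something this page confirms. It reproduces the symptom described in the thread: ICMP from the guest is accepted, while a new TCP connection to a port the zone does not list (8080, or 445 for the samba share) hits a `reject`. The evaluator understands only the handful of expressions used in the sample (`ct state`, `iifname`, `meta l4proto`, `tcp`/`udp dport`, sets in braces, and the verdicts) and raises on anything else, so it fails closed rather than guessing.

```python
import re

# Constructed, simplified sample modelled on what firewalld's nftables backend
# generates with the libvirt bridge (virbr0) in its "libvirt" zone; it is not
# the ruleset attached to the thread.
SAMPLE_RULESET = """\
table inet firewalld {
    chain filter_INPUT {
        type filter hook input priority filter + 10; policy accept;
        ct state { established, related } accept
        jump filter_INPUT_ZONES
        reject with icmpx type admin-prohibited
    }
    chain filter_INPUT_ZONES {
        iifname "virbr0" goto filter_IN_libvirt
    }
    chain filter_IN_libvirt {
        jump filter_IN_libvirt_allow
        meta l4proto { icmp, ipv6-icmp } accept
        reject with icmpx type admin-prohibited
    }
    chain filter_IN_libvirt_allow {
        tcp dport 22 ct state { new, untracked } accept
        udp dport { 53, 67 } ct state { new, untracked } accept
    }
}
"""

def parse_ruleset(text):
    """Return (chains, name of the input-hook chain, its policy) from nft list output."""
    chains, hook, policy, cur = {}, None, "accept", None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("chain "):
            cur = line.split()[1]
            chains[cur] = []
        elif line == "}":
            cur = None
        elif line.startswith("type ") and "hook input" in line:
            hook, policy = cur, re.search(r"policy (\w+)", line).group(1)
        elif cur and line and not line.startswith("type "):
            chains[cur].append(line)
    return chains, hook, policy

def _tokens(rule):  # split a rule, collapsing "{ a, b }" sets into one "{a,b}" token
    return re.sub(r"\{\s*([^}]*?)\s*\}",
                  lambda m: "{" + m.group(1).replace(" ", "") + "}", rule).split()

def _in(tok, value):  # value equals the token or is a member of a "{a,b}" set token
    return str(value) in tok.strip("{}").split(",")

def evaluate_rule(rule, pkt):
    """Return (matched, verdict, target); verdict is None for a rule without one."""
    t, i = _tokens(rule), 0
    while i < len(t):
        w = t[i]
        if w in ("accept", "drop", "reject", "return", "jump", "goto"):
            return True, w, (t[i + 1] if w in ("jump", "goto") else None)
        if w == "ct" and t[i + 1] == "state":
            ok, i = _in(t[i + 2], pkt["state"]), i + 3
        elif w == "iifname":
            ok, i = pkt["iif"] == t[i + 1].strip('"'), i + 2
        elif w == "meta" and t[i + 1] == "l4proto":
            ok, i = _in(t[i + 2], pkt["proto"]), i + 3
        elif w in ("tcp", "udp") and t[i + 1] == "dport":
            ok, i = pkt["proto"] == w and _in(t[i + 2], pkt["dport"]), i + 3
        else:  # fail closed on syntax this evaluator does not understand
            raise ValueError(f"unsupported expression in rule: {rule}")
        if not ok:
            return False, None, None
    return True, None, None  # matched, but the rule carries no verdict

def walk(chains, chain, pkt, trace):
    """Evaluate one chain; return its final verdict, or None if it falls through."""
    for rule in chains[chain]:
        matched, verdict, target = evaluate_rule(rule, pkt)
        if not matched:
            continue
        if verdict in ("accept", "drop", "reject"):
            trace.append(f"{chain}: {rule}")
            return verdict
        if verdict == "return":
            return None
        if verdict == "jump":  # come back here if the target chain falls through
            v = walk(chains, target, pkt, trace)
            if v is not None:
                return v
        elif verdict == "goto":  # never come back to this chain
            return walk(chains, target, pkt, trace)
    return None

def input_verdict(ruleset, pkt):
    """Verdict at the input hook and the rule (or base-chain policy) that decided it."""
    chains, hook, policy = parse_ruleset(ruleset)
    trace = []
    verdict = walk(chains, hook, pkt, trace) or policy
    return verdict, (trace[-1] if trace else f"{hook}: policy {policy}")

def guest_packet(proto, dport=None, iif="virbr0", state="new"):
    """A packet from a guest on the libvirt bridge, as the host's input hook sees it."""
    return {"iif": iif, "proto": proto, "dport": dport, "state": state}
```

With the sample ruleset, `input_verdict(SAMPLE_RULESET, guest_packet("icmp"))` ends at the `meta l4proto { icmp, ipv6-icmp } accept` rule in `filter_IN_libvirt`, whereas `guest_packet("tcp", 8080)` falls out of `filter_IN_libvirt_allow` without a match and is stopped by the `reject` in `filter_IN_libvirt`; that is the ping-works-but-nothing-else-does pattern. On a real host, feed the text of `nft list ruleset` to `input_verdict` and extend `evaluate_rule` for every expression it refuses rather than letting it guess; the authoritative answer on a live system is nftables' own tracing (`meta nftrace set 1` on a matching rule, watched with `nft monitor trace`). Note also that a `reject` verdict makes the client fail immediately with a refusal, while `drop` leaves it waiting until its own timeout, so the client-side symptom already hints at which verdict is in play.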
