# Not able to connect to internet from qemu virtual machine

## spsarolkar

I have a Windows 10 guest set up on my Gentoo host installation with the configuration below

```
<domain type='kvm'>
  <name>ame=windows10</name>
  <uuid>a2fa43c9-fa02-4a43-8668-172de1cd9bce</uuid>
  <memory unit='KiB'>8388608</memory>
  <currentMemory unit='KiB'>8388608</currentMemory>
  <vcpu placement='static'>4</vcpu>
  <os>
    <type arch='x86_64' machine='pc-i440fx-2.10'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <vmport state='off'/>
  </features>
  <cpu mode='host-model' check='partial'>
    <model fallback='allow'/>
  </cpu>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/mnt/share/vms/vir-mgr-images/vms-win10'/>
      <target dev='vda' bus='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/mnt/share/isos/Win10_1709_English_x64.iso'/>
      <target dev='hda' bus='ide'/>
      <readonly/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/mnt/share/isos/virtio-win-0.1.141.iso'/>
      <target dev='hdb' bus='ide'/>
      <readonly/>
      <address type='drive' controller='0' bus='0' target='0' unit='1'/>
    </disk>
    <controller type='usb' index='0' model='ich9-ehci1'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x7'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci1'>
      <master startport='0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0' multifunction='on'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci2'>
      <master startport='2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x1'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci3'>
      <master startport='4'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pci-root'/>
    <controller type='ide' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='virtio-serial' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </controller>
    <interface type='bridge'>
      <mac address='52:54:00:54:88:16'/>
      <source bridge='br0'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='spice' autoport='yes' listen='0.0.0.0'>
      <listen type='address' address='0.0.0.0'/>
      <image compression='off'/>
    </graphics>
    <sound model='ich6'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </sound>
    <video>
      <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <redirdev bus='usb' type='spicevmc'>
      <address type='usb' bus='0' port='1'/>
    </redirdev>
    <redirdev bus='usb' type='spicevmc'>
      <address type='usb' bus='0' port='2'/>
    </redirdev>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
    </memballoon>
  </devices>
</domain>
```

I have a network bridge set up on my Gentoo host with the configuration below

```
bridge_br0="enp3s0"
#config_br0="dhcp"
modules="!dhcpcd !udhcpc"
config_br0="192.168.0.11 netmask 255.255.255.0 brd 192.168.0.255"
routes_br0="default via 192.168.0.1"
dns_servers_br0="8.8.8.8 8.8.4.4"
#dns_servers_br0="8.8.8.8 8.8.4.4"
bridge_forward_delay_br0=0
bridge_hello_time_br0=1000
```

I am able to access the internet from my host.

From the guest I was earlier able to access the internet, but recently I installed Docker and that seems to have broken something on my machine. I tried uninstalling Docker but the problem persists.

My network configuration is as below

```
sunils@sunils-pc ~ $ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 0e:16:f3:74:48:46 brd ff:ff:ff:ff:ff:ff
3: eql: <MASTER> mtu 576 qdisc noop state DOWN group default qlen 5
    link/slip
4: enp0s31f6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 9c:5c:8e:bb:77:90 brd ff:ff:ff:ff:ff:ff
5: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
    link/ether 9c:5c:8e:bc:3a:e0 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::9e5c:8eff:febc:3ae0/64 scope link
       valid_lft forever preferred_lft forever
6: ip6_vti0@NONE: <NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/tunnel6 :: brd ::
7: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
8: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN group default qlen 1000
    link/tunnel6 :: brd ::
9: br0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 9c:5c:8e:bc:3a:e0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.11/24 brd 192.168.0.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::9e5c:8eff:febc:3ae0/64 scope link
       valid_lft forever preferred_lft forever
10: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:4f:4b:5f brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
11: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:4f:4b:5f brd ff:ff:ff:ff:ff:ff
32: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 1000
    link/ether fe:54:00:85:53:8c brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fe85:538c/64 scope link
       valid_lft forever preferred_lft forever
```

Below is a screenshot of the network configuration in Windows 10:

https://cdn.pbrd.co/images/H4FwoPd.png

For some reason Windows picks up the subnet mask 255.255.0.0; I am not exactly sure where it picks it up from.

I have already wasted one week trying to find the solution. Can someone please help me with this?

Please note that when I set up the IP configuration manually I am able to ping my host and the DNS IP addresses, but name resolution fails if I try pinging google.com.

Below is the manual IP configuration:

IP: 192.168.0.10

Subnet mask: 255.255.255.0

Gateway: 192.168.0.1

DNS: 8.8.8.8, 8.8.4.4

Ping test from the Windows 10 guest:

https://i.stack.imgur.com/0oIAy.png

Last edited by spsarolkar on Fri Jan 26, 2018 6:56 am; edited 1 time in total

----------

## bbgermany

Hi,

First, please use code tags next time.

Second, do you have IP forwarding enabled on the host?

You can check this with

```
cat /proc/sys/net/ipv4/ip_forward
```

It should show "1" as the result; otherwise it's not enabled.

greets, bb

----------

## spsarolkar

Hi bbgermany,

Sorry, I'm just getting used to the editor; I will put configuration in code tags from now on.

ip_forward returns 1, please see below:

```
sunils@sunils-pc ~ $ cat /proc/sys/net/ipv4/ip_forward
1
```

----------

## bbgermany

You should have a look at interfaces 10, 11 and 32 in your list. Maybe these are interfering with the config for your guest.

greets, bb

----------

## spsarolkar

Hi bb,

I tried deleting these interfaces, but with no impact.

I even tried removing virtio altogether and using a plain qemu command to launch the VM:

```
qemu-system-x86_64 --enable-kvm -cpu host -smp cores=4,threads=1 -boot d -cdrom ../virtio-win-0.1.141.iso -vga qxl -m 10G -drive file=./win10.img,format=qcow2 -machine type=pc,accel=kvm -net nic -net bridge,br=br0 -usbdevice tablet -device virtio-serial-pci -device virtserialport,chardev=spicechannel0,name=com.redhat.spice.0 -chardev spicevmc,id=spicechannel0,name=vdagent -smb /mnt/share/
```

The new interfaces look like this:

```
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 0e:16:f3:74:48:46 brd ff:ff:ff:ff:ff:ff
3: eql: <MASTER> mtu 576 qdisc noop state DOWN group default qlen 5
    link/slip
4: enp0s31f6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 9c:5c:8e:bb:77:90 brd ff:ff:ff:ff:ff:ff
5: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
    link/ether 9c:5c:8e:bc:3a:e0 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::9e5c:8eff:febc:3ae0/64 scope link
       valid_lft forever preferred_lft forever
6: ip6_vti0@NONE: <NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/tunnel6 :: brd ::
7: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
8: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN group default qlen 1000
    link/tunnel6 :: brd ::
9: br0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 9c:5c:8e:bc:3a:e0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.11/24 brd 192.168.0.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::9e5c:8eff:febc:3ae0/64 scope link
       valid_lft forever preferred_lft forever
44: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 1000
    link/ether fe:e3:3d:7a:65:99 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fce3:3dff:fe7a:6599/64 scope link
       valid_lft forever preferred_lft forever
```

In the above, tap0 is the interface auto-generated by qemu.

But I still get the same damn issue. I tried reinstalling Windows multiple times on separate images; I keep getting the exact same default IP assigned with a 255.255.0.0 subnet mask, and even if I change the subnet mask to match my router, I can successfully ping the host, the Google DNS servers and Google IP addresses, but DNS resolution fails for google.com.

I get the feeling the issue is somewhere else in the OS and not in the virtual machine network configuration.

Everything was working fine initially, but a few days back I installed Docker, which seems to have broken things; now, even though I have uninstalled Docker, things are not getting back to normal.

----------

## bbgermany

The IP you see is an APIPA address, which you get if no DHCP server answers requests. Do you have a working DHCP server in your network?

greets, bb
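As an added example (not part of this thread), here is a small Python diagnostic that turns the symptom above into a check: it parses an `ipconfig /all` style excerpt, recognises a 169.254.0.0/16 address with mask 255.255.0.0 as APIPA (which means no DHCP OFFER reached the guest), and otherwise validates that the configured gateway is actually on-link. The `ipconfig` excerpt is constructed to mirror the thread and its values are made up; the field labels follow the layout `ipconfig /all` prints.

```python
"""Diagnose a Windows guest's IPv4 setup from an `ipconfig /all` excerpt."""
import ipaddress
import re

# Constructed sample: made-up values laid out like `ipconfig /all`, mirroring the thread
# (link-local address, /16 mask, no gateway). Not captured from the poster's machine.
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Red Hat VirtIO Ethernet Adapter
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Autoconfiguration IPv4 Address. . : 169.254.23.17(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
"""

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")   # RFC 3927 link-local range
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 -]*?)[ .]*: ?(?P<val>.*)$")


def parse_ipconfig(text):
    """Map ipconfig field names to values, dropping the dotted leader and '(Preferred)'."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key = m.group("key").strip()
        val = m.group("val").strip()
        if val.endswith(")") and "(" in val:      # "169.254.23.17(Preferred)"
            val = val[:val.index("(")]
        fields[key] = val
    return fields


def diagnose(fields):
    """Return (status, detail) for one adapter's fields.

    'apipa' means Windows fell back to autoconfiguration because no DHCP server answered;
    the /16 mask the poster saw is simply the mask of that range, not something a
    server handed out."""
    addr = fields.get("IPv4 Address") or fields.get("Autoconfiguration IPv4 Address")
    mask = fields.get("Subnet Mask")
    gw = fields.get("Default Gateway")
    if not addr or not mask:
        return "no-ipv4", "adapter has no IPv4 address"
    iface = ipaddress.ip_interface(f"{addr}/{mask}")   # accepts dotted masks
    if iface.ip in APIPA_NET:
        return "apipa", (f"{iface.with_prefixlen} is link-local autoconfiguration: "
                         "no DHCP OFFER reached the guest; check the path "
                         "guest -> tap/vnet -> bridge -> DHCP server")
    if not gw:
        return "no-gateway", f"{iface.with_prefixlen} has no default gateway"
    if ipaddress.ip_address(gw) not in iface.network:
        return "gateway-off-link", f"gateway {gw} is outside {iface.network}"
    return "ok", f"{iface.with_prefixlen} via {gw}"


if __name__ == "__main__":
    print(diagnose(parse_ipconfig(SAMPLE_IPCONFIG)))
    # the static configuration the poster tried by hand
    print(diagnose({"IPv4 Address": "192.168.0.10", "Subnet Mask": "255.255.255.0",
                    "Default Gateway": "192.168.0.1"}))
```

An `apipa` result points at the DHCP broadcast path rather than at the guest's settings; a working static address with failing name resolution, as the poster describes, is a separate problem that this check does not cover.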

----------

## spsarolkar

*bbgermany wrote:*

> Do you have a working DHCP server in your network?

Currently there is no local DNS server, but I can see the Google DNS servers can be pinged from the Windows guest.

The last time I installed the DNS server it interfered with my static IP address assigned by netifrc. That's why DHCP is disabled in /etc/conf.d/net. But I uninstalled it after that.

----------

## bbgermany

Not DNS (Domain Name System), DHCP (Dynamic Host Configuration Protocol). These are two different systems. The only point in common is that the DHCP server can provide a DNS server entry for your IP configuration.

What does "nslookup www.google.com" give you on your Windows guest when you set up a static IP address on the Windows system?

greets, bb

----------

## spsarolkar

*bbgermany wrote:*

> What does "nslookup www.google.com" give you on your Windows guest when you set up a static IP address on the Windows system?

Here is the output: https://cdn.pbrd.co/images/H4Hrtz5.png

Regarding the DHCP server, I seem to have dnsmasq installed, but I never knew it was there. Are you talking about the same thing?

I have a DHCP server on the router running at 192.168.0.1; that's the gateway I mentioned.

----------

## spsarolkar

I finally found some clues: when I flush iptables everything works like a charm.

There is some rule in my iptables which is blocking the local traffic. I am very new to iptables so I am not able to identify which rule is causing the issue; below is the dump of all the rules.

```
sunils@sunils-pc /var/log/samba $ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
INPUT_direct  all  --  anywhere             anywhere
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
INPUT_ZONES  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
FORWARD_direct  all  --  anywhere             anywhere
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_IN_ZONES  all  --  anywhere             anywhere
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_OUT_ZONES  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
OUTPUT_direct  all  --  anywhere             anywhere

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination
FWDI_public  all  --  anywhere             anywhere            [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination
FWDO_public  all  --  anywhere             anywhere            [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_direct (1 references)
target     prot opt source               destination

Chain FWDI_public (1 references)
target     prot opt source               destination
FWDI_public_log  all  --  anywhere             anywhere
FWDI_public_deny  all  --  anywhere             anywhere
FWDI_public_allow  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere

Chain FWDI_public_allow (1 references)
target     prot opt source               destination

Chain FWDI_public_deny (1 references)
target     prot opt source               destination

Chain FWDI_public_log (1 references)
target     prot opt source               destination

Chain FWDO_public (1 references)
target     prot opt source               destination
FWDO_public_log  all  --  anywhere             anywhere
FWDO_public_deny  all  --  anywhere             anywhere
FWDO_public_allow  all  --  anywhere             anywhere

Chain FWDO_public_allow (1 references)
target     prot opt source               destination

Chain FWDO_public_deny (1 references)
target     prot opt source               destination

Chain FWDO_public_log (1 references)
target     prot opt source               destination

Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_public  all  --  anywhere             anywhere            [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain INPUT_direct (1 references)
target     prot opt source               destination

Chain IN_public (1 references)
target     prot opt source               destination
IN_public_log  all  --  anywhere             anywhere
IN_public_deny  all  --  anywhere             anywhere
IN_public_allow  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere

Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW

Chain IN_public_deny (1 references)
target     prot opt source               destination

Chain IN_public_log (1 references)
target     prot opt source               destination

Chain OUTPUT_direct (1 references)
target     prot opt source               destination
```

Can someone please tell me which rule I should be adding to allow the internet connection via the bridge from the guest?

----------

## Hu

Actually, that is not a dump of all rules. That is only a dump of the filter table. There are other tables, notably nat and mangle. Generally, if you need help with a netfilter problem, you should post the output of iptables-save -c, not the output of iptables -L. The latter defaults to hiding information that may be useful to us.

----------

## spsarolkar

*Hu wrote:*

> you should post the output of iptables-save -c, not the output of iptables -L. The latter defaults to hiding information that may be useful to us.

Please find it below.

```
sunils@sunils-pc ~ $ sudo rc-service iptables restart
 * Loading iptables state and starting firewall ...                                                          [ ok ]
sunils@sunils-pc ~ $ sudo iptables-save -c
# Generated by iptables-save v1.4.21 on Sun Jan 28 08:04:50 2018
*nat
:PREROUTING ACCEPT [354:89200]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [30:4729]
:POSTROUTING ACCEPT [30:4729]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
[293069:88502969] -A PREROUTING -j PREROUTING_direct
[293069:88502969] -A PREROUTING -j PREROUTING_ZONES_SOURCE
[293069:88502969] -A PREROUTING -j PREROUTING_ZONES
[32338:5203134] -A OUTPUT -j OUTPUT_direct
[0:0] -A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
[0:0] -A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
[0:0] -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
[0:0] -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
[0:0] -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
[32358:5204222] -A POSTROUTING -j POSTROUTING_direct
[32358:5204222] -A POSTROUTING -j POSTROUTING_ZONES_SOURCE
[32358:5204222] -A POSTROUTING -j POSTROUTING_ZONES
[0:0] -A POSTROUTING -o enp3s0 -j MASQUERADE
[32358:5204222] -A POSTROUTING_ZONES -g POST_public
[32358:5204222] -A POST_public -j POST_public_log
[32358:5204222] -A POST_public -j POST_public_deny
[32358:5204222] -A POST_public -j POST_public_allow
[293069:88502969] -A PREROUTING_ZONES -g PRE_public
[293069:88502969] -A PRE_public -j PRE_public_log
[293069:88502969] -A PRE_public -j PRE_public_deny
[293069:88502969] -A PRE_public -j PRE_public_allow
COMMIT
# Completed on Sun Jan 28 08:04:50 2018
# Generated by iptables-save v1.4.21 on Sun Jan 28 08:04:50 2018
*mangle
:PREROUTING ACCEPT [6662821:18584686283]
:INPUT ACCEPT [6413110:18501564014]
:FORWARD ACCEPT [63327:8973327]
:OUTPUT ACCEPT [4312399:10283978911]
:POSTROUTING ACCEPT [4313819:10284216935]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
[6662821:18584686283] -A PREROUTING -j PREROUTING_direct
[6662821:18584686283] -A PREROUTING -j PREROUTING_ZONES_SOURCE
[6662821:18584686283] -A PREROUTING -j PREROUTING_ZONES
[6413110:18501564014] -A INPUT -j INPUT_direct
[63327:8973327] -A FORWARD -j FORWARD_direct
[4312399:10283978911] -A OUTPUT -j OUTPUT_direct
[4313819:10284216935] -A POSTROUTING -j POSTROUTING_direct
[6662821:18584686283] -A PREROUTING_ZONES -g PRE_public
[6662821:18584686283] -A PRE_public -j PRE_public_log
[6662821:18584686283] -A PRE_public -j PRE_public_deny
[6662821:18584686283] -A PRE_public -j PRE_public_allow
COMMIT
# Completed on Sun Jan 28 08:04:50 2018
# Generated by iptables-save v1.4.21 on Sun Jan 28 08:04:50 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [230:37454]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
[6368283:18495942558] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[53:3180] -A INPUT -i lo -j ACCEPT
[44774:5618276] -A INPUT -j INPUT_direct
[44774:5618276] -A INPUT -j INPUT_ZONES_SOURCE
[44774:5618276] -A INPUT -j INPUT_ZONES
[16:640] -A INPUT -m conntrack --ctstate INVALID -j DROP
[44753:5617328] -A INPUT -j REJECT --reject-with icmp-host-prohibited
[0:0] -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
[0:0] -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
[0:0] -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
[72:4304] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i lo -j ACCEPT
[63255:8969023] -A FORWARD -j FORWARD_direct
[63255:8969023] -A FORWARD -j FORWARD_IN_ZONES_SOURCE
[63255:8969023] -A FORWARD -j FORWARD_IN_ZONES
[63231:8967807] -A FORWARD -j FORWARD_OUT_ZONES_SOURCE
[63231:8967807] -A FORWARD -j FORWARD_OUT_ZONES
[0:0] -A FORWARD -m conntrack --ctstate INVALID -j DROP
[63231:8967807] -A FORWARD -j REJECT --reject-with icmp-host-prohibited
[0:0] -A FORWARD -i br0 -o enp3s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i enp3s0 -o br0 -j ACCEPT
[0:0] -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
[4312399:10283978911] -A OUTPUT -j OUTPUT_direct
[63255:8969023] -A FORWARD_IN_ZONES -g FWDI_public
[63231:8967807] -A FORWARD_OUT_ZONES -g FWDO_public
[63255:8969023] -A FWDI_public -j FWDI_public_log
[63255:8969023] -A FWDI_public -j FWDI_public_deny
[63255:8969023] -A FWDI_public -j FWDI_public_allow
[24:1216] -A FWDI_public -p icmp -j ACCEPT
[63231:8967807] -A FWDO_public -j FWDO_public_log
[63231:8967807] -A FWDO_public -j FWDO_public_deny
[63231:8967807] -A FWDO_public -j FWDO_public_allow
[44774:5618276] -A INPUT_ZONES -g IN_public
[44774:5618276] -A IN_public -j IN_public_log
[44774:5618276] -A IN_public -j IN_public_deny
[44774:5618276] -A IN_public -j IN_public_allow
[3:180] -A IN_public -p icmp -j ACCEPT
[2:128] -A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Sun Jan 28 08:04:50 2018
sunils@sunils-pc ~ $
```

----------

## bbgermany

Hi,

It looks (according to the iptables output) like there are still Docker firewall rules left installed (like FWDO, which sounds like FireWallDockerOut). Maybe these are preventing your access to the internet from your qemu VM, or did you set these rules manually?

greets, bb

----------

## spsarolkar

*bbgermany wrote:*

> Maybe these are preventing your access to the internet from your qemu VM, or did you set these rules manually?

Of course not; I am new to iptables and have not yet set up any rules apart from those mentioned on the Gentoo QEMU wiki https://wiki.gentoo.org/wiki/QEMU

Below are the rules that I fired in the hope of making things work, but it didn't help:

```
root # iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
root # iptables -A FORWARD -i br0 -o enp3s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
root # iptables -A FORWARD -i enp3s0 -o br0 -j ACCEPT
```

Can you please tell me which commands I should run to remove the irrelevant rules, or add any additional rules to allow traffic in the local network? Because when all the iptables rules are on, I am not able to access my Samba share or my VNC server, even from the local network.

----------

## bbgermany

*spsarolkar wrote:*

> *bbgermany wrote:* Maybe these are preventing your access to the internet from your qemu VM, or did you set these rules manually?
>
> Of course not; I am new to iptables and have not yet set up any rules apart from those mentioned on the Gentoo QEMU wiki https://wiki.gentoo.org/wiki/QEMU
>
> Below are the rules that I fired in the hope of making things work, but it didn't help
> ...

Since you are running a bridged configuration, you won't even need those for access from your guest; the host and guest share the same subnet.

The iptables init script saves the rules to /var/lib/iptables/rules-save. You could try moving the file to another location and restarting the iptables service (if you don't need a firewall at all).

greets, bb

----------

## Hu

That table is a mess. I think I see an explanation for your specific problem (assuming your kernel is also configured to apply netfilter to bridges - this is optional, so not everyone does). However, I think you need to review the whole setup.

- You have many rules that reference virbr0, but the VM is not joined to virbr0. It is joined to br0. Therefore, rules that specify virbr0 fail to match traffic involving this VM.
- You bridged your physical NIC, but your netfilter rules still try to refer to it by name. These rules will fail to match, since traffic on a bridge uses the bridge name (but if you need to match on a specific physical interface, --physdev can be used).
- You have a catch-all reject rule in the FORWARD chain above other rules. Fortunately, those rules can never match anything anyway, so failing to reach them has no adverse impact here.
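The three findings above (rules pinned to the wrong bridge, rules naming an enslaved physical NIC, rules buried behind a catch-all REJECT) can be checked mechanically rather than by eye. The following is an added example, not code from the thread or from any of the tools it mentions: a small Python auditor that parses `iptables-save` output and reports those three classes of problem. The sample dump is constructed from the FORWARD chain of the filter table posted above with counters and the zone jumps left out (assumed not to change the analysis), and the bridge membership is taken from the `ip addr` output earlier in the thread. The `bridge_nf_enabled` helper reads the `net.bridge.bridge-nf-call-iptables` sysctl, which is the "netfilter on bridges" setting the post says the explanation depends on.

```python
"""Audit an iptables-save dump against the host's bridge layout.

Reports rules that name a bridge the VM is not on, rules that match a physical NIC
which is actually a bridge port, and rules placed after a catch-all terminal rule in
the same chain (those can never be reached).
"""
import re
from collections import defaultdict

# Constructed sample: the filter FORWARD chain from the thread, counters dropped and the
# firewalld-style zone jumps omitted (assumption: they do not alter the findings).
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i br0 -o enp3s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp3s0 -o br0 -j ACCEPT
COMMIT
"""

# Bridge membership as `ip addr` showed it: enp3s0 and the VM's vnet0 are ports of br0,
# virbr0-nic is the only port of libvirt's NAT bridge virbr0.
BRIDGE_PORTS = {"br0": {"enp3s0", "vnet0"}, "virbr0": {"virbr0-nic"}}
VM_PORT = "vnet0"

RULE_RE = re.compile(r"^(?:\[\d+:\d+\]\s+)?-A\s+(\S+)\s+(.*)$")   # optional -c counters
IFACE_FLAGS = {"-i": "in", "--in-interface": "in", "-o": "out", "--out-interface": "out"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_rules(dump):
    """Yield (table, chain, tokens) for every -A line in an iptables-save dump."""
    table = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
            continue
        m = RULE_RE.match(line)
        if m:
            yield table, m.group(1), m.group(2).split()


def interfaces(tokens):
    """Return [(direction, name)] for every -i/-o match clause in a rule."""
    return [(IFACE_FLAGS[t], tokens[i + 1])
            for i, t in enumerate(tokens[:-1]) if t in IFACE_FLAGS]


def target(tokens):
    for i, t in enumerate(tokens[:-1]):
        if t in ("-j", "-g"):
            return tokens[i + 1]
    return None


def is_catch_all(tokens):
    """A rule whose first token is the target has no match clause: every packet hits it."""
    return bool(tokens) and tokens[0] in ("-j", "-g") and target(tokens) in TERMINAL


def audit(dump, bridge_ports, vm_port):
    """Return a list of (kind, chain, rule) findings."""
    port_of = {p: b for b, ports in bridge_ports.items() for p in ports}
    vm_bridge = port_of[vm_port]
    dead = defaultdict(bool)          # (table, chain) -> catch-all already seen
    findings = []
    for table, chain, tokens in parse_rules(dump):
        rule = " ".join(tokens)
        if dead[(table, chain)]:
            findings.append(("unreachable", chain, rule))
        for _, name in interfaces(tokens):
            if name in port_of:
                # netfilter sees bridged frames with the bridge's name; matching a
                # port needs -m physdev --physdev-in/--physdev-out instead of -i/-o
                findings.append(("bridge-port", chain, rule))
            elif name in bridge_ports and name != vm_bridge:
                findings.append(("wrong-bridge", chain, rule))
        if is_catch_all(tokens):
            dead[(table, chain)] = True
    return findings


def bridge_nf_enabled(path="/proc/sys/net/bridge/bridge-nf-call-iptables"):
    """True/False when br_netfilter is loaded, None if the sysctl does not exist.

    Without it, layer-2 bridged traffic never traverses the filter FORWARD chain."""
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except OSError:
        return None


if __name__ == "__main__":
    print("bridge-nf-call-iptables:", bridge_nf_enabled())
    for kind, chain, rule in audit(SAMPLE_DUMP, BRIDGE_PORTS, VM_PORT):
        print(f"{kind:13} {chain}: {rule}")
```

Run against a real host, feed it `iptables-save -c` output and build `BRIDGE_PORTS` from `ip -o link show type bridge_slave` (the `master` field names the bridge). The unreachable check is deliberately per-chain and ignores RETURNs from called chains, which is enough to catch the three rules appended after the catch-all REJECT in the dump above.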

----------

