# [solved] kvm guest prob w/internet

## nordic bro

let me know what I should include by way of info, I'm not really sure.

I have an xp/sp1 guest running in kvm and used this guide for most of the networking setup: http://en.gentoo-wiki.com/wiki/KVM including his kvm startup script.

I use shorewall 3 but tried 4, same problem.  originally I was sending all bridge traffic to netfilter then read something saying not to do that so now skip it.  so afaik shorewall isn't a factor here anymore (?)

everything from host wrt internet, etc., works fine, always has.  the trouble is now that I have nfs working in the xp guest, web browsers can't see any sites ("server not found").

what happens is:

a)  I boot host, shorewall and kvm, etc. are started.

b) run xp guest, nfs works but internet doesn't.

c) stop shorewall, "shorewall clear" and internet still doesn't work from guest.

but if I stop kvm script (contents below) then '/etc/init.d/net.eth0 restart' and '/etc/init.d/kvm start', now xp guest has nfs working and ffox can connect to sites.

d)  if I restart shorewall, not unexpectedly guest ffox no longer works (but nfs continues to if it matters).  

if I stop shorewall again and do "shorewall clear", guest ffox still can't work.

e) in that state if I again restart eth0 and kvm script, guest nfs and internet work again.

this is how I start the kvm instance:

```
kvm -name xp_pt3 -net nic,macaddr=00:00:00:00:00:22 -net tap,ifname=tap0,script=no,downscript=no gentoo-i386.img -usb -usbdevice tablet -boot c
```

ifconfig:

```
br0       Link encap:Ethernet  HWaddr 8a:97:bb:10:12:5e
          inet addr:192.168.100.254  Bcast:192.168.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:74 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:8143 (7.9 KiB)  TX bytes:0 (0.0 B)

eth0      Link encap:Ethernet  HWaddr 00:19:db:22:5e:e4
          inet addr:192.168.1.254  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1576829 errors:0 dropped:0 overruns:0 frame:0
          TX packets:804563 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2188251979 (2.0 GiB)  TX bytes:55669750 (53.0 MiB)
          Interrupt:45 Base address:0xe000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:394134 errors:0 dropped:0 overruns:0 frame:0
          TX packets:394134 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2089381129 (1.9 GiB)  TX bytes:2089381129 (1.9 GiB)

tap0      Link encap:Ethernet  HWaddr 8a:97:bb:10:12:5e
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:77 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:9704 (9.4 KiB)  TX bytes:92 (92.0 B)

tap1      Link encap:Ethernet  HWaddr 9a:ca:38:8d:c8:8e
          UP BROADCAST PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
```

resolv.conf:

```
# Generated by net-scripts for interface eth0
domain example.com
search example.com
nameserver 192.168.1.1
```

conf.d/net:

```
bridge_br0="tap0 tap1"
brctl_br0="setfd 0 sethello 0 stp off"
#rc_need_br0="net.tap0 net.tap1"
RC_NEED_br0="net.tap0 net.tap1"

config_eth0=( "192.168.1.254 netmask 255.255.255.0 broadcast 192.168.1.255" )
routes_eth0="default via 192.168.1.1"
dns_domain_eth0="example.com"
dns_servers_eth0="192.168.1.1"
dns_search_eth0="example.com"

config_br0="192.168.100.254/24"

config_tap0="null"
tuntap_tap0="tap"
tunctl_tap0="-u mike"
mac_tap0="00:00:00:00:00:00"

config_tap1="null"
tuntap_tap1="tap"
tunctl_tap1="-u mike"
mac_tap1="00:00:00:00:00:01"
```

/etc/init.d/kvm script from above gentoo how-to (I took out msgs and whatnot for brevity; also I use modules so put the 'echo "0" > ...*tables' in there rather than sysctl.conf):

```
#NUM_OF_DEVICES=5
NUM_OF_DEVICES=2
#USERID="<your_user>"
USERID="mike"

depend() {
        need net
}

start() {
        /sbin/modprobe kvm
        /sbin/modprobe kvm_intel
        /sbin/modprobe tun
        /sbin/brctl addbr br0
        /sbin/ifconfig br0 192.168.100.254 netmask 255.255.255.0 up
        for ((i=0; i < NUM_OF_DEVICES; i++)); do
                /usr/bin/tunctl -b -u $USERID -t tap$i >/dev/null
                /sbin/brctl addif br0 tap$i
                /sbin/ifconfig tap$i up 0.0.0.0 promisc
        done
        echo "1" > /proc/sys/net/ipv4/ip_forward
        iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
        echo "0" > /proc/sys/net/bridge/bridge-nf-call-arptables
        echo "0" > /proc/sys/net/bridge/bridge-nf-call-iptables
        echo "0" > /proc/sys/net/bridge/bridge-nf-call-ip6tables
        eend 0
}

stop() {
        for ((i=0; i < NUM_OF_DEVICES; i++)); do
                /sbin/ifconfig tap$i down
                /sbin/brctl delif br0 tap$i
                /usr/bin/tunctl -d tap$i >/dev/null
        done
        /sbin/ifconfig br0 down
        /sbin/brctl delbr br0
        /sbin/modprobe -r tun
        /sbin/modprobe -r kvm_intel
        /sbin/modprobe -r kvm
        echo "0" > /proc/sys/net/ipv4/ip_forward
        iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
        eend 0
}

restart() {
        stop
        start
}
```

my xp network props are:

ip addr: 192.168.100.1

mask: 255.255.255.0

default gw: 192.168.100.254

dns: 192.168.1.1 (my router)

also this is kernel.org 3.0.3 if it matters.

thanks.

Last edited by nordic bro on Mon Sep 19, 2011 5:40 pm; edited 3 times in total

----------

## Hu

Do you want the guest to be bridged or NAT'd?  You have elements of each, which is probably not good.  Pick one or the other and then we can help you write a configuration using just that method.

----------

## nordic bro

 *Quote:*   

> Do you want the guest to be bridged or NAT'd?

 

thanks, tbh I don't really know (much of this is new to me and have been thrashing about w/endless changes over the past few days which may explain the mixture).

what I was hoping to achieve initially was:

a) the kvm guest to be hidden from the outside world;

b) the guest to have to go through my host firewall just in case I get some kind of malware that's either trying to spread outside my local network or reporting back to the infector.  

I do have a router firewall which came with my fios service but I really don't know how well that works or know anything about configuring it to be better if necessary.  

so I have shorewall running in addition which I can at least look at documentation and do something there I may not know how to do with the router firewall.

----------

## Hu

It sounds like you want a NAT configuration for the guest.  Drop all references to br0.  Use eth0 as your interface to the outside world.  Configure your tap device with a private address on a different subnet from your main LAN.  Place your guest on that same subnet.  For simplicity, you can static configure the guest for now.

----------

## nordic bro

k, I know I'm doing something wrong but can't identify what, so I seem to be going in circles  :Smile:   the two problems I'm having are:

1.  after reboot and shorewall running (r4.4.15.1) my guest can't see internet but nfs works

2a.  with shorewall stop/clear, guest can use nfs but not see internet

2b.  if I then restart net.eth0 both nfs/guest internet work

2c.  if I start shorewall again, no guest internet but nfs still works

shorewall interfaces:

```
net   eth0      detect      routefilter,tcpflags,dhcp
#loc   interior
# that's what I ordinary use but also tried this:
loc   tap0      detect
```

shorewall rules:

```
SECTION NEW
DROP      net      fw     icmp     8
DROP      net      fw     tcp      113,135
ACCEPT    fw       loc    tcp      5432
ACCEPT    loc      fw     tcp      5432
```

shorewall policy:

```
loc      fw     ACCEPT
fw       net    ACCEPT
net      all    DROP
all      all    REJECT
```

shorewall zones:

```
fw    firewall
net   ipv4
loc   ipv4
```

shorewall conf is stock and many lines so let me know if I should include it.

to create tap0 I did this:

```
modprobe tun
tunctl -u mike
ip addr add 192.168.100.254/24 dev tap0
ip link set tap0 up
sysctl net.ipv4.ip_forward=1
route add -host 192.168.100.1 dev tap0
```

route -n:

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 tap0
192.168.100.1   0.0.0.0         255.255.255.255 UH    0      0        0 tap0
```

ifconfig:

```
eth0      Link encap:Ethernet  HWaddr 00:19:db:22:5e:e4
          inet addr:192.168.1.254  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10210 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9005 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4878612 (4.6 MiB)  TX bytes:954754 (932.3 KiB)
          Interrupt:45 Base address:0xe000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:776 errors:0 dropped:0 overruns:0 frame:0
          TX packets:776 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:260051 (253.9 KiB)  TX bytes:260051 (253.9 KiB)

tap0      Link encap:Ethernet  HWaddr a2:b3:81:5c:56:09
          inet addr:192.168.100.254  Bcast:0.0.0.0  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:790 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1182 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:102661 (100.2 KiB)  TX bytes:1110796 (1.0 MiB)
```

I start kvm guest w/this:

```
export MACADDR="52:54:$(dd if=/dev/urandom count=1 2>/dev/null | md5sum | sed 's/^\(..\)\(..\)\(..\)\(..\).*$/\1:\2:\3:\4/')"; kvm -name xp_pt3 -net nic,macaddr=${MACADDR} -net tap,ifname=tap0,script=no,downscript=no /misc/vm_data/kvm_pt3/gentoo-i386.img -usb -usbdevice tablet -boot c
```

/etc/init.d/kvm:

```
#NUM_OF_DEVICES=5
NUM_OF_DEVICES=2
#USERID="<your_user>"
USERID="mike"

depend() {
        need net
}

start() {
        /sbin/modprobe kvm
        /sbin/modprobe kvm_intel
        echo "1" > /proc/sys/net/ipv4/ip_forward
**        iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
        eend 0
}

stop() {
        /sbin/modprobe -r kvm_intel
        /sbin/modprobe -r kvm
        echo "0" > /proc/sys/net/ipv4/ip_forward
**        iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
        eend 0
}
```

and my xp setup:

ip: 192.168.100.1

mask: 255.255.255.0

gw: 192.168.100.254

dns: 192.168.1.1 (my router)

** fwiw the two "**" in kvm script cause this: there is no error doing "-A POST..." in start() (when I add 'eend $? "msg"'), but there is always an error with "-D POST..." in stop(): 

```
 *   Failed to remove masquerade (eth0)         [ ok ]
```

don't know if that's relevant to anything.

thanks.

----------

## Hu

 *nordic bro wrote:*   

> 1.  after reboot and shorewall running (r4.4.15.1) my guest can't see internet but nfs works
> 
> 2a.  with shorewall stop/clear, guest can use nfs but not see internet
> 
> 

 Please post the output of iptables-save -c, not the shorewall configurations.

 *nordic bro wrote:*   

> to create tap0 I did this:
> 
> ```
> modprobe tun
> 
> ...

 The explicit route should be unnecessary.  The rest looks fine.

 *nordic bro wrote:*   

> I start kvm guest w/this:
> 
> ```
> export MACADDR="52:54:$(dd if=/dev/urandom count=1 2>/dev/null | md5sum | sed 's/^\(..\)\(..\)\(..\)\(..\).*$/\1:\2:\3:\4/')"; kvm -name xp_pt3 -net nic,macaddr=${MACADDR} -net tap,ifname=tap0,script=no,downscript=no /misc/vm_data/kvm_pt3/gentoo-i386.img -usb -usbdevice tablet -boot c
> ```
> ...

 Randomizing the MAC address may work, but is bad practice.  Pick a single MAC and stick with it.

 *nordic bro wrote:*   

> 
> 
> ** fwiw the two "**" in kvm script cause this: there is no error doing "-A POST..." in start() (when I add 'eend $? "msg"'), but there is always an error with "-D POST..." in stop(): 
> 
>  *   Failed to remove masquerade (eth0)         [ ok ]
> ...

 You did not specify the exact steps that lead to this, but I suspect this is related to resetting shorewall and letting it wipe your iptables rules.

----------

## nordic bro

 *Quote:*   

>  *Quote:*   1. after reboot and shorewall running (r4.4.15.1) my guest can't see internet but nfs works
> 
> 2a. with shorewall stop/clear, guest can use nfs but not see internet  
> 
> Please post the output of iptables-save -c, not the shorewall configurations.

 

wasn't sure if you wanted both #1 and #2a but this is output for #1 (the posted shorewall setup + kvm script started which is in runlevels/default):

```
# Generated by iptables-save v1.4.10 on Sat Sep 10 00:12:39 2011
*raw
:PREROUTING ACCEPT [276:121985]
:OUTPUT ACCEPT [266:27293]
COMMIT
# Completed on Sat Sep 10 00:12:39 2011
# Generated by iptables-save v1.4.10 on Sat Sep 10 00:12:39 2011
*mangle
:PREROUTING ACCEPT [276:121985]
:INPUT ACCEPT [276:121985]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [266:27293]
:POSTROUTING ACCEPT [266:27293]
:tcfor - [0:0]
:tcin - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
[276:121985] -A PREROUTING -j tcpre
[276:121985] -A INPUT -j tcin
[0:0] -A FORWARD -j MARK --set-xmark 0x0/0xff
[0:0] -A FORWARD -j tcfor
[266:27293] -A OUTPUT -j tcout
[266:27293] -A POSTROUTING -j tcpost
COMMIT
# Completed on Sat Sep 10 00:12:39 2011
# Generated by iptables-save v1.4.10 on Sat Sep 10 00:12:39 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Drop - [0:0]
:Reject - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:fw2loc - [0:0]
:fw2net - [0:0]
:loc2fw - [0:0]
:loc2net - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:net2fw - [0:0]
:net2loc - [0:0]
:reject - [0:0]
:shorewall - [0:0]
:tcpflags - [0:0]
[2:89] -A INPUT -m conntrack --ctstate INVALID,NEW -j dynamic
[254:117124] -A INPUT -i eth0 -j net2fw
[0:0] -A INPUT -i tap0 -j loc2fw
[22:4861] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -j Reject
[0:0] -A INPUT -g reject
[0:0] -A FORWARD -m conntrack --ctstate INVALID,NEW -j dynamic
[0:0] -A FORWARD -i eth0 -o tap0 -j net2loc
[0:0] -A FORWARD -i tap0 -o eth0 -j loc2net
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -j Reject
[0:0] -A FORWARD -g reject
[244:22432] -A OUTPUT -o eth0 -j fw2net
[0:0] -A OUTPUT -o tap0 -j fw2loc
[22:4861] -A OUTPUT -o lo -j ACCEPT
[0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -j Reject
[0:0] -A OUTPUT -g reject
[0:0] -A Drop
[0:0] -A Drop -p tcp -m tcp --dport 113 -m comment --comment "Auth" -j reject
[0:0] -A Drop -j dropBcast
[0:0] -A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
[0:0] -A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
[0:0] -A Drop -j dropInvalid
[0:0] -A Drop -p udp -m multiport --dports 135,445 -m comment --comment "SMB" -j DROP
[0:0] -A Drop -p udp -m udp --dport 137:139 -m comment --comment "SMB" -j DROP
[0:0] -A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment "SMB" -j DROP
[0:0] -A Drop -p tcp -m multiport --dports 135,139,445 -m comment --comment "SMB" -j DROP
[0:0] -A Drop -p udp -m udp --dport 1900 -m comment --comment "UPnP" -j DROP
[0:0] -A Drop -p tcp -j dropNotSyn
[0:0] -A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
[0:0] -A Reject
[0:0] -A Reject -p tcp -m tcp --dport 113 -m comment --comment "Auth" -j reject
[0:0] -A Reject -j dropBcast
[0:0] -A Reject -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
[0:0] -A Reject -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
[0:0] -A Reject -j dropInvalid
[0:0] -A Reject -p udp -m multiport --dports 135,445 -m comment --comment "SMB" -j reject
[0:0] -A Reject -p udp -m udp --dport 137:139 -m comment --comment "SMB" -j reject
[0:0] -A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment "SMB" -j reject
[0:0] -A Reject -p tcp -m multiport --dports 135,139,445 -m comment --comment "SMB" -j reject
[0:0] -A Reject -p udp -m udp --dport 1900 -m comment --comment "UPnP" -j DROP
[0:0] -A Reject -p tcp -j dropNotSyn
[0:0] -A Reject -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
[0:0] -A dropBcast -m addrtype --dst-type BROADCAST -j DROP
[0:0] -A dropBcast -d 224.0.0.0/4 -j DROP
[0:0] -A dropInvalid -m conntrack --ctstate INVALID -j DROP
[0:0] -A dropNotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
[0:0] -A fw2loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A fw2loc -p tcp -m tcp --dport 5432 -j ACCEPT
[0:0] -A fw2loc -j Reject
[0:0] -A fw2loc -g reject
[0:0] -A fw2net -p udp -m udp --dport 67:68 -j ACCEPT
[187:18861] -A fw2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[57:3571] -A fw2net -j ACCEPT
[0:0] -A loc2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A loc2fw -p tcp -m tcp --dport 5432 -j ACCEPT
[0:0] -A loc2fw -j ACCEPT
[0:0] -A loc2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A loc2net -j Reject
[0:0] -A loc2net -g reject
[0:0] -A logdrop -j DROP
[0:0] -A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options
[0:0] -A logflags -j DROP
[0:0] -A logreject -j reject
[0:0] -A net2fw -p udp -m udp --dport 67:68 -j ACCEPT
[220:113465] -A net2fw -p tcp -j tcpflags
[254:117124] -A net2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A net2fw -p icmp -m icmp --icmp-type 8 -j DROP
[0:0] -A net2fw -p tcp -m multiport --dports 113,135 -j DROP
[0:0] -A net2fw -j Drop
[0:0] -A net2fw -j DROP
[0:0] -A net2loc -p tcp -j tcpflags
[0:0] -A net2loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A net2loc -j Drop
[0:0] -A net2loc -j DROP
[0:0] -A reject -m addrtype --src-type BROADCAST -j DROP
[0:0] -A reject -s 224.0.0.0/4 -j DROP
[0:0] -A reject -p igmp -j DROP
[0:0] -A reject -p tcp -j REJECT --reject-with tcp-reset
[0:0] -A reject -p udp -j REJECT --reject-with icmp-port-unreachable
[0:0] -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
[0:0] -A reject -j REJECT --reject-with icmp-host-prohibited
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
[0:0] -A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags
COMMIT
# Completed on Sat Sep 10 00:12:39 2011
# Generated by iptables-save v1.4.10 on Sat Sep 10 00:12:39 2011
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [59:3660]
:POSTROUTING ACCEPT [59:3660]
COMMIT
# Completed on Sat Sep 10 00:12:39 2011
```

and this is #2a ('/etc/init.d/shorewall stop' then 'shorewall clear'):

```
# Generated by iptables-save v1.4.10 on Sat Sep 10 00:14:14 2011
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sat Sep 10 00:14:14 2011
# Generated by iptables-save v1.4.10 on Sat Sep 10 00:14:14 2011
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sat Sep 10 00:14:14 2011
# Generated by iptables-save v1.4.10 on Sat Sep 10 00:14:14 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sat Sep 10 00:14:14 2011
# Generated by iptables-save v1.4.10 on Sat Sep 10 00:14:14 2011
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sat Sep 10 00:14:14 2011
```

thanks for the help.

----------

## Hu

You must have the MASQUERADE rule for the guest to be able to use the Internet.  Shorewall is wiping this rule when it loads, and it is loading after you start net.eth0.

----------

## nordic bro

sorry, can't get this stupid thing to work  :Smile:   do you have any other troubleshooting tips?  I've been experimenting w/that iptables-save cmd and see:

```
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:eth0_masq - [0:0]
[0:0] -A POSTROUTING -o eth0 -j eth0_masq
[0:0] -A eth0_masq -s 192.168.100.0/24 -j MASQUERADE
COMMIT
```

that's with shorewall running and from what I gather (shorewall-masq man pg/google) my simple /etc/shorewall/masq entry is sufficient:

```
eth0            192.168.100.0/24
```

but guest internet doesn't work.  if I stop shorewall/clear then reissue the cmd in init.d/kvm script:

```
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```

guest internet starts working immediately and to my amateur eye see essentially the same iptables-save output:

```
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[0:0] -A POSTROUTING -o eth0 -j MASQUERADE
```

where else would I look to see what's the matter?

I thought maybe there was some module I didn't have compiled for the more refined shorewall masq version although I don't get any start errors; however I still went through kernel cfg and M just about everything in netfilter options and still nothing.

one other thing, w/o shorewall I can ping router from guest and guest from host; w/shorewall either ping just says "Destination host unreachable" but I imagine there's a shorewall rule/policy somewhere that blocks them and it otherwise doesn't mean anything?

edit: incidentally if it matters here's the entire output w/shorewall running:

```
# Generated by iptables-save v1.4.10 on Sun Sep 11 21:52:16 2011
*raw
:PREROUTING ACCEPT [311:155608]
:OUTPUT ACCEPT [305:33043]
COMMIT
# Completed on Sun Sep 11 21:52:16 2011
# Generated by iptables-save v1.4.10 on Sun Sep 11 21:52:16 2011
*mangle
:PREROUTING ACCEPT [311:155608]
:INPUT ACCEPT [311:155608]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [305:33043]
:POSTROUTING ACCEPT [305:33043]
:tcfor - [0:0]
:tcin - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
[311:155608] -A PREROUTING -j tcpre
[311:155608] -A INPUT -j tcin
[0:0] -A FORWARD -j MARK --set-xmark 0x0/0xff
[0:0] -A FORWARD -j tcfor
[305:33043] -A OUTPUT -j tcout
[305:33043] -A POSTROUTING -j tcpost
COMMIT
# Completed on Sun Sep 11 21:52:16 2011
# Generated by iptables-save v1.4.10 on Sun Sep 11 21:52:16 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Drop - [0:0]
:Reject - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:fw2loc - [0:0]
:fw2net - [0:0]
:loc2fw - [0:0]
:loc2net - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:net2fw - [0:0]
:net2loc - [0:0]
:reject - [0:0]
:shorewall - [0:0]
:tcpflags - [0:0]
[0:0] -A INPUT -m conntrack --ctstate INVALID,NEW -j dynamic
[305:153440] -A INPUT -i eth0 -j net2fw
[0:0] -A INPUT -i tap0 -j loc2fw
[6:2168] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -j Reject
[0:0] -A INPUT -g reject
[0:0] -A FORWARD -m conntrack --ctstate INVALID,NEW -j dynamic
[0:0] -A FORWARD -i eth0 -o tap0 -j net2loc
[0:0] -A FORWARD -i tap0 -o eth0 -j loc2net
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -j Reject
[0:0] -A FORWARD -g reject
[299:30875] -A OUTPUT -o eth0 -j fw2net
[0:0] -A OUTPUT -o tap0 -j fw2loc
[6:2168] -A OUTPUT -o lo -j ACCEPT
[0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -j Reject
[0:0] -A OUTPUT -g reject
[0:0] -A Drop
[0:0] -A Drop -p tcp -m tcp --dport 113 -m comment --comment "Auth" -j reject
[0:0] -A Drop -j dropBcast
[0:0] -A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
[0:0] -A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
[0:0] -A Drop -j dropInvalid
[0:0] -A Drop -p udp -m multiport --dports 135,445 -m comment --comment "SMB" -j DROP
[0:0] -A Drop -p udp -m udp --dport 137:139 -m comment --comment "SMB" -j DROP
[0:0] -A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment "SMB" -j DROP
[0:0] -A Drop -p tcp -m multiport --dports 135,139,445 -m comment --comment "SMB" -j DROP
[0:0] -A Drop -p udp -m udp --dport 1900 -m comment --comment "UPnP" -j DROP
[0:0] -A Drop -p tcp -j dropNotSyn
[0:0] -A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
[0:0] -A Reject
[0:0] -A Reject -p tcp -m tcp --dport 113 -m comment --comment "Auth" -j reject
[0:0] -A Reject -j dropBcast
[0:0] -A Reject -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
[0:0] -A Reject -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
[0:0] -A Reject -j dropInvalid
[0:0] -A Reject -p udp -m multiport --dports 135,445 -m comment --comment "SMB" -j reject
[0:0] -A Reject -p udp -m udp --dport 137:139 -m comment --comment "SMB" -j reject
[0:0] -A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment "SMB" -j reject
[0:0] -A Reject -p tcp -m multiport --dports 135,139,445 -m comment --comment "SMB" -j reject
[0:0] -A Reject -p udp -m udp --dport 1900 -m comment --comment "UPnP" -j DROP
[0:0] -A Reject -p tcp -j dropNotSyn
[0:0] -A Reject -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
[0:0] -A dropBcast -m addrtype --dst-type BROADCAST -j DROP
[0:0] -A dropBcast -d 224.0.0.0/4 -j DROP
[0:0] -A dropInvalid -m conntrack --ctstate INVALID -j DROP
[0:0] -A dropNotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
[0:0] -A fw2loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A fw2loc -p tcp -m tcp --dport 5432 -j ACCEPT
[0:0] -A fw2loc -j Reject
[0:0] -A fw2loc -g reject
[0:0] -A fw2net -p udp -m udp --dport 67:68 -j ACCEPT
[242:27353] -A fw2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[57:3522] -A fw2net -j ACCEPT
[0:0] -A loc2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A loc2fw -p tcp -m tcp --dport 5432 -j ACCEPT
[0:0] -A loc2fw -j ACCEPT
[0:0] -A loc2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A loc2net -j Reject
[0:0] -A loc2net -g reject
[0:0] -A logdrop -j DROP
[0:0] -A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options
[0:0] -A logflags -j DROP
[0:0] -A logreject -j reject
[0:0] -A net2fw -p udp -m udp --dport 67:68 -j ACCEPT
[277:150794] -A net2fw -p tcp -j tcpflags
[305:153440] -A net2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A net2fw -p icmp -m icmp --icmp-type 8 -j DROP
[0:0] -A net2fw -p tcp -m multiport --dports 113,135 -j DROP
[0:0] -A net2fw -j Drop
[0:0] -A net2fw -j DROP
[0:0] -A net2loc -p tcp -j tcpflags
[0:0] -A net2loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A net2loc -j Drop
[0:0] -A net2loc -j DROP
[0:0] -A reject -m addrtype --src-type BROADCAST -j DROP
[0:0] -A reject -s 224.0.0.0/4 -j DROP
[0:0] -A reject -p igmp -j DROP
[0:0] -A reject -p tcp -j REJECT --reject-with tcp-reset
[0:0] -A reject -p udp -j REJECT --reject-with icmp-port-unreachable
[0:0] -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
[0:0] -A reject -j REJECT --reject-with icmp-host-prohibited
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
[0:0] -A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags
COMMIT
# Completed on Sun Sep 11 21:52:16 2011
# Generated by iptables-save v1.4.10 on Sun Sep 11 21:52:16 2011
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [57:3522]
:POSTROUTING ACCEPT [57:3522]
:eth0_masq - [0:0]
[57:3522] -A POSTROUTING -o eth0 -j eth0_masq
[0:0] -A eth0_masq -s 192.168.100.0/24 -j MASQUERADE
COMMIT
# Completed on Sun Sep 11 21:52:16 2011
```

----------

## Hu

If stopping shorewall makes the guest work, then that would indicate that shorewall is adding rules that interfere with proper operation.  The shorewall-generated configuration is rather ugly, so there could be problems hiding in it.  Check the kernel output for any dropped traffic.  If you cannot find anything there, consider clearing the shorewall rules and writing packet filter rules by hand.

----------

## nordic bro

figured I should come clean so I could close this post - problem was user error.  after more gnashing of teeth I found/added these to shorewall/rules:

```
DNS(ACCEPT)      loc     net
HTTP(ACCEPT)     loc     net
HTTPS(ACCEPT)    loc     net
```

using some of the tips I got from your replies it appeared to me tap0 was transmitting but not going anywhere; those rules completed the circuit so everything w/guest works fine now.

in the end I got the setup I wanted and learned a couple cool things so thanks again for the help.
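Added example, not code from the thread, from shorewall or from the Gentoo how-to: it parses `iptables-save -c` output and walks the nat and filter tables the way netfilter would for a new connection from the guest, which checks both of the things this thread came down to: Hu's point that guest traffic leaving eth0 must reach a MASQUERADE rule, and the final fix that `loc -> net` needed ACCEPT rules ahead of shorewall's reject chain. The interface names tap0/eth0, the guest subnet 192.168.100.0/24 and the constructed dumps at the bottom are assumptions modelled on the output posted above.

```python
# Added example, not code from the thread or from shorewall: walk an iptables-save
# -c dump as netfilter would for a new connection from the guest and report whether
# it reaches MASQUERADE leaving eth0 and what FORWARD tap0 -> eth0 decides.  Interface
# names, the guest subnet and the constructed dumps at the bottom are assumptions.
import ipaddress
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT", "MASQUERADE"}
# matches not modelled here; a plain unicast TCP SYN never matches any of them
UNMODELLED = {"!", "addrtype", "--tcp-flags", "--sport"}

def parse_iptables_save(text):
    """{table: {chain: [rule tokens]}} with '-A CHAIN' and the [pkts:bytes]
    counter stripped; chain policies ('-' for user chains) go under '__policy__'."""
    tables, table = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] == "#" or line == "COMMIT":
            continue
        if line[0] == "*":
            table = tables.setdefault(line[1:], {"__policy__": {}})
        elif line[0] == ":":
            chain, policy = line[1:].split()[:2]
            table[chain], table["__policy__"][chain] = [], policy
        else:
            tok = shlex.split(line[line.index("]") + 1:] if line[0] == "[" else line)
            if len(tok) >= 2 and tok[0] == "-A":
                table.setdefault(tok[1], []).append(tok[2:])
    return tables

def _opt(rule, flag):
    i = rule.index(flag) + 1 if flag in rule else len(rule)
    return rule[i] if i < len(rule) else None      # value after flag, or None

def _matches(rule, pkt):
    if UNMODELLED & set(rule):
        return False
    for flag, key in (("-i", "in_if"), ("-o", "out_if"), ("-p", "proto")):
        if _opt(rule, flag) not in (None, pkt[key]):
            return False
    net, states = _opt(rule, "-s"), _opt(rule, "--ctstate")
    ports = _opt(rule, "--dport") or _opt(rule, "--dports")   # '80', '67:68', '135,445'
    return ((not net or ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(net, strict=False))
            and (not states or "NEW" in states.split(","))
            and (not ports or any(int(p.split(":")[0]) <= pkt["dport"] <= int(p.split(":")[-1])
                                  for p in ports.split(","))))

def _walk(table, chain, pkt, depth=0):
    """Terminal verdict for pkt in `chain`, or None if it falls off the end.  User
    chains are followed; -g is treated like -j (fine for shorewall, whose 'reject'
    chain ends in an unconditional REJECT)."""
    for rule in table.get(chain, []):
        if not _matches(rule, pkt):
            continue
        target = _opt(rule, "-j") or _opt(rule, "-g")
        if target in TERMINAL:
            return target
        if target in table and depth < 8:
            verdict = _walk(table, target, pkt, depth + 1)
            if verdict is not None:
                return verdict
    return None

def masquerade_ok(dump, out_if="eth0", guest_src="192.168.100.1"):
    """Does guest traffic leaving out_if reach MASQUERADE in nat POSTROUTING?
    Jumps are followed, so shorewall's eth0_masq chain counts."""
    pkt = dict(in_if="tap0", out_if=out_if, proto="tcp", src=guest_src, dport=80)
    return _walk(parse_iptables_save(dump).get("nat", {}), "POSTROUTING", pkt) == "MASQUERADE"

def forward_verdict(dump, proto="tcp", dport=80, in_if="tap0", out_if="eth0",
                    guest_src="192.168.100.1"):
    """Verdict filter FORWARD gives a new guest connection in_if -> out_if
    (the chain policy when no rule decides)."""
    filt = parse_iptables_save(dump).get("filter", {})
    pkt = dict(in_if=in_if, out_if=out_if, proto=proto, src=guest_src, dport=dport)
    return _walk(filt, "FORWARD", pkt) or filt.get("__policy__", {}).get("FORWARD")

# Constructed dump modelled on the thread: shorewall's masq entry is present,
# but loc -> net has no ACCEPT rules, so every new guest connection is rejected.
BROKEN = """\
*filter
:FORWARD DROP [0:0]
[0:0] -A FORWARD -i tap0 -o eth0 -j loc2net
[0:0] -A loc2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A loc2net -g reject
[0:0] -A reject -m addrtype --src-type BROADCAST -j DROP
[0:0] -A reject -p tcp -j REJECT --reject-with tcp-reset
[0:0] -A reject -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
[0:0] -A POSTROUTING -o eth0 -j eth0_masq
[0:0] -A eth0_masq -s 192.168.100.0/24 -j MASQUERADE
COMMIT
"""
# The same host after the DNS(ACCEPT)/HTTP(ACCEPT)/HTTPS(ACCEPT) loc -> net rules.
FIXED = BROKEN.replace("-A loc2net -g reject", "\n".join(
    f"-A loc2net -p {proto} -m {proto} --dport {port} -j ACCEPT"
    for proto, port in (("udp", 53), ("tcp", 53), ("tcp", 80), ("tcp", 443))) + "\n-A loc2net -g reject")
# After 'shorewall clear': FORWARD accepts everything, but nothing masquerades.
CLEARED = "*filter\n:FORWARD ACCEPT [0:0]\nCOMMIT\n*nat\n:POSTROUTING ACCEPT [0:0]\nCOMMIT\n"
```

Running it against a live dump (`iptables-save -c | python3 -c '...'`) reproduces the thread's states: the cleared table forwards but does not masquerade, the first shorewall config masquerades but rejects every new connection, and only the version with the loc -> net rules returns ACCEPT for DNS, HTTP and HTTPS.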
