CentOS 7 Host With Guests As Bridge Cannot Access Host

Home » CentOS » CentOS 7 Host With Guests As Bridge Cannot Access Host

April 1, 2020 Jerry Geis CentOS 9 Comments

I have CentOS 7 host. Two guests on bridge network setup by GUI and virt-manager.
1 CentOS 8 guest
1 Win 10 guest Both cannot access the host. They can other machines on the network. Guests can access the internet just not the host.

I used virt-manager GUi to set up everything. Selected the eth0:macvtap and Bridge. I “desire” bridge network.

If I select something else I get access to host – but of course machine is not on the main network.

Thoughts ?

Jerry

9 thoughts on - CentOS 7 Host With Guests As Bridge Cannot Access Host

Alexander Dalloz says:

April 1, 2020 at 1:12 pm

Am 01.04.2020 um 14:53 schrieb Jerry Geis:

WORKSFORME

What have you checked so far?

On the host:

# brctl show virbr1
bridge name bridge id STP enabled interfaces virbr1 8000.525400698fd5 yes virbr1-nic
vnet0
vnet1
vnet2
vnet3
vnet4
vnet5

# ip a s virbr1
3: virbr1: mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 52:54:0069:8f:d5 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.1/24 brd 192.168.10.255 scope global virbr1
valid_lft forever preferred_lft forever

# cat /proc/sys/net/ipv4/ip_forward
1

# iptables -L FORWARD -v -n | egrep ‘(policy|virbr1)’
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
20337 14M ACCEPT all — eno1 virbr1 0.0.0.0/0
192.168.10.0/24 ctstate RELATED,ESTABLISHED
29512 3243K ACCEPT all — virbr1 eno1 192.168.10.0/24
0.0.0.0/0
0 0 ACCEPT all — virbr1 virbr1 0.0.0.0/0
0.0.0.0/0
0 0 REJECT all — * virbr1 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all — virbr1 * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable

Alexander
Jerry Geis says:

April 1, 2020 at 2:56 pm

Thanks for the info.

brctl show virbr0
bridge name bridge id STP enabled interfaces virbr0 8000.525400fc34af yes virbr0-nic

brctl show virbr1
bridge name bridge id STP enabled interfaces virbr1 8000.5254009c3902 yes virbr1-nic

ip a s virbr0
3: virbr0: mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:fc:34:af brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever

ip a s virbr1
5: virbr1: mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:9c:39:02 brd ff:ff:ff:ff:ff:ff
inet 192.168.100.1/24 brd 192.168.100.255 scope global virbr1
valid_lft forever preferred_lft forever

cat /proc/sys/net/ipv4/ip_forward
1

iptables -L FORWARD -v -n | egrep ‘(policy|virbr1)’
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

iptables -L FORWARD -v -n | egrep ‘(policy|virbr0)’
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

So looks like my IPTables is not correct.

What commands do you run for that ?
Thanks,

Jerry
Alexander Dalloz says:

April 1, 2020 at 3:07 pm

Am 01.04.2020 um 21:56 schrieb Jerry Geis:

Why is no VM started?

Is that different when the VMs are up?

Simply firewalld. Docker acts by itself.

Alexander
Alexander Dalloz says:

April 1, 2020 at 3:40 pm

Am 01.04.2020 um 22:07 schrieb Alexander Dalloz:

Sorry, have to correct myself. Had to much to do today on OpenShift. There is no Docker involved in what we discuss. The firewall rules for the host bridge devices get created by libvirtd.

Alexander
Jerry Geis says:

April 1, 2020 at 3:53 pm

Thanks I was using iptables and not converted to firewalld. I am doing so now. Will I need to delete the VM and re-add it ?
I am rebooting first.

Jerry
Jerry Geis says:

April 1, 2020 at 4:24 pm

OK I rebooted. I changed the NIC from Bridge to Passthrough, hit apply, then changed it to bridge and hit apply, then booted the VM.

My firewall looks better but still not working. iptables -L FORWARD -v -n | egrep ‘(policy|virbr1)’
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
0 0 ACCEPT all — eth0 virbr1 0.0.0.0/0
192.168.100.0/24 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all — virbr1 eth0 192.168.100.0/24
0.0.0.0/0
0 0 ACCEPT all — virbr1 virbr1 0.0.0.0/0
0.0.0.0/0
0 0 REJECT all — * virbr1 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all — virbr1 * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable

iptables -L FORWARD -v -n | egrep ‘(policy|virbr0)’
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
0 0 ACCEPT all — * virbr0 0.0.0.0/0
192.168.122.0/24 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all — virbr0 * 192.168.122.0/24
0.0.0.0/0
0 0 ACCEPT all — virbr0 virbr0 0.0.0.0/0
0.0.0.0/0
0 0 REJECT all — * virbr0 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all — virbr0 * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable

Now what? Thanks.

Jerry
Jerry Geis says:

April 2, 2020 at 9:09 am

This is unfortunate. https://wiki.libvirt.org/page/TroubleshootMacvtapHostFail

To the “normal” user – BRIDGE means guest is on the same network and has access to the host.

Bummer.

Jerry
Leroy Tennison says:

April 2, 2020 at 9:38 am

Wow, thanks for sharing, I’d have never dreamed it.
Alexander Dalloz says:

April 2, 2020 at 4:42 pm

Am 02.04.2020 um 16:10 schrieb Jerry Geis:

You were not telling us that you were using Macvtap.

Alexander

CentOS 7 Host With Guests As Bridge Cannot Access Host

9 thoughts on - CentOS 7 Host With Guests As Bridge Cannot Access Host

Recommended

Recent Posts

Recent Comments

Archives

Categories

Meta