KVM guest can't access internet

networking virtualization kvm qemu
12,644

I received a comment on Reddit that pointed me in the right direction with this one: https://www.reddit.com/r/linuxadmin/comments/bdy6sz/kvm_guest_cant_access_internet/

The problem is that Docker changes the default policy for the FORWARD chain in iptables to DROP.

A rule to allow traffic has to be added. Running this command added the required rule and fixed the issue:

sudo iptables -I FORWARD -i br0 -o br0 -j ACCEPT
Share:
12,644

Related videos on Youtube

colincameron
Author by

colincameron

iOS and OS X developer who wonders into C# and PHP occasionally.

Updated on September 18, 2022

Comments

  • colincameron
    colincameron over 1 year

    I have a number of Ubuntu guests running on an Ubuntu 16.04.6 kvm host.

    Since I had to reboot my host, networking no longer works correctly. The host and guest can access each other, but my guest can't access the internet, and I can't access the guest from any other computers on the network. The host had Docker installed pre-reboot (may be relevant).

    Using one guest as an example: Ubuntu 16.04.4

    • Host IP: 10.0.10.2
    • Guest IP: 10.0.10.13
    • Guest KVM network settings:
      • Network source: Bridge br0: Host device eno1
      • Device model: virtio

    Ping results:

    colin@host:~$ ping 10.0.10.13
PING 10.0.10.13 (10.0.10.13) 56(84) bytes of data.
64 bytes from 10.0.10.13: icmp_seq=1 ttl=64 time=0.207 ms

    colin@host:~$ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=58 time=119 ms

    colin@guest:~$ ping 10.0.10.2
PING 10.0.10.2 (10.0.10.2) 56(84) bytes of data.
64 bytes from 10.0.10.2: icmp_seq=1 ttl=64 time=0.257 ms

    colin@guest:~$ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.

--- 1.1.1.1 ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 7999ms

    Running tcpdump on host during tests (pinging host>guest, guest>world, guest>host) showing no reply:

    colin@host:~$ sudo tcpdump -nni br0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:57:52.684722 IP 10.0.10.2 > 10.0.10.13: ICMP echo request, id 29324, seq 1, length 64
15:57:52.684953 IP 10.0.10.13 > 10.0.10.2: ICMP echo reply, id 29324, seq 1, length 64
15:57:53.683713 IP 10.0.10.2 > 10.0.10.13: ICMP echo request, id 29324, seq 2, length 64
15:57:53.683891 IP 10.0.10.13 > 10.0.10.2: ICMP echo reply, id 29324, seq 2, length 64
15:58:10.697087 IP 10.0.10.13 > 1.1.1.1: ICMP echo request, id 1620, seq 1, length 64
15:58:11.705736 IP 10.0.10.13 > 1.1.1.1: ICMP echo request, id 1620, seq 2, length 64
15:58:18.482031 IP 10.0.10.13 > 10.0.10.2: ICMP echo request, id 1622, seq 1, length 64
15:58:18.482061 IP 10.0.10.2 > 10.0.10.13: ICMP echo reply, id 1622, seq 1, length 64
15:58:19.481024 IP 10.0.10.13 > 10.0.10.2: ICMP echo request, id 1622, seq 2, length 64
15:58:19.481052 IP 10.0.10.2 > 10.0.10.13: ICMP echo reply, id 1622, seq 2, length 64
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel

    Host config:

    colin@host:~$ ifconfig
br0       Link encap:Ethernet  HWaddr 00:fd:45:fc:85:d8  
          inet addr:10.0.10.2  Bcast:10.0.255.255  Mask:255.255.0.0
          inet6 addr: fe80::2fd:45ff:fefc:85d8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:121153422 errors:0 dropped:715 overruns:0 frame:0
          TX packets:65107786 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:172509978566 (172.5 GB)  TX bytes:16134433818 (16.1 GB)

br-df15cee8a6f6 Link encap:Ethernet  HWaddr 02:42:74:28:3f:82  
          inet addr:172.20.0.1  Bcast:172.20.255.255  Mask:255.255.0.0
          inet6 addr: fe80::42:74ff:fe28:3f82/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:158611 errors:0 dropped:0 overruns:0 frame:0
          TX packets:402715 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:14673553 (14.6 MB)  TX bytes:62211023 (62.2 MB)

docker0   Link encap:Ethernet  HWaddr 02:42:85:6b:5d:cd  
          inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eno1      Link encap:Ethernet  HWaddr 00:fd:45:fc:85:d8  
          inet6 addr: fe80::2fd:45ff:fefc:85d8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:122992881 errors:0 dropped:14310 overruns:0 frame:0
          TX packets:71313707 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:174820231625 (174.8 GB)  TX bytes:16827079661 (16.8 GB)
          Interrupt:16 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:5163328 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5163328 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:3075521109 (3.0 GB)  TX bytes:3075521109 (3.0 GB)

veth142ebf2 Link encap:Ethernet  HWaddr 72:71:cc:8a:71:ff  
          inet6 addr: fe80::7071:ccff:fe8a:71ff/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:111842 errors:0 dropped:0 overruns:0 frame:0
          TX packets:278641 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:11860403 (11.8 MB)  TX bytes:44222087 (44.2 MB)

veth4bb7c84 Link encap:Ethernet  HWaddr fe:17:53:a6:ea:ca  
          inet6 addr: fe80::fc17:53ff:fea6:eaca/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:232661 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:18124977 (18.1 MB)

veth7a2885b Link encap:Ethernet  HWaddr d6:1c:ff:48:9d:e6  
          inet6 addr: fe80::d41c:ffff:fe48:9de6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:232659 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:18124809 (18.1 MB)

vnet0     Link encap:Ethernet  HWaddr fe:54:00:7e:9d:e0  
          inet6 addr: fe80::fc54:ff:fe7e:9de0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2800 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1339 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:267912 (267.9 KB)  TX bytes:2975296 (2.9 MB)

    colin@host:~$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#auto eno1
#iface eno1 inet static
#address 10.0.10.2
#netmask 255.255.0.0
#gateway 10.0.0.1
#dns-nameservers 10.0.0.1

# Bridge
auto br0
iface br0 inet static
        address 10.0.10.2
        netmask 255.255.0.0
        gateway 10.0.0.1
        dns-nameservers 1.1.1.1
        bridge_ports eno1
        bridge_stp off
        bridge_fd 0
        bridge_maxwait 0

    colin@host:~$ sudo iptables -L -n -v
[sudo] password for colin: 
Chain INPUT (policy ACCEPT 87M packets, 121G bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 2630 packets, 264K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 5346 1299K DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 5346 1299K DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
 1278  872K ACCEPT     all  --  *      br-df15cee8a6f6  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-df15cee8a6f6  0.0.0.0/0            0.0.0.0/0           
 1438  164K ACCEPT     all  --  br-df15cee8a6f6 !br-df15cee8a6f6  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-df15cee8a6f6 br-df15cee8a6f6  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 49M packets, 16G bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  !br-df15cee8a6f6 br-df15cee8a6f6  0.0.0.0/0            172.20.0.3           tcp dpt:9000
    0     0 ACCEPT     tcp  --  !br-df15cee8a6f6 br-df15cee8a6f6  0.0.0.0/0            172.20.0.4           tcp dpt:8181

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
 1438  164K DOCKER-ISOLATION-STAGE-2  all  --  br-df15cee8a6f6 !br-df15cee8a6f6  0.0.0.0/0            0.0.0.0/0           
 5346 1299K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-df15cee8a6f6  0.0.0.0/0            0.0.0.0/0           
 1438  164K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 5346 1299K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Guest config:

    colin@guest:~$ ifconfig
eth0      Link encap:Ethernet  HWaddr 52:54:00:7e:9d:e0  
          inet addr:10.0.10.13  Bcast:10.0.255.255  Mask:255.255.0.0
          inet6 addr: fe80::5054:ff:fe7e:9de0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1057 errors:0 dropped:256 overruns:0 frame:0
          TX packets:2384 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2950816 (2.9 MB)  TX bytes:228448 (228.4 KB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:141 errors:0 dropped:0 overruns:0 frame:0
          TX packets:141 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:22109 (22.1 KB)  TX bytes:22109 (22.1 KB)

    colin@guest:~$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 10.0.10.13
netmask 255.255.0.0
network 10.0.0.0
broadcast 10.0.255.255
gateway 10.0.0.1
dns-nameservers 8.8.8.8 8.8.4.4

    I've been trying for weeks to solve this, but can't seem to make any headway.

  • stratus
    stratus about 4 years
    In my case, I was using the default NAT interface and had the same problem. Same solution: sudo iptables -I FORWARD -i virbr0 -o virbr0 -j ACCEPT Thanks for sharing!
  • coergo
    coergo over 3 years
    My exact issue on Ubuntu 20.04 after installing Docker then trying to get the bridged network working for KVM.
  • erwin
    erwin over 2 years
    THANK YOU!!! THANK YOU!!! I've been fighting with this same issue in various permutations for weeks... Why in the world does every guide covering kvm setup leave out this step??? Anyway, if you've on Ubuntu 21.10 and later you need to use: sudo iptables-legacy -I FORWARD -i br0 -o br0 -j ACCEPT (same command, just iptables-legacy instead of just iptables)

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Unable to ping from host to guest in KVM
How to troubleshoot a macvtap network in kvm/virt-manager
Emulate unplugging a network cable with qemu-kvm
QEMU: problems with mouse and keyboard settings
How to launch a virtual machine in qcow2 format in Ubuntu 13.04?
virt-manager USB 2.0 problem
Network bandwidth limitation in KVM
Gracefully shut down QEMU/KVM on host shutdown
qemu-system-x86_64 boot failed
How do I connect to my running VM via virsh?