KVM Ubuntu Guest cannot connect to the internet on bridged networking
I think you are missing a iptable rule for the masquerade
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
Daniel
Updated on September 18, 2022Comments
-
Daniel almost 2 years
I have Ubuntu 14.04 (64 bits) + KVM Host with 2 NICs:
- eth0 connected to the "public" network
- eth1 connected to the br0 bridge with a private ip address rangeFrom Host I can access internet, ping VM Guest and connect to it via SSH.
From VM Guest I can only ping Host, but cannot access Internet and cannot ping google.comPlease help me with connecting VM Guest to the internet in the setup described below:
On Host:
/etc/network/interfaces
auto lo iface lo inet loopback auto eth0 iface eth0 inet static address 192.168.2.60 netmask 255.255.255.0 gateway 192.168.2.254 dns-nameservers 8.8.8.8 auto eth1 iface eth1 inet manual auto br0 iface br0 inet static address 10.0.0.1 netmask 255.255.255.0 bridge_ports eth1 bridge_stp off bridge_maxwait 0 bridge_fd 0 # Create and destroy the bridge automatically. pre-up brctl addbr br0 ip link set dev br0 up post-up /usr/sbin/brctl setfd br0 0 addif br0 eth1 post-down brctl delbr br0
KVM Network is defined as:
<network> <name>br0-net</name> <uuid>9d24b473-0b4d-4cfa-8b12-7bf267d856ae</uuid> <forward mode='bridge'/> <bridge name='br0'/> </network>
# sysctl -p /etc/sysctl.conf
net.ipv4.ip_forward = 1 net.bridge.bridge-nf-call-ip6tables = 0 net.bridge.bridge-nf-call-iptables = 0 net.bridge.bridge-nf-call-arptables = 0
# route -n
Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 192.168.2.254 0.0.0.0 UG 0 0 0 eth0 10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 br0 192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
On VM Guest:
/etc/network/interfaces
auto lo iface lo inet loopback auto eth0 iface eth0 inet static address 10.0.0.11 netmask 255.255.255.0
Guest xml is defined as
<interface type='bridge'> <mac address='52:54:00:6b:93:69'/> <source bridge='br0'/> <model type='virtio'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/> </interface>
# route -n
Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 10.0.0.1 0.0.0.0 UG 0 0 0 eth0 10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
Ping KVM Host from Guest does work for 10.0.0.1 and 192.168.2.60:
$ ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.555 ms
$ ping 192.168.2.60
PING 192.168.2.60 (192.168.2.60) 56(84) bytes of data. 64 bytes from 192.168.2.60: icmp_seq=1 ttl=64 time=0.772 ms
Ping a different computer 192.168.2.3 from Guest does not work:
--- 192.168.2.3 ping statistics --- 277 packets transmitted, 0 received, 100% packet loss, time 276399ms
Ping google.com from Guest does not work:
ping: unknown host google.com
-
Michael Hampton almost 10 yearsShow the problem you are having in the guest.
-
-
Daniel almost 10 yearsThis results in: iptables: No chain/target/match by that name.
-
c4f4t0r almost 10 yearsthat was a typo, i fixed the command
-
hdave over 9 yearsI have precisely the same issue as the OP. However, I do not understand -- is this command on the guests or on the host? What does that iptable rule do? Is there an equivalent in
ufw
? Thanks!