On 05/01/2012 08:45 AM, Cbulist wrote:
On 05/01/2012 01:27 AM, Barry Brimer wrote:
After that I stopped iptables on the host machine and I lost external connectivity on my VMs. The only way I found to make the VMs work again is restarting the host machine (starting the iptables service again on the host didn't work).
I'm using CentOS 6.2: 2.6.32-220.7.1.el6.x86_64. The host's iptables is the default; I didn't add anything. Why is iptables stopping the connectivity of the VMs when I stop it?
If you don't have NAT rules in your firewall, internal VM traffic that is not bridged won't get NATed and therefore can't reach the parent network.
Thanks Barry,
Yes, I thought the same, but my confusion is that I don't see any PREROUTING or POSTROUTING rules in the /etc/sysconfig/iptables file.

[root@VS01]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
But when I run the command iptables -L -t nat I can see the NAT rules:

[root@VS01]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE tcp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
MASQUERADE udp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
MASQUERADE all  --  192.168.122.0/24    !192.168.122.0/24
MASQUERADE tcp  --  192.168.100.0/24    !192.168.100.0/24    masq ports: 1024-65535
MASQUERADE udp  --  192.168.100.0/24    !192.168.100.0/24    masq ports: 1024-65535
MASQUERADE all  --  192.168.100.0/24    !192.168.100.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Am I missing something?
It is possible that the VM hypervisor (you failed to say which one) is adding iptables rules at runtime, only while a VM guest is running. When you stop iptables, those rules are purged, and after the restart of the iptables service it does not have the necessary rules.
Compare /etc/sysconfig/iptables while all works and after you stop iptables. You can also try restarting the VM guests and even the VM hypervisor.
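An added example, not written by anyone in this thread, of the comparison suggested above: a POSIX shell script that reads two dumps in iptables-save format (the same format /etc/sysconfig/iptables uses) and lists the rules that exist only in the live rule set, i.e. the ones that disappear when the iptables service is stopped and are not restored from the saved file. Both dumps are constructed samples: the nat MASQUERADE entries follow the shape of the 192.168.122.0/24 rules shown in the thread, while the bridge name virbr0 and the FORWARD/INPUT entries for it are assumed hypervisor-inserted rules, not something the thread shows. On a real host you would pass the contents of /etc/sysconfig/iptables and the output of iptables-save instead.

```shell
#!/bin/sh
# Added example: list firewall rules that exist only at runtime, i.e. rules that
# a hypervisor (or anything else) inserted after boot and that are not in the
# persistent /etc/sysconfig/iptables file. Stopping the iptables service flushes
# them; restarting it restores only the saved file.

# Constructed sample of a saved file (iptables-save format, like the one shown in
# the thread): the FORWARD chain ends in REJECT, so nothing is forwarded for guests.
SAVED_RULES='# Firewall configuration written by system-config-firewall
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed sample of `iptables-save` output on the same host while a guest is
# running: the nat MASQUERADE entries and the virbr0 FORWARD/INPUT entries are
# assumed hypervisor-inserted rules (bridge name virbr0 is an assumption).
LIVE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Emit every "-A ..." rule of a dump as "<table>: <rule>", ignoring comment
# lines, chain policy lines and COMMIT. The table comes from the "*name" header.
rules_of() {
    printf '%s\n' "$1" | awk '
        /^\*/  { table = substr($0, 2); next }
        /^-A / { print table ": " $0 }
    '
}

# Rules present in the live dump ($2) that do not appear in the saved file ($1).
# Rule order also matters to iptables, but a rule that is missing entirely is
# the first thing to look for.
runtime_only_rules() {
    saved=$(rules_of "$1")
    rules_of "$2" | while IFS= read -r rule; do
        printf '%s\n' "$saved" | grep -Fxq -- "$rule" || printf '%s\n' "$rule"
    done
}

# Number of runtime-only rules as a plain integer (awk avoids the padded
# output some wc implementations produce).
runtime_only_count() {
    runtime_only_rules "$1" "$2" | awk 'END { print NR }'
}

# Demo on the constructed samples. On a real CentOS 6 host you would run, as root:
#   runtime_only_rules "$(cat /etc/sysconfig/iptables)" "$(iptables-save)"
echo "Rules present only in the live rule set:"
runtime_only_rules "$SAVED_RULES" "$LIVE_RULES"
```

Run against the samples it reports the three nat MASQUERADE rules and the three virbr0 rules, none of which survive a stop of the iptables service; with the saved file's FORWARD chain ending in REJECT, guest traffic stays blocked after a restart until whatever inserted those rules does so again, which matches the explanation given above.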