On 05/01/2012 01:27 AM, Barry Brimer wrote:
After that I stopped iptables on the host machine and I lost external connectivity on my VMs. The only way I found to make the VMs work again is restarting the host machine. (Starting the iptables service again on the host didn't work.)
I'm using CentOS 6.2: 2.6.32-220.7.1.el6.x86_64. The host's iptables is the default; I didn't add anything. Why is iptables stopping the connectivity of the VMs when I stop it?
If you don't have NAT rules in your firewall, internal VM traffic that is not bridged won't get NATed and therefore can't reach the parent network.
Thanks Barry,
Yes, I thought the same, but my confusion is that I don't see any PREROUTING or POSTROUTING rules in the /etc/sysconfig/iptables file.
[root@VS01]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
But when I run the command iptables -L -t nat I can see the NAT rules:
[root@VS01]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  tcp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
MASQUERADE  udp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24
MASQUERADE  tcp  --  192.168.100.0/24    !192.168.100.0/24    masq ports: 1024-65535
MASQUERADE  udp  --  192.168.100.0/24    !192.168.100.0/24    masq ports: 1024-65535
MASQUERADE  all  --  192.168.100.0/24    !192.168.100.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Am I missing something?
Thanks!
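The gap the poster is looking at is between two things: the MASQUERADE rules libvirt inserts into the kernel's nat table when it starts a virtual network (the 192.168.122.0/24 and 192.168.100.0/24 rules above), and the ruleset that `service iptables start` actually restores, which is only what is in /etc/sysconfig/iptables. A `service iptables stop` flushes every table, nat included, and the saved file has no *nat section, so the libvirt rules are gone until libvirt recreates them. The script below is an added example written for this thread, not anything from the poster or from libvirt: it parses the `iptables -L -t nat` column layout (target, prot, opt, source, destination) and the saved file, and reports which runtime NAT subnets would be lost. The two inputs are constructed from the output shown in the post so that it runs offline; the file path and the `-s SUBNET` match used for the saved rules are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): compare the libvirt NAT rules present in
# the running kernel with what /etc/sysconfig/iptables would restore.
# The two inputs are constructed from the post's output so the script runs
# offline; on a real host use
#   RUNTIME_NAT="$(iptables -L -t nat)"   SAVED_RULES="$(cat /etc/sysconfig/iptables)"

# Constructed sample: `iptables -L -t nat` on the host, as shown in the post.
RUNTIME_NAT='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  tcp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
MASQUERADE  udp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24
MASQUERADE  tcp  --  192.168.100.0/24    !192.168.100.0/24    masq ports: 1024-65535
MASQUERADE  udp  --  192.168.100.0/24    !192.168.100.0/24    masq ports: 1024-65535
MASQUERADE  all  --  192.168.100.0/24    !192.168.100.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample: the saved ruleset from the post (abbreviated), which has
# a *filter table only and no *nat section at all.
SAVED_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# count_masq TEXT SUBNET: number of MASQUERADE rules in TEXT whose source column
# is SUBNET (columns of `iptables -L`: target prot opt source destination).
count_masq() {
    printf '%s\n' "$1" |
    awk -v net="$2" '$1 == "MASQUERADE" && $4 == net { n++ } END { print n + 0 }'
}

# saved_has_nat TEXT: succeeds if the saved file contains a *nat table section.
saved_has_nat() {
    printf '%s\n' "$1" | grep -q '^\*nat$'
}

# unpersisted_subnets RUNTIME SAVED: print each source subnet that has runtime
# MASQUERADE rules but no "-s SUBNET" rule in the saved file, one per line.
unpersisted_subnets() {
    printf '%s\n' "$1" | awk '$1 == "MASQUERADE" { print $4 }' | sort -u |
    while read -r net; do
        printf '%s\n' "$2" | grep -Fq -- "-s $net" || printf '%s\n' "$net"
    done
}

# report RUNTIME SAVED: print a verdict; exit status 1 when rules would be lost.
report() {
    missing=$(unpersisted_subnets "$1" "$2")
    if [ -z "$missing" ]; then
        echo "all runtime MASQUERADE subnets are present in the saved ruleset"
        return 0
    fi
    echo "NAT rules that exist only in the kernel (flushed by 'service iptables stop'):"
    printf '  %s\n' $missing
    if ! saved_has_nat "$2"; then
        echo "note: the saved file has no *nat section, so 'service iptables start' restores none of them"
    fi
    return 1
}

# Non-zero status here is the finding, not an error, so do not abort on it.
report "$RUNTIME_NAT" "$SAVED_RULES" || :
```

Run against the post's data this reports both VM subnets as kernel-only, which is exactly why the VMs lose connectivity after `service iptables stop` and do not get it back after `start`. The rules come back when libvirt re-adds them, that is, when the virtual network is restarted (for example `virsh net-destroy default` followed by `virsh net-start default`, or a restart of libvirtd), which is what the host reboot was doing the slow way.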