On 05/01/2012 08:45 AM, Cbulist wrote:
> On 05/01/2012 01:27 AM, Barry Brimer wrote:
>>> After that I stopped iptables on the host machine and I lost
>>> external connectivity on my VMs.
>>> The only way I found to make the VMs work again is restarting the
>>> host machine. (Starting the iptables service again on the host didn't work.)
>>>
>>> I'm using CentOS 6.2: 2.6.32-220.7.1.el6.x86_64
>>> The host's iptables is the default, I didn't add anything.
>>> Why is iptables stopping the connectivity of the VMs when I stop it?
>>
>> If you don't have NAT rules in your firewall .. internal VM traffic
>> that is not bridged won't get NATed and therefore can't reach the
>> parent network.
> Thanks Barry,
>
> Yes, I thought the same, but my confusion is that I don't see any rules
> for PREROUTING and POSTROUTING in the /etc/sysconfig/iptables file.
>
> [root@VS01]# cat /etc/sysconfig/iptables
> # Firewall configuration written by system-config-firewall
> # Manual customization of this file is not recommended.
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
>
> But when I run the command iptables -L -t nat I can see the NAT rules:
>
> [root@VS01]# iptables -L -t nat
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> MASQUERADE tcp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
> MASQUERADE udp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
> MASQUERADE all  --  192.168.122.0/24    !192.168.122.0/24
> MASQUERADE tcp  --  192.168.100.0/24    !192.168.100.0/24    masq ports: 1024-65535
> MASQUERADE udp  --  192.168.100.0/24    !192.168.100.0/24    masq ports: 1024-65535
> MASQUERADE all  --  192.168.100.0/24    !192.168.100.0/24
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Am I missing something?
>

It is possible that the VM hypervisor (you failed to say which one) is adding
iptables rules at runtime, only while a VM guest is running. When you stop
iptables, those rules are purged, and after the restart of the iptables
service it does not have the necessary rules.

Compare /etc/sysconfig/iptables while all works and after you stop iptables.
You can also try restarting the VM guests and even the VM hypervisor.
--
Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
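The comparison suggested above, as an added example that is not part of the thread and is not libvirt's or CentOS's code. It diffs two iptables-save snapshots (the live ruleset, which is where rules a hypervisor inserts at runtime show up, as opposed to /etc/sysconfig/iptables, which only changes when you run "service iptables save") and lists every rule that existed while the guests had connectivity but is gone after the iptables service was stopped and started. The two dumps are constructed for the example: the "working" one assumes the hypervisor is libvirt, whose default NAT network (virbr0, 192.168.122.0/24) installs the MASQUERADE rules shown in the thread together with FORWARD and INPUT rules for the bridge; the "after restart" one mirrors the poster's /etc/sysconfig/iptables, which is all that a service restart reloads. The function names (tagged_rules, missing_rules, count_missing) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): find iptables rules that were present
# while the VMs worked but are missing after "service iptables stop/start".
# Both dumps below are CONSTRUCTED. WORKING_DUMP assumes a libvirt default
# NAT network (virbr0, 192.168.122.0/24); AFTER_RESTART_DUMP mirrors the
# poster's /etc/sysconfig/iptables (filter table only, FORWARD rejects all).
export LC_ALL=C

WORKING_DUMP='# constructed: live ruleset while guests are running
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

AFTER_RESTART_DUMP='# constructed: what "service iptables start" restores from the file
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Keep only "-A" rule lines from an iptables-save dump on stdin, prefixed
# with the table (*nat, *filter) they belong to so identical rule text in
# different tables stays distinct. Comments, chain policies with their
# packet counters, and COMMIT lines are dropped. Output is sorted for comm.
tagged_rules() {
  awk '/^\*/ { table = substr($0, 2); next }
       /^-A / { print table ": " $0 }' | sort -u
}

# Usage: missing_rules "$before_dump" "$after_dump"
# Prints every rule present in the first dump but absent from the second.
missing_rules() {
  before=$(mktemp) || return 1
  after=$(mktemp) || { rm -f "$before"; return 1; }
  printf '%s\n' "$1" | tagged_rules > "$before"
  printf '%s\n' "$2" | tagged_rules > "$after"
  comm -23 "$before" "$after"
  rm -f "$before" "$after"
}

# Usage: count_missing "$before_dump" "$after_dump" -> number of vanished rules
count_missing() {
  missing_rules "$1" "$2" | awk 'END { print NR }'
}

# On a real host, capture the two snapshots with
#   iptables-save > /root/ipt-working.txt   (while the guests have connectivity)
#   iptables-save > /root/ipt-after.txt     (after the iptables stop/start)
# and pass their contents in; here the constructed samples are used.
echo "Rules present while the VMs worked but absent after the iptables restart:"
missing_rules "$WORKING_DUMP" "$AFTER_RESTART_DUMP"
```

With the constructed dumps the output is the three nat POSTROUTING MASQUERADE rules, the two INPUT rules for DNS/DHCP on virbr0, and the three FORWARD rules for the bridge: exactly the traffic that the file's trailing "-A FORWARD -j REJECT" then drops. Anything listed here was not persisted by "service iptables save" and has to be re-created by whatever put it there, which is why only a guest or hypervisor restart brought connectivity back.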