[CentOS] Host Machine and Iptables problem

Tue May 1 09:45:42 UTC 2012
Ljubomir Ljubojevic <office at plnet.rs>

On 05/01/2012 08:45 AM, Cbulist wrote:
> On 05/01/2012 01:27 AM, Barry Brimer wrote:
>>> After that I stopped iptables on the host machine and I lost
>>> external connectivity on my VMs.
>>> The only way I found to make the VMs work again is restarting the
>>> host machine. (Starting the iptables service again on the host didn't work.)
>>>
>>> I'm using CentOS 6.2:  2.6.32-220.7.1.el6.x86_64
>>> The host's iptables is the default, I didn't add anything.
>>> Why is iptables stopping the connectivity of the VMs when I stop it?
>>
>> If you don't have NAT rules in your firewall .. internal VM traffic
>> that is not bridged won't get NATed and therefore can't reach the
>> parent network.
> Thanks Barry,
>
> Yes, I thought the same, but my confusion is that I don't see any
> PREROUTING or POSTROUTING rules in the /etc/sysconfig/iptables file.
>
> [root@VS01]# cat /etc/sysconfig/iptables
> # Firewall configuration written by system-config-firewall
> # Manual customization of this file is not recommended.
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT
> -A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
>
> But when I run the command iptables -L -t nat I can see the NAT rules:
>
> [root@VS01]# iptables -L -t nat
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> MASQUERADE  tcp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
> MASQUERADE  udp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
> MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24
> MASQUERADE  tcp  --  192.168.100.0/24    !192.168.100.0/24    masq ports: 1024-65535
> MASQUERADE  udp  --  192.168.100.0/24    !192.168.100.0/24    masq ports: 1024-65535
> MASQUERADE  all  --  192.168.100.0/24    !192.168.100.0/24
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Am I missing something?
>

It is possible that the VM hypervisor (you failed to say which one) is
adding iptables rules at runtime, only while a VM guest is running. When
you stop iptables, those rules are purged, and after the restart of the
iptables service it does not have the necessary rules.

Compare /etc/sysconfig/iptables while everything works and after you stop iptables.
You can also try restarting the VM guests and even the VM hypervisor.


-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
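As an added illustration of the comparison suggested above (editor's example, not code from this thread or from libvirt): the script below checks a saved ruleset, the text that `iptables-save` prints, for the rules libvirt adds at runtime for a NAT network. It looks at the filter FORWARD chain as well as the nat table, because the host ruleset posted above ends with `-A FORWARD -j REJECT --reject-with icmp-host-prohibited`, so once the hypervisor's ACCEPT rules ahead of it are flushed, forwarded VM traffic is rejected even if MASQUERADE were restored. The rule text follows what libvirt installs for its default NAT network on CentOS 6 (bridge `virbr0`, subnet `192.168.122.0/24`); both are parameters. The two rulesets embedded in the script are constructed samples, not captures from the poster's host.

```shell
#!/bin/sh
# Added example (editor's code, not from the original post): check an
# iptables-save style ruleset for the rules libvirt adds at runtime for a
# NAT network. Bridge name and subnet follow libvirt's default network;
# pass your own values if they differ. Sample rulesets are constructed.

# List the expected libvirt rules that are absent from the ruleset in $3,
# one per line. Prints nothing when all of them are present.
libvirt_missing_rules() {
    subnet="$1"; bridge="$2"; rules="$3"
    for rule in \
        "-A POSTROUTING -s $subnet ! -d $subnet -j MASQUERADE" \
        "-A FORWARD -d $subnet -o $bridge -m state --state RELATED,ESTABLISHED -j ACCEPT" \
        "-A FORWARD -s $subnet -i $bridge -j ACCEPT" \
        "-A FORWARD -i $bridge -o $bridge -j ACCEPT"
    do
        # -F fixed string, -x whole line; "--" because the rule starts with "-"
        printf '%s\n' "$rules" | grep -Fqx -- "$rule" || printf '%s\n' "$rule"
    done
}

# Number of missing rules, for scripting: 0 means libvirt's NAT plumbing is intact.
libvirt_missing_count() {
    libvirt_missing_rules "$@" | wc -l | tr -d ' '
}

# On a real host: run the same check against the live ruleset (needs root).
libvirt_missing_live() {
    libvirt_missing_rules "$1" "$2" "$(iptables-save 2>/dev/null)"
}

# Constructed sample: ruleset while the VMs have connectivity. libvirt inserts
# its rules ahead of the distribution's REJECT rule in FORWARD.
WORKING_RULESET=$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
)

# Constructed sample: ruleset after "service iptables stop; service iptables
# start", i.e. only what /etc/sysconfig/iptables contains.
RESTORED_RULESET=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
)

# Demo on the constructed samples: 0 missing while working, 4 after the restart.
echo "working:  $(libvirt_missing_count 192.168.122.0/24 virbr0 "$WORKING_RULESET") rule(s) missing"
echo "restored: $(libvirt_missing_count 192.168.122.0/24 virbr0 "$RESTORED_RULESET") rule(s) missing"
libvirt_missing_rules 192.168.122.0/24 virbr0 "$RESTORED_RULESET"
```

On the host, the equivalent manual check is `iptables-save > /tmp/working.txt` while the VMs have connectivity, then the same capture after stopping and starting the iptables service, and a `diff` of the two files; `/etc/sysconfig/iptables` alone will not show the difference, because the hypervisor's rules are never written there. Since libvirtd creates these rules when it starts the virtual network, restarting that network (`virsh net-destroy default` followed by `virsh net-start default`) or restarting libvirtd puts them back without rebooting the host; this is libvirt behaviour noted by the editor, not something the thread states.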