
I am running libvirt/qemu-kvm on Fedora 32; the guest OS is Win10 with spice-guest-tools in use.

I use 'nat' mode virtual networking.

[root@fedora ~]# virsh net-dumpxml default
<network connections='1'>
  <name>default</name>
  <uuid>36ca4070-160a-47bf-b35e-aa7bee028ec1</uuid>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:e1:1e:c3'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>

While the guest is running, 'brctl show' seems fine.

[root@fedora ~]# brctl show
bridge name bridge id       STP enabled interfaces
virbr0      8000.525400e11ec3   yes     virbr0-nic
                                        vnet0

On the host I can ping the guest by its IP (192.168.122.159).

On the guest, I can access the internet and can also ssh to my host, but I fail to access samba and ftp on my host.

For example, when I type 'net view \\192.168.122.1' on the guest, 'tcpdump -i vnet0' on the host shows:

15:47:39.041395 IP 192.168.122.159.49717 > fedora.bear.microsoft-ds: Flags [S], seq 160880283, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:47:39.041526 IP fedora.bear > 192.168.122.159: ICMP fedora.bear tcp port microsoft-ds unreachable, length 60

And 'net view' eventually reports 'System error 53: network path not found'. I also checked 'iptables -L -v' (too verbose to paste here); nothing got 'REJECT'ed.

In the case of 'ftp', it is similar to 'samba'.

15:54:13.232366 IP 192.168.122.159.49721 > fedora.bear.ftp: Flags [S], seq 669575524, win 8192, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
15:54:13.232468 IP fedora.bear > 192.168.122.159: ICMP fedora.bear tcp port ftp unreachable, length 60

It seems that the host cannot send packets back to the guest.

Am I missing something? What could be the cause? Thanks.

================= some further information ==========================

I can samba to my host from another machine in the same LAN. I also built a CentOS guest, and can ssh from the host to the CentOS guest. But when I tried 'smbclient' or 'ftp' from the CentOS guest to the host, I got the same tcpdump output and it failed. I am sure the firewalls are turned off on both guests.

I checked 'iptables -L -nv' and 'iptables -L -nv -t nat' on the host; no packet got 'REJECT'ed or 'DROP'ed.

They look like this:

# iptables -L -nv
Chain INPUT (policy ACCEPT 44448 packets, 26M bytes)
 pkts bytes target     prot opt in     out     source               destination         
56062   39M LIBVIRT_INP  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
19164   23M LIBVIRT_FWX  all  --  *      *       0.0.0.0/0            0.0.0.0/0
19164   23M LIBVIRT_FWI  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 9254 1076K LIBVIRT_FWO  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 16104 packets, 2140K bytes)
 pkts bytes target     prot opt in     out     source               destination
24639 3195K LIBVIRT_OUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LIBVIRT_FWI (1 references)
 pkts bytes target     prot opt in     out     source               destination
 9910   22M ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWO (1 references)
 pkts bytes target     prot opt in     out     source               destination
 9254 1076K ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWX (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0

Chain LIBVIRT_INP (1 references)
 pkts bytes target     prot opt in     out     source               destination
   84  5753 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    7  2356 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain LIBVIRT_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    7  2335 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT     tcp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            tcp dpt:68

and

# iptables -L -nv -t nat
Chain PREROUTING (policy ACCEPT 3487 packets, 3421K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 2495 packets, 3341K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 238 packets, 27046 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 227 packets, 24846 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1560  169K LIBVIRT_PRT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LIBVIRT_PRT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    9  1010 RETURN     all  --  *      *       192.168.122.0/24     224.0.0.0/24
    0     0 RETURN     all  --  *      *       192.168.122.0/24     255.255.255.255
   84  4472 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
  144 14416 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24
