KVM guest cannot connect to host, but works vice versa

Question

I have debian 7 on my host machine and I run a KVM vm on it.

My hosts network configuration is this (the relevant parts):

br0       Link encap:Ethernet  HWaddr 68:b5:99:ae:8f:11  
          inet addr:77.244.244.123  Bcast:77.244.245.239 Mask:255.255.255.248
          inet6 addr: fe80::6ab5:99ff:feae:8f11/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:762056 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:44471912 (42.4 MiB)  TX bytes:690 (690.0 B)

eth1      Link encap:Ethernet  HWaddr 68:b5:99:ae:8f:11  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2329129 errors:0 dropped:0 overruns:0 frame:0
          TX packets:156844 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2035457148 (1.8 GiB)  TX bytes:15978289 (15.2 MiB)
          Memory:ef060000-ef07ffff 

My host's interface for internet access:

eth0      Link encap:Ethernet  HWaddr 68:b5:99:ae:8f:10  
          inet addr:146.255.255.123  Bcast:146.255.62.175  Mask:255.255.255.240
          inet6 addr: 2a02:1b8:10:68:6ab5:99ff:feae:8f10/64 Scope:Global
          inet6 addr: fe80::6ab5:99ff:feae:8f10/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:19692653 errors:0 dropped:0 overruns:0 frame:0
          TX packets:46873952 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3070321406 (2.8 GiB)  TX bytes:44921402181 (41.8 GiB)
          Memory:ef000000-ef01ffff 

My host uses eth0 as Interface for internet connection, my KVM guest OS uses br0, which includes eth1. The eth0 interface is intentionally not part of the bridge.

Additional info on the bridge:

bridge name   bridge id          STP enabled  interfaces
br0           8000.68b599ae8f11  no           eth1
                                              vnet0

My host can reach the guest over the network, but my guest cannot connect to the host machine. I am sure I am missing something very simple but I could not find an answer anywhere.

Just to give as much information as possible, here is also my guests interfaces config:

eth0      Link encap:Ethernet  HWaddr 52:54:00:02:98:b7  
          inet addr:77.244.244.123  Bcast:77.244.245.239  Mask:255.255.255.248
          inet6 addr: fe80::5054:ff:fe02:98b7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:26969 errors:0 dropped:22761 overruns:0 frame:0
          TX packets:2344 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2019925 (1.9 MiB)  TX bytes:331567 (323.7 KiB)

My host has the following iptables rules (which should be completely irrelevant to the guest/host communication with each other in my opinion):

G-NET // root@net:/home/geruetzel# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:68

I would appreciate any help you can give me - thanks in advance!

Answer 1

It turns out that you are using the same IP address for the host side of the bridge as for the guest. (It's impossible to see this from your question as you used xx.xx to hide part of the IP addresses; it only came out in one of the comments.)

The bridge IP address is used by the host. When a physical interface such as eth0 is added to a bridge, it must not have an IP address and should be set to promiscuous mode so that it can receive traffic for any of the IP addresses within the bridge.

The guest IP address for a bridge is defined within the guest itself as for a normal eth0 type situation.

In the same way that two devices on a network must have different IP addresses, the guest and host must have different IP addresses. To restate this explicitly: you MUST NOT have the same IP address for host and guest.

I'm impressed that your host and guest can communicate at all with this configuration; I wonder whether, when your host thought it was communicating with your guest, it was actually communicating with itself.

---

Here is a cut-down example, based on the configuration from my home network (I'm not at work right now):

Host (192.168.1.253/24)

$ brctl show brINT
bridge name     bridge id               STP enabled     interfaces
brINT           8000.009c029758d6       no              eth1
                                                        vnet1

$ ip addr show dev brINT
5: brINT: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:9c:02:97:58:d6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.253/24 brd 192.168.1.255 scope global brINT

$ ip addr show dev eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master brINT state UP qlen 1000
    link/ether 00:9c:02:97:58:d6 brd ff:ff:ff:ff:ff:ff

Guest (192.168.1.15/24)

$ ip addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 52:54:00:3c:75:33 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.15/24 brd 192.168.1.255 scope global eth0