Re: Public IP on virtual machine network issue

On 2/13/22 5:38 PM, Tom Ammon wrote:
Can you post the output of iptables -L?

By default, the bridge module in the kernel sends packets traversing the bridge to iptables (in the FORWARD chain I believe) for processing. So if you have configured a DENY policy on the FORWARD chain, or are otherwise filtering in the forward chain, you'll be affecting packets traversing the bridge. Check out this page for details on how to change this behavior: https://wiki.libvirt.org/page/Net.bridge.bridge-nf-call_and_sysctl.conf

That information is *very* out of date; the situation has changed quite a lot since that was written in 2014.

Packets traversing a bridge device are now only filtered if the br_netfilter module is loaded, which isn't done by default. It *is* autoloaded if certain types of iptables rules are added (I can't remember the details of the type of rule though - there was a bug in iptables a year or so ago where autoload of br_netfilter was triggered by libvirt attempting to *remove* a rule of whatever type it was).

Anyway, unless "lsmod | grep br_netfilter" shows that you have br_netfilter loaded, this entire path is a red herring (if you do have it loaded, unload it, and try to figure out why it was loaded).

(Interestingly, this is the 2nd time this particular outdated page has come up in the last week. Has something else broken somewhere that's causing people to search out this page?)


Tom

On Sun, Feb 13, 2022 at 4:08 PM Marcin Groszek <marcin@xxxxxxxxxxxx> wrote:

    I have been struggling with this for weeks and I was unable to find an
    answer on line. Perhaps someone here can help me.

    Oracle Linux 8 running virtualization:

    hardware node has a public IP address on interface bridge0 and physical
    eno1 is a member of the bridge0

    a virtual OS has interface bridged to lan and source is bridge0, IP
    address of virtual OS is also a public one from the same class as the
    hardware node.

    I can route in and out of virtual, I can ping from hardware node to
    virtual and vice versa, so the routing works as it should, sort of.

    When I try tracepath or traceroute from outside to virtual I get !H on
    the last hop

    same result when I try to do the same from hardware node to virtual,
    I get !H

    Also, when I telnet (TCP) to a specific port on virtual where I have a
    daemon LISTENING OR NOT I get: No route to host. Same experiment works
    just fine for ssh port.

    Firewalld is not running, and I just have very basic iptables rules
    like allowing an external address block to ssh to the hardware node and
    to the virtual, and dropping connections from all other sources

    This issue presented itself when I attempted to set up a galera node on
    virtual and port 4567 is responding but 4568 and 4444 are not, but the
    daemons are running and I can clearly see lsof showing "LISTENING"

    I captured the traffic and the TCP as well as UDP are getting to the
    virtual. Is there a preconfigured netfiltering that I am not aware of?

    What am I missing?




-- Best Regards:
    Marcin Groszek
    Business Voip Resource.
    http://www.voipplus.net



--
-----------------------------------------------------------------------------
Tom Ammon
M: (737) 400-9042
thomasammon@xxxxxxxxx
-----------------------------------------------------------------------------
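The reply above boils the question down to a decision: bridged VM traffic can only be affected by the host's iptables FORWARD chain if br_netfilter is loaded and bridge-nf-call-iptables is on. The script below is an added example (not from the thread or from libvirt) that encodes that decision so it can be run against either a live host or captured command output. The `sample_*` values are constructed inputs in the format of `lsmod` and `iptables -S FORWARD`; the address 203.0.113.0/24 in the sample rule is a documentation range, not anything from the thread.

```shell
#!/bin/sh
# Added example: decide whether bridged VM traffic is in the path of the
# host's iptables FORWARD chain. Following the reply's reasoning, it only
# matters if br_netfilter is loaded AND net.bridge.bridge-nf-call-iptables=1.

# $1: text in the format of `lsmod` output. Returns 0 if br_netfilter is listed.
br_netfilter_loaded() {
    printf '%s\n' "$1" | awk '$1 == "br_netfilter" { found = 1 } END { exit (found ? 0 : 1) }'
}

# $1: text in the format of `iptables -S FORWARD`. Prints the chain policy
# (ACCEPT, DROP, ...) or UNKNOWN if no "-P FORWARD" line is present.
forward_policy() {
    printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "FORWARD" { print $3; found = 1 }
                              END { if (!found) print "UNKNOWN" }'
}

# $1: lsmod text, $2: value of net.bridge.bridge-nf-call-iptables ("1", "0" or
# empty when the sysctl key does not exist), $3: iptables -S FORWARD text.
# Prints one of:
#   NOT_IN_PATH     - bridged frames never reach iptables; the FORWARD chain
#                     is a red herring, look elsewhere for the !H / no route
#   FILTERED_DROP   - frames do hit FORWARD and its policy drops by default
#   FILTERED_ACCEPT - frames hit FORWARD; only explicit rules can block them
bridge_diagnosis() {
    if ! br_netfilter_loaded "$1"; then
        echo NOT_IN_PATH
        return 0
    fi
    if [ "$2" != "1" ]; then
        echo NOT_IN_PATH
        return 0
    fi
    case "$(forward_policy "$3")" in
        DROP|REJECT) echo FILTERED_DROP ;;
        *)           echo FILTERED_ACCEPT ;;
    esac
}

# Run the same logic against the real host (needs root for iptables).
# The net.bridge.* sysctl keys only exist while br_netfilter is loaded,
# so an empty value is treated as "not in path".
live_diagnosis() {
    lsmod_out=$(lsmod 2>/dev/null || true)
    nf_call=$(sysctl -n net.bridge.bridge-nf-call-iptables 2>/dev/null || true)
    fwd=$(iptables -S FORWARD 2>/dev/null || true)
    bridge_diagnosis "$lsmod_out" "$nf_call" "$fwd"
}

# Constructed sample inputs (not real command output from the thread).
sample_lsmod_loaded='Module                  Size  Used by
br_netfilter           32768  0
bridge                282624  1 br_netfilter
kvm_intel             339968  0'
sample_lsmod_clean='Module                  Size  Used by
bridge                282624  0
kvm_intel             339968  0'
sample_forward_drop='-P FORWARD DROP
-A FORWARD -s 203.0.113.0/24 -p tcp -m tcp --dport 22 -j ACCEPT'
sample_forward_accept='-P FORWARD ACCEPT'

# Usage: `sh bridge_check.sh --live` on the hypervisor; without the flag the
# file only defines the functions and sample data.
if [ "${1-}" = "--live" ]; then
    live_diagnosis
fi
```

The useful property of the ordering is that the module check comes first: on a host where `lsmod` shows no br_netfilter, the script reports NOT_IN_PATH no matter what the FORWARD chain looks like, which is exactly the reply's point that the iptables output Tom asked for would not explain the !H result in that case.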
