Re: Host Machine and Iptables problem




On 05/01/2012 01:27 AM, Barry Brimer wrote:
>> After that I stopped iptables on the host machine and I lost
>> external connectivity on my VMs.
>> The only way I found to make the VMs work again is restarting the
>> host machine. (Starting the iptables service again on the host didn't work.)
>>
>> I'm using CentOS 6.2:  2.6.32-220.7.1.el6.x86_64
>> The host's iptables is the default; I didn't add anything.
>> Why does iptables stop the VMs' connectivity when I stop it?
>
> If you don't have NAT rules in your firewall, internal VM traffic 
> that is not bridged won't get NATed and therefore can't reach the 
> parent network.
Thanks, Barry.

Yes, I thought the same, but my confusion is that I don't see any 
PREROUTING or POSTROUTING rules in the /etc/sysconfig/iptables file.

[root@VS01]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT


But when I run the command iptables -L -t nat, I can see the NAT rules:

[root@VS01]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  tcp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
MASQUERADE  udp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24
MASQUERADE  tcp  --  192.168.100.0/24    !192.168.100.0/24    masq ports: 1024-65535
MASQUERADE  udp  --  192.168.100.0/24    !192.168.100.0/24    masq ports: 1024-65535
MASQUERADE  all  --  192.168.100.0/24    !192.168.100.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Am I missing something?

Thanks!


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
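
The post above shows the gap a practitioner wants to be able to detect: MASQUERADE rules present in the running nat table that are not in /etc/sysconfig/iptables. "service iptables stop" flushes every table, and "service iptables start" only reloads the saved file, so any rule another service inserted at runtime is gone until that service re-adds it. The script below is an added example, not code from the thread or from CentOS or libvirt tooling: it compares a persisted ruleset with an iptables-save style dump of the live tables and lists the rules that exist only at runtime. Both inputs are constructed samples; the nat entries mirror the MASQUERADE rules shown in the post, while the virbr0 interface name, the FORWARD rules and the exact iptables-save spelling of the MASQUERADE rules are assumptions about what a virtualisation service adds, not taken from the post.

```shell
#!/bin/sh
# Added example, not from the thread: list iptables rules that exist only in
# the running kernel tables and are absent from the persisted config file.
# Such rules are flushed by "service iptables stop" and are not recreated by
# "service iptables start", which only reloads /etc/sysconfig/iptables.
set -e

WORK=$(mktemp -d)

# Constructed stand-in for /etc/sysconfig/iptables (filter table only, as in
# the file system-config-firewall wrote on the poster's host).
cat > "$WORK/saved" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# Constructed stand-in for "iptables-save" output on the same host while a
# virtual network is up. The nat table and the two extra FORWARD rules were
# inserted at runtime; the virbr0 name and FORWARD rules are assumptions.
cat > "$WORK/live" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# Print "<table> <rule>" for every -A line, tagged with the *table header it
# falls under, so same-named chains in different tables (OUTPUT exists in
# both nat and filter) are kept apart. Sorted because comm(1) needs it.
extract_rules() {
    awk '/^\*/ { table = substr($0, 2); next }
         /^-A / { print table " " $0 }' "$1" | sort
}

# Rules present in the live dump ($2) but not in the saved file ($1).
# comm -13 suppresses lines unique to the first input and lines common to
# both, leaving only lines unique to the second (live) input.
runtime_only_rules() {
    extract_rules "$1" > "$WORK/saved.rules"
    extract_rules "$2" > "$WORK/live.rules"
    comm -13 "$WORK/saved.rules" "$WORK/live.rules"
}

# Number of such rules, for use in a health check: 0 means nothing is lost
# when the iptables service is restarted from the saved file.
count_runtime_only_rules() {
    runtime_only_rules "$1" "$2" | wc -l | tr -d ' '
}

echo "Rules that vanish on 'service iptables stop' and are not restored by 'start':"
runtime_only_rules "$WORK/saved" "$WORK/live"
```

On a real host the second input comes from "iptables-save" and the first from /etc/sysconfig/iptables. The file system-config-firewall writes uses iptables-save syntax, so the comparison is usually exact, but a hand-edited file can order match options differently from how the kernel prints them back and then shows up as a false positive; in that case generate the baseline with "iptables-save" right after a clean "service iptables restart" and keep that as the reference copy.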

