On Sat, Dec 5, 2015 at 2:31 AM, Pascal Hambourg <pascal@xxxxxxxxxxxxxxx> wrote:
> Bridge-nf is enabled by default and can cause weird behaviour with NAT. Try to
> disable it :
>
> echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables

Yes, thank you! I never would have found that. Without it, the VM->Host->VM
NAT just eats the packets.

On Mon, Dec 7, 2015 at 12:01 AM, Pascal Hambourg <pascal@xxxxxxxxxxxxxxx> wrote:
> You must also MASQUERADE or SNAT these packets, otherwise the reply
> packets won't be sent back to the host and be de-NATed properly

You're absolutely right. With two more rules:

  iptables -t nat -I POSTROUTING -s 192.168.122.10 -d 192.168.122.10 -p tcp -j MASQUERADE
  iptables -t nat -I POSTROUTING -s 192.168.122.10 -d 192.168.122.10 -p udp -j MASQUERADE

it works!

Gotta say, running `echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables` in
my script makes me a little queasy... but this page suggests that no other
option will work cross-distro:

http://wiki.libvirt.org/page/Net.bridge-nf-call_and_sysctl.conf

I guess that's still the case?

Huge thanks Pascal.

- Scott
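Added example, not code from the thread: a POSIX sh helper that puts the two pieces Scott ended up with (the bridge-nf sysctl and the hairpin MASQUERADE rules) into idempotent functions, and shows the rule set as it applies to VM 192.168.122.10. The DNAT in PREROUTING, the host address 192.168.122.1 and port 8080 are assumptions about how the VM->Host->VM redirect is set up; the thread only shows the MASQUERADE side.

```shell
#!/bin/sh
# Hairpin (VM -> host -> VM) NAT helper for a libvirt-style bridge (virbr0).
# Assumed values: VM 192.168.122.10, host bridge address 192.168.122.1,
# forwarded port 8080 (not from the thread; the DNAT rule is assumed).

BRIDGE_NF=/proc/sys/net/bridge/bridge-nf-call-iptables

# Print the nat-table rules (chain first, then the rule spec) for hairpinning
# $3/tcp+udp sent by VM $1 to host $2 back into the same VM. Pure: no iptables
# is run here, so the output can be reviewed before it is applied.
hairpin_nat_rules() {
    vm=$1; host=$2; port=$3
    for proto in tcp udp; do
        # Redirect the VM's connection to the host address onto the VM (assumed DNAT).
        echo "PREROUTING -s $vm -d $host -p $proto --dport $port -j DNAT --to-destination $vm"
        # After DNAT src and dst are both the VM; MASQUERADE so the reply goes
        # back via the host and is de-NATed (the rules from the post, parametrised).
        echo "POSTROUTING -s $vm -d $vm -p $proto -j MASQUERADE"
    done
}

# Apply the rules above, inserting each one only if iptables -C says it is absent,
# so re-running the script does not stack duplicates.
apply_hairpin_rules() {
    hairpin_nat_rules "$@" | while read -r chain spec; do
        # shellcheck disable=SC2086  # spec is deliberately word-split into arguments
        iptables -t nat -C "$chain" $spec 2>/dev/null || iptables -t nat -I "$chain" $spec
    done
}

# Turn bridge-nf-call-iptables off and verify it. The sysctl file only exists once
# br_netfilter is loaded, which is why a plain sysctl.conf entry can fail at boot.
# Caveat: at 0, iptables stops seeing all bridged VM-to-VM traffic on the bridge,
# not only the hairpinned flows, so host iptables rules no longer filter it.
disable_bridge_nf() {
    [ -e "$BRIDGE_NF" ] || modprobe br_netfilter 2>/dev/null || return 1
    echo 0 > "$BRIDGE_NF" || return 1
    [ "$(cat "$BRIDGE_NF")" = 0 ]
}
```

Run as root with `disable_bridge_nf && apply_hairpin_rules 192.168.122.10 192.168.122.1 8080`; `hairpin_nat_rules` alone prints the four rules for review.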