While pinging to 4.2.2.2 with my VM and watching the tcpdump on both the virtual bridge (virbr0) and the ethernet card (enp0s7) on my physical machine, it goes to the 4.2.2.2 server and back to my ethernet card but doesn't make it to the virtual bridge. So I'm thinking it must be the firewall in the host computer. However, when I disable the firewall using "systemctl stop firewalld.service" there is no internet on my VM whatsoever (not even for the 10 seconds after I turn the wired connection in the VM back on). It's like something on my physical computer is disabling my VM's connection, but then something else in the firewall overrides that temporarily.
I also tried disabling the NetworkManager service and enabling the older Network service on both the VM and host, but, like above, I go from a little bit of internet to none.
Physical/Host Computer
IP forwarding is enabled:
Code:
# cat /etc/sysctl.conf
net.ipv4.ip_forward = 1
Code:
# ifconfig
enp0s7: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.212 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::aaab:745d:e3bd:4a77 prefixlen 64 scopeid 0x20<link>
ether 70:71:bc:f6:b5:26 txqueuelen 1000 (Ethernet)
RX packets 5466 bytes 2148224 (2.0 MiB)
RX errors 0 dropped 0 overruns 0 frame 5
TX packets 5230 bytes 457100 (446.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 84 bytes 8148 (7.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 84 bytes 8148 (7.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255
ether 52:54:00:80:40:cb txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
virbr1: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.100.1 netmask 255.255.255.0 broadcast 192.168.100.255
ether 52:54:00:e5:1c:04 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Wired connection configuration:
Code:
HWADDR=70:71:BC:F6:B5:26
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME="Wired connection 1"
UUID=05b47c33-3848-30c3-aae6-9ed92b024d57
ONBOOT=yes
AUTOCONNECT_PRIORITY=-999
Code:
STP=yes
DELAY=2
BRIDGING_OPTS=priority=32768
TYPE=Bridge
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
IPADDR=192.168.122.1
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV4_DNS_PRIORITY=100
IPV6INIT=no
NAME=virbr0
UUID=80bd969b-d4f5-4312-8cc4-21c385f2887b
DEVICE=virbr0
ONBOOT=no
ZONE=
Bridge information:
Code:
# brctl show
bridge name bridge id STP enabled interfaces
virbr0 8000.5254008040cb yes virbr0-nic
vnet0
virbr1 8000.525400e51c04 yes virbr1-nic
MAC addresses for virbr0:
Code:
# brctl showmacs virbr0
port no mac addr is local? ageing timer
1 52:54:00:80:40:cb yes 0.00
1 52:54:00:80:40:cb yes 0.00
2 fe:54:00:9d:ee:a7 yes 0.00
2 fe:54:00:9d:ee:a7 yes 0.00
Code:
# brctl showstp virbr0
virbr0
bridge id 8000.5254008040cb
designated root 8000.5254008040cb
root port 0 path cost 0
max age 20.00 bridge max age 20.00
hello time 2.00 bridge hello time 2.00
forward delay 2.00 bridge forward delay 2.00
ageing time 300.00
hello timer 1.12 tcn timer 0.00
topology change timer 0.00 gc timer 267.13
flags
virbr0-nic (1)
port id 8001 state disabled
designated root 8000.5254008040cb path cost 100
designated bridge 8000.5254008040cb message age timer 0.00
designated port 8001 forward delay timer 0.00
designated cost 0 hold timer 0.00
flags
vnet0 (2)
port id 8002 state forwarding
designated root 8000.5254008040cb path cost 100
designated bridge 8000.5254008040cb message age timer 0.00
designated port 8002 forward delay timer 0.00
designated cost 0 hold timer 0.12
flags
Code:
# virsh net-list
Name State Autostart Persistent
----------------------------------------------------------
default active yes yes
outsider active yes yes
dmesg has some interesting messages like:
Code:
[ 523.517552] tun: Universal TUN/TAP device driver, 1.6
[ 523.517557] tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
[ 523.521060] virbr1: port 1(virbr1-nic) entered blocking state
[ 523.521064] virbr1: port 1(virbr1-nic) entered disabled state
[ 523.521118] device virbr1-nic entered promiscuous mode
[ 523.735787] virbr1: port 1(virbr1-nic) entered blocking state
[ 523.735793] virbr1: port 1(virbr1-nic) entered listening state
[ 523.735842] IPv6: ADDRCONF(NETDEV_UP): virbr1: link is not ready
[ 523.853801] virbr1: port 1(virbr1-nic) entered disabled state
[ 523.868913] virbr0: port 1(virbr0-nic) entered blocking state
[ 523.868919] virbr0: port 1(virbr0-nic) entered disabled state
[ 523.868964] device virbr0-nic entered promiscuous mode
[ 523.965444] FINAL_REJECT: IN=virbr1 OUT= MAC= SRC=192.168.100.1 DST=224.0.0.251 LEN=227 TOS=0x00 PREC=0x00 TTL=255 ID=2713 DF PROTO=UDP SPT=5353 DPT=5353 LEN=207
[ 524.005920] FINAL_REJECT: IN=virbr1 OUT= MAC= SRC=192.168.100.1 DST=224.0.0.251 LEN=140 TOS=0x00 PREC=0x00 TTL=255 ID=2722 DF PROTO=UDP SPT=5353 DPT=5353 LEN=120
[ 524.104607] virbr0: port 1(virbr0-nic) entered blocking state
[ 524.104613] virbr0: port 1(virbr0-nic) entered listening state
[ 524.104662] IPv6: ADDRCONF(NETDEV_UP): virbr0: link is not ready
[ 524.208585] virbr0: port 1(virbr0-nic) entered disabled state
[ 524.215317] FINAL_REJECT: IN=virbr1 OUT= MAC= SRC=192.168.100.1 DST=224.0.0.251 LEN=227 TOS=0x00 PREC=0x00 TTL=255 ID=2842 DF PROTO=UDP SPT=5353 DPT=5353 LEN=207
[ 524.332619] FINAL_REJECT: IN=virbr0 OUT= MAC= SRC=192.168.122.1 DST=224.0.0.251 LEN=227 TOS=0x00 PREC=0x00 TTL=255 ID=36638 DF PROTO=UDP SPT=5353 DPT=5353 LEN=207
[ 524.372974] FINAL_REJECT: IN=virbr0 OUT= MAC= SRC=192.168.122.1 DST=224.0.0.251 LEN=140 TOS=0x00 PREC=0x00 TTL=255 ID=36646 DF PROTO=UDP SPT=5353 DPT=5353 LEN=120
[ 524.465874] FINAL_REJECT: IN=virbr1 OUT= MAC= SRC=192.168.100.1 DST=224.0.0.251 LEN=227 TOS=0x00 PREC=0x00 TTL=255 ID=3022 DF PROTO=UDP SPT=5353 DPT=5353 LEN=207
[ 524.583752] FINAL_REJECT: IN=virbr0 OUT= MAC= SRC=192.168.122.1 DST=224.0.0.251 LEN=227 TOS=0x00 PREC=0x00 TTL=255 ID=36709 DF PROTO=UDP SPT=5353 DPT=5353 LEN=207
[ 524.644295] FINAL_REJECT: IN=enp0s7 OUT= MAC= SRC=192.168.1.212 DST=224.0.0.251 LEN=343 TOS=0x00 PREC=0x00 TTL=255 ID=46916 DF PROTO=UDP SPT=5353 DPT=5353 LEN=323
Code:
# ebtables -L
Bridge table: filter
Bridge chain: INPUT, entries: 1, policy: ACCEPT
-j INPUT_direct
Bridge chain: FORWARD, entries: 1, policy: ACCEPT
-j FORWARD_direct
Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
-j OUTPUT_direct
Bridge chain: INPUT_direct, entries: 0, policy: RETURN
Bridge chain: OUTPUT_direct, entries: 0, policy: RETURN
Bridge chain: FORWARD_direct, entries: 0, policy: RETURN
Code:
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
LOG all -- anywhere anywhere ctstate INVALID LOG level warning prefix "STATE_INVALID_DROP: "
DROP all -- anywhere anywhere ctstate INVALID
LOG all -- anywhere anywhere LOG level warning prefix "FINAL_REJECT: "
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere 192.168.100.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.100.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
LOG all -- anywhere anywhere ctstate INVALID LOG level warning prefix "STATE_INVALID_DROP: "
DROP all -- anywhere anywhere ctstate INVALID
LOG all -- anywhere anywhere LOG level warning prefix "FINAL_REJECT: "
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
OUTPUT_direct all -- anywhere anywhere
Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_public all -- anywhere anywhere [goto]
FWDI_trusted all -- anywhere anywhere
FWDI_public all -- anywhere anywhere [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_public all -- anywhere anywhere [goto]
FWDO_trusted all -- anywhere anywhere
FWDO_public all -- anywhere anywhere [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_direct (1 references)
target prot opt source destination
Chain FWDI_public (2 references)
target prot opt source destination
FWDI_public_log all -- anywhere anywhere
FWDI_public_deny all -- anywhere anywhere
FWDI_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain FWDI_public_allow (1 references)
target prot opt source destination
Chain FWDI_public_deny (1 references)
target prot opt source destination
Chain FWDI_public_log (1 references)
target prot opt source destination
Chain FWDI_trusted (1 references)
target prot opt source destination
FWDI_trusted_log all -- anywhere anywhere
FWDI_trusted_deny all -- anywhere anywhere
FWDI_trusted_allow all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain FWDI_trusted_allow (1 references)
target prot opt source destination
Chain FWDI_trusted_deny (1 references)
target prot opt source destination
Chain FWDI_trusted_log (1 references)
target prot opt source destination
Chain FWDO_public (2 references)
target prot opt source destination
FWDO_public_log all -- anywhere anywhere
FWDO_public_deny all -- anywhere anywhere
FWDO_public_allow all -- anywhere anywhere
Chain FWDO_public_allow (1 references)
target prot opt source destination
Chain FWDO_public_deny (1 references)
target prot opt source destination
Chain FWDO_public_log (1 references)
target prot opt source destination
Chain FWDO_trusted (1 references)
target prot opt source destination
FWDO_trusted_log all -- anywhere anywhere
FWDO_trusted_deny all -- anywhere anywhere
FWDO_trusted_allow all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain FWDO_trusted_allow (1 references)
target prot opt source destination
Chain FWDO_trusted_deny (1 references)
target prot opt source destination
Chain FWDO_trusted_log (1 references)
target prot opt source destination
Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_public all -- anywhere anywhere [goto]
IN_trusted all -- anywhere anywhere
IN_public all -- anywhere anywhere [goto]
Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain INPUT_direct (1 references)
target prot opt source destination
Chain IN_public (2 references)
target prot opt source destination
IN_public_log all -- anywhere anywhere
IN_public_deny all -- anywhere anywhere
IN_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:http ctstate NEW
ACCEPT udp -- anywhere anywhere udp dpt:bootps ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:https ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:domain ctstate NEW
ACCEPT udp -- anywhere anywhere udp dpt:domain ctstate NEW
Chain IN_public_deny (1 references)
target prot opt source destination
Chain IN_public_log (1 references)
target prot opt source destination
Chain IN_trusted (1 references)
target prot opt source destination
IN_trusted_log all -- anywhere anywhere
IN_trusted_deny all -- anywhere anywhere
IN_trusted_allow all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain IN_trusted_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:https ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:domain ctstate NEW
ACCEPT udp -- anywhere anywhere udp dpt:domain ctstate NEW
ACCEPT udp -- anywhere anywhere udp dpt:bootps ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:domain ctstate NEW
ACCEPT udp -- anywhere anywhere udp dpt:domain ctstate NEW
ACCEPT udp -- anywhere anywhere udp dpt:bootpc ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps ctstate NEW
ACCEPT udp -- anywhere anywhere udp dpt:bootps ctstate NEW
ACCEPT icmp -- anywhere anywhere ctstate NEW
Chain IN_trusted_deny (1 references)
target prot opt source destination
Chain IN_trusted_log (1 references)
target prot opt source destination
Chain OUTPUT_direct (1 references)
target prot opt source destination
Virtual Machine
Code:
# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.122.45 netmask 255.255.255.0 broadcast 192.168.122.255
inet6 fe80::d696:f1fa:496:35a prefixlen 64 scopeid 0x20<link>
ether 52:54:00:9d:ee:a7 txqueuelen 1000 (Ethernet)
RX packets 230 bytes 16628 (16.2 KiB)
RX errors 0 dropped 36 overruns 0 frame 0
TX packets 391 bytes 36373 (35.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 182 bytes 14968 (14.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 182 bytes 14968 (14.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255
ether 52:54:00:b6:18:da txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Code:
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=eth0
UUID=47f56cd7-62d6-47c0-b87a-54a7e87d3893
DEVICE=eth0
ONBOOT=yes
IPV6_PRIVACY=no
DNS1=8.8.8.8
DNS2=4.2.2.2
A few other notes:
Tried my virtual machine in both static and automatic (DHCP) IP mode. Same results. I've also tried 8.8.8.8, 4.2.2.2, entering the virtual router's IP address (192.168.122.1), and leaving it blank for my DNS servers.
I'm on an older computer, so to get my ethernet card to work I had to install the kmod-forcedeth-0.64-3.el7_5.elrepo.x86_64.rpm package.
When I enable or disable the firewall, it seems to enable and disable both the ip tables and the eb tables. Other than standing for ethernet bridge tables, I'm not too familiar with eb tables.
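Both the INPUT and FORWARD chains in the iptables listing above log with the same "FINAL_REJECT: " prefix, so the prefix alone does not say which chain rejected a packet. As an added example (not part of the original post), this Python script parses the netfilter LOG fields and uses IN=/OUT= to separate host-bound rejects from forwarded ones; the function names are illustrative and the fourth sample line is constructed for contrast.

```python
import re
from collections import Counter

# Sample input: the first three lines are copied from the dmesg output in the
# post; the fourth is a constructed (hypothetical) forwarded reject for contrast.
SAMPLE = """\
[  523.965444] FINAL_REJECT: IN=virbr1 OUT= MAC= SRC=192.168.100.1 DST=224.0.0.251 LEN=227 TOS=0x00 PREC=0x00 TTL=255 ID=2713 DF PROTO=UDP SPT=5353 DPT=5353 LEN=207
[  524.332619] FINAL_REJECT: IN=virbr0 OUT= MAC= SRC=192.168.122.1 DST=224.0.0.251 LEN=227 TOS=0x00 PREC=0x00 TTL=255 ID=36638 DF PROTO=UDP SPT=5353 DPT=5353 LEN=207
[  524.644295] FINAL_REJECT: IN=enp0s7 OUT= MAC= SRC=192.168.1.212 DST=224.0.0.251 LEN=343 TOS=0x00 PREC=0x00 TTL=255 ID=46916 DF PROTO=UDP SPT=5353 DPT=5353 LEN=323
[  600.000000] FINAL_REJECT: IN=enp0s7 OUT=virbr0 MAC= SRC=4.2.2.2 DST=192.168.122.45 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=1 PROTO=ICMP TYPE=0 CODE=0 ID=7 SEQ=1
"""

# The two LOG prefixes that appear in the iptables listing in the post.
PREFIX = re.compile(r"\b(FINAL_REJECT|STATE_INVALID_DROP): (.*)")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value; value may be empty (OUT=)

def parse(line):
    """Return the LOG fields of one kernel log line, or None if not a LOG line."""
    m = PREFIX.search(line)
    if not m:
        return None
    rec = {"prefix": m.group(1)}
    for key, value in FIELD.findall(m.group(2)):
        rec.setdefault(key, value)  # LEN and ID repeat; keep the IP-header one
    return rec

def chain_of(rec):
    """IN and OUT both set: packet was being routed. Only IN set: host-bound."""
    if rec.get("IN") and rec.get("OUT"):
        return "FORWARD"
    return "INPUT" if rec.get("IN") else "OUTPUT"

def summarize(text):
    """Count rejects by (chain, in-interface, protocol, destination, dport)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse(line)
        if rec:
            key = (chain_of(rec), rec.get("IN", ""), rec.get("PROTO", "-"),
                   rec.get("DST", "-"), rec.get("DPT", "-"))
            counts[key] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```

The FINAL_REJECT lines quoted in the post all have an empty OUT= and are UDP 5353 to 224.0.0.251, so they classify as INPUT rather than FORWARD.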