On 2020-06-18 04:32, Eric Garver wrote:
On Thu, Jun 18, 2020 at 03:45:41AM +0800, Ed Greshko wrote:
> On 2020-06-18 00:50, Eric Garver wrote:
>> I didn't see anything odd in your configuration. Can you show the actual rulesets?
>> i.e.
>>
>>   # nft list ruleset
>> and
>>   # iptables-save
>
> OK....
>
> Due to the length of the output I'll attach 2 .txt files. Hope that is acceptable.
>
>
> # Generated by iptables-save v1.8.4 on Thu Jun 18 03:40:11 2020
> *nat
> :PREROUTING ACCEPT [42898:17141290]
> :INPUT ACCEPT [3599:509438]
> :OUTPUT ACCEPT [12945:1130908]
> :POSTROUTING ACCEPT [12319:1005476]
> :LIBVIRT_PRT - [0:0]
> -A POSTROUTING -j LIBVIRT_PRT
> -A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
> -A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
> -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
> -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
> -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
This shows the libvirt network is 192.168.122.0/24. That contradicts what you said in
your original email.
Well, I got my directions wrong.
The VM is on the left. The Wifi connected system is on the right.
"I have 3 systems. 2 HW, 1VM. The 2 HW systems are connected via Wifi.
Below the VM is on the right.
192.168.122.152<---->192.168.122.1/192.168.2.127<---->192.168.2.116"
Knowing this and..
Does that change anything?
[..]
> -A FORWARD -j LIBVIRT_FWI
> -A FORWARD -j LIBVIRT_FWO
> -A OUTPUT -j LIBVIRT_OUT
> -A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
..this bit. It's not a surprise you're getting ICMP unreachable. libvirt's
rules are rejecting the packet. The only reason it works after you disable firewalld is
because firewalld flushes the iptables ruleset on shutdown. I bet if you stop firewalld,
then restart libvirt it still will _not_ work.
I think in the end you need to set up port forwarding for SSH inside libvirt's
configuration.
Even that wouldn't explain why, with the middle system's 3 interfaces being
192.168.122.1/192.168.1.18/192.168.2.127 I can't ssh to 192.168.1.142 from 2.116 with
the FW up.
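As an added illustration of the point about libvirt's LIBVIRT_FWI rules (example code, not from the thread or from libvirt): a small walker over the quoted FORWARD rules that reproduces the kernel's chain traversal for a forwarded packet. It assumes the packet is a new SSH connection from 192.168.2.116 to the VM at 192.168.122.152 leaving on virbr0 (the wifi interface name "wifi0" is a placeholder), and since LIBVIRT_FWO's rules are not shown in the thread that chain is left empty.

```python
import ipaddress

# Constructed input: the FORWARD rules quoted above, re-joined onto one line each
RULESET = """
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
"""
MATCH_OPTS = {"-s": "src", "-d": "dst", "-i": "in", "-o": "out", "--ctstate": "ctstate"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_rules(text):
    # Group iptables-save "-A CHAIN ..." lines into {chain: [(conds, target), ...]}
    chains = {}
    for line in text.splitlines():
        toks = line.split()
        if toks[:1] != ["-A"]:
            continue
        conds, target, i = [], None, 2
        while i < len(toks):
            if toks[i] in MATCH_OPTS:
                conds.append((MATCH_OPTS[toks[i]], toks[i + 1]))
                i += 2
            elif toks[i] == "-j":
                target, i = toks[i + 1], i + 2
            else:
                i += 1  # skip "-m conntrack", "--reject-with ..." and the like
        chains.setdefault(toks[1], []).append((conds, target))
    return chains

def cond_hit(field, val, pkt):
    if field in ("src", "dst"):
        return ipaddress.ip_address(pkt[field]) in ipaddress.ip_network(val)
    return pkt[field] in val.split(",")  # interface name, or list of conntrack states

def rule_matches(conds, pkt):
    return all(cond_hit(f, v, pkt) for f, v in conds)

def verdict(chains, chain, pkt):
    # Walk a chain the way the kernel does; None means it fell through to the policy
    for conds, target in chains.get(chain, []):
        if rule_matches(conds, pkt):
            if target in TERMINAL:
                return target, chain
            sub = verdict(chains, target, pkt)  # jump into a user-defined chain
            if sub is not None:
                return sub
    return None
```

A packet in conntrack state NEW misses the RELATED,ESTABLISHED rule and lands on the REJECT, which is exactly the icmp-port-unreachable seen in the thread; only reply traffic into virbr0 is accepted.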