On Thu, Jun 18, 2020 at 03:45:41AM +0800, Ed Greshko wrote:
On 2020-06-18 00:50, Eric Garver wrote:
> I didn't see anything odd in your configuration. Can you show the actual
> rulesets?
> i.e.
>
>   # nft list ruleset
> and
>   # iptables-save
OK....
Due to the length of the output I'll attach 2 .txt files. Hope that is acceptable.
# Generated by iptables-save v1.8.4 on Thu Jun 18 03:40:11 2020
*nat
:PREROUTING ACCEPT [42898:17141290]
:INPUT ACCEPT [3599:509438]
:OUTPUT ACCEPT [12945:1130908]
:POSTROUTING ACCEPT [12319:1005476]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
This shows the libvirt network is 192.168.122.0/24. That contradicts
what you said in your original email.
"I have 3 systems. 2 HW, 1VM. The 2 HW systems are connected via
Wifi. Below the VM is on the right.
192.168.122.152<---->192.168.122.1/192.168.2.127<---->192.168.2.116"
Knowing this and..
[..]
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
..this bit. It's not a surprise you're getting ICMP unreachable.
libvirt's rules are rejecting the packet. The only reason it works after
you disable firewalld is because firewalld flushes the iptables ruleset
on shutdown. I bet if you stop firewalld, then restart libvirt it still
will _not_ work.
I think in the end you need to set up port forwarding for SSH inside
libvirt's configuration.
[..]
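Added example, not part of the thread and not libvirt's own code: the port forwarding Eric points at, done as a libvirt qemu hook script. The guest IP 192.168.122.152 and the virbr0/LIBVIRT_FWI layout come from the ruleset above; the domain name `fedora-vm` and the host port 2222 are assumptions. The rule-building function is separated from execution so the rules can be inspected without root.

```shell
#!/bin/sh
# Example libvirt qemu hook (install as /etc/libvirt/hooks/qemu, mode 0755).
# libvirt runs it as:  qemu <guest-name> <operation> <sub-operation> -
# Assumed values (only the guest IP comes from the original report):
GUEST_NAME="fedora-vm"        # assumed libvirt domain name
GUEST_IP="192.168.122.152"    # the VM from the thread
GUEST_PORT="22"               # sshd inside the VM
HOST_PORT="2222"              # assumed port to expose on the host

# Emit the iptables commands for "add" or "del" without running them, so the
# rule set can be reviewed (or tested) without root and before the guest boots.
port_forward_rules() {
    case "$1" in
        add) nat_op="-I PREROUTING 1"; fwd_op="-I FORWARD 1" ;;
        del) nat_op="-D PREROUTING";   fwd_op="-D FORWARD" ;;
        *)   echo "usage: port_forward_rules add|del" >&2; return 1 ;;
    esac
    # DNAT: connections to the host's HOST_PORT are rewritten to the guest.
    echo "iptables -t nat $nat_op -p tcp --dport $HOST_PORT -j DNAT --to-destination $GUEST_IP:$GUEST_PORT"
    # The ACCEPT is inserted at position 1 of FORWARD. FORWARD jumps to
    # LIBVIRT_FWI, whose last rule is '-o virbr0 -j REJECT', so an appended
    # rule would never be reached and the client would keep getting
    # icmp-port-unreachable. Only NEW is needed: LIBVIRT_FWI already accepts
    # RELATED,ESTABLISHED towards virbr0.
    echo "iptables $fwd_op -o virbr0 -p tcp -d $GUEST_IP --dport $GUEST_PORT -m conntrack --ctstate NEW -j ACCEPT"
}

# Hook entry point: act only for our guest, on the operations libvirt
# documents for adding ("start", "reconnect") and removing ("stopped") rules.
hook_main() {
    [ "$1" = "$GUEST_NAME" ] || return 0
    case "$2" in
        start|reconnect) port_forward_rules add | sh -e ;;
        stopped)         port_forward_rules del | sh -e ;;
    esac
}

# Only dispatch when invoked by libvirt (guest name and operation given).
if [ "$#" -ge 2 ]; then
    hook_main "$@"
fi
```

Run `sh /etc/libvirt/hooks/qemu` with no arguments and call `port_forward_rules add` in a sourced shell to see the exact rules before enabling the hook. Caveat: if firewalld is running with its nftables backend, its own rules are evaluated independently of these iptables-nft rules, so the forward must also be allowed there (check the zone virbr0 sits in with `firewall-cmd --list-all --zone=libvirt`).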