
Using virt-manager, KVM on Ubuntu, I created a VM with default network configuration (NAT) as described here: https://wiki.libvirt.org/page/VirtualNetworking under NAT mode.

It should have internet connectivity by default, but I am unable to ping internet addresses from the VM. Instead, I get "destination port unreachable" from the corresponding host interface.

[image: ping results]

I suspect it is something to do with the iptables `reject-with icmp-port-unreachable` rules in the FORWARD chain below. The rules were automatically created by virt-manager, but even when I remove the rules, I still get the same problem. Any ideas, please?

```
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             192.168.150.0/24     ctstate RELATED,ESTABLISHED
2    ACCEPT     all  --  192.168.150.0/24     anywhere            
3    ACCEPT     all  --  anywhere             anywhere            
4    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
5    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
6    ACCEPT     all  --  anywhere             192.168.100.0/24     ctstate RELATED,ESTABLISHED
7    ACCEPT     all  --  192.168.100.0/24     anywhere            
8    ACCEPT     all  --  anywhere             anywhere            
9    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
10   REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
11   ACCEPT     all  --  anywhere             anywhere            
12   ACCEPT     all  --  anywhere             anywhere            
13   ACCEPT     all  --  anywhere             anywhere            
14   DOCKER-USER  all  --  anywhere             anywhere            
15   DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
16   ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
17   DOCKER     all  --  anywhere             anywhere            
18   ACCEPT     all  --  anywhere             anywhere            
19   ACCEPT     all  --  anywhere             anywhere            
```

and the NAT rules:

```
Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    RETURN     all  --  192.168.150.0/24     base-address.mcast.net/24 
2    RETURN     all  --  192.168.150.0/24     255.255.255.255     
3    MASQUERADE  tcp  --  192.168.150.0/24    !192.168.150.0/24     masq ports: 1024-65535
4    MASQUERADE  udp  --  192.168.150.0/24    !192.168.150.0/24     masq ports: 1024-65535
5    MASQUERADE  all  --  192.168.150.0/24    !192.168.150.0/24    
6    RETURN     all  --  192.168.100.0/24     base-address.mcast.net/24 
7    RETURN     all  --  192.168.100.0/24     255.255.255.255     
8    MASQUERADE  tcp  --  192.168.100.0/24    !192.168.100.0/24     masq ports: 1024-65535
9    MASQUERADE  udp  --  192.168.100.0/24    !192.168.100.0/24     masq ports: 1024-65535
10   MASQUERADE  all  --  192.168.100.0/24    !192.168.100.0/24    
11   MASQUERADE  all  --  172.17.0.0/16        anywhere            
12   MASQUERADE  all  --  192.168.122.0/24     anywhere            
13   MASQUERADE  all  --  192.168.223.0/24     anywhere            
```

Thanks,

Oluwamayowa
  • The default stuff doesn't create a VM which is on your LAN. You need to create a bridge network interface in your host and then get your VM to use it instead of the default stuff. I do not use netplan, and so only know how to do this the "old" way. See [here](https://askubuntu.com/questions/641903/setting-up-bridged-networking-with-kvm/642009#642009) and [here](https://askubuntu.com/questions/638162/kvm-network-bridge-to-assign-static-ip). – Doug Smythies Feb 08 '20 at 16:45
  • The default iptables listings are actually incomplete, not including network interface information. To determine the actual differences between some of your REJECT rules we would need to see the outputs for `sudo iptables -v -x -n -L` and `sudo iptables -t nat -v -x -n -L`. – Doug Smythies Feb 08 '20 at 16:54
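Added example, not from the question or the comments above: the second comment's point is that `iptables -L` hides the `-i`/`-o` interface matches, so rules 2 through 5 and 7 through 10 look alike when they are not. The script below models libvirt's standard five-rule FORWARD block for a NAT network (ACCEPT established traffic into the bridge, ACCEPT traffic from the bridge's own subnet, ACCEPT bridge-to-bridge, then REJECT everything else in and out of the bridge with `icmp-port-unreachable`) and walks packets through it first-match, the way the kernel does. The bridge names (`virbr1`, `virbr2`), the uplink name (`eth0`), the VM addresses and the remote addresses are assumptions chosen to match the two subnets in the question; the rule shape is libvirt's, the simulator is not.

```python
"""First-match simulator for libvirt's per-network NAT FORWARD rules.

Added illustration, not code from the question. Interface names and
addresses are assumptions; the five-rule block per network is the one
libvirt installs for a NAT-mode network.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    target: str                               # ACCEPT or REJECT
    src: Optional[str] = None                 # -s CIDR, "!" negates
    dst: Optional[str] = None                 # -d CIDR, "!" negates
    in_if: Optional[str] = None               # -i
    out_if: Optional[str] = None              # -o
    ctstate: Optional[Tuple[str, ...]] = None  # -m conntrack --ctstate
    reject_with: Optional[str] = None


@dataclass
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: str
    ctstate: str = "NEW"


def cidr_match(spec: Optional[str], addr: str) -> bool:
    """Match one address against an iptables-style CIDR spec; "!" negates."""
    if spec is None:
        return True
    negated = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negated


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (cidr_match(rule.src, pkt.src)
            and cidr_match(rule.dst, pkt.dst)
            and rule.in_if in (None, pkt.in_if)
            and rule.out_if in (None, pkt.out_if)
            and (rule.ctstate is None or pkt.ctstate in rule.ctstate))


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[int, str, Optional[str]]:
    """Walk the chain top to bottom; return (rule number, verdict, reject type).
    Rule number 0 means no rule matched and the chain policy applied."""
    for num, rule in enumerate(chain, start=1):
        if rule_matches(rule, pkt):
            return num, rule.target, rule.reject_with
    return 0, policy, None


def to_iptables_save(rule: Rule) -> str:
    """Render a rule as `iptables -S FORWARD` would, interfaces included."""
    parts = ["-A FORWARD"]
    for flag, val in (("-s", rule.src), ("-d", rule.dst), ("-i", rule.in_if), ("-o", rule.out_if)):
        if val:
            parts.append(f"{flag} {val}")
    if rule.ctstate:
        parts.append("-m conntrack --ctstate " + ",".join(rule.ctstate))
    parts.append(f"-j {rule.target}")
    if rule.reject_with:
        parts.append(f"--reject-with {rule.reject_with}")
    return " ".join(parts)


def libvirt_nat_rules(bridge: str, cidr: str) -> List[Rule]:
    """The five FORWARD rules libvirt installs per NAT network, in order."""
    return [
        Rule("ACCEPT", dst=cidr, out_if=bridge, ctstate=("RELATED", "ESTABLISHED")),
        Rule("ACCEPT", src=cidr, in_if=bridge),
        Rule("ACCEPT", in_if=bridge, out_if=bridge),
        Rule("REJECT", out_if=bridge, reject_with="icmp-port-unreachable"),
        Rule("REJECT", in_if=bridge, reject_with="icmp-port-unreachable"),
    ]


# Assumed bridge names for the two subnets listed in the question.
FORWARD = libvirt_nat_rules("virbr1", "192.168.150.0/24") + libvirt_nat_rules("virbr2", "192.168.100.0/24")


def vm_to_internet(vm_ip: str, bridge: str) -> Tuple[int, str, Optional[str]]:
    """VM on `bridge` sends a new flow to an internet host via the uplink."""
    return evaluate(FORWARD, Packet(vm_ip, "8.8.8.8", in_if=bridge, out_if="eth0"))


def internet_reply(vm_ip: str, bridge: str) -> Tuple[int, str, Optional[str]]:
    """Reply to that flow coming back in from the uplink (conntrack: ESTABLISHED)."""
    return evaluate(FORWARD, Packet("8.8.8.8", vm_ip, in_if="eth0", out_if=bridge, ctstate="ESTABLISHED"))


def unsolicited_inbound(vm_ip: str, bridge: str) -> Tuple[int, str, Optional[str]]:
    """Unsolicited connection from an outside host straight at the VM."""
    return evaluate(FORWARD, Packet("203.0.113.7", vm_ip, in_if="eth0", out_if=bridge))


if __name__ == "__main__":
    for r in FORWARD:
        print(to_iptables_save(r))
    print("VM in its own subnet  ->", vm_to_internet("192.168.150.10", "virbr1"))
    print("reply to that flow    ->", internet_reply("192.168.150.10", "virbr1"))
    print("unsolicited inbound   ->", unsolicited_inbound("192.168.150.10", "virbr1"))
    print("VM IP outside subnet  ->", vm_to_internet("192.168.50.10", "virbr1"))
    print("VM on the wrong bridge->", vm_to_internet("192.168.150.10", "virbr2"))
```

The two REJECT rules are doing security work, not just getting in the way: the `-o virbrN` one is what turns the NAT network into a one-way boundary by rejecting unsolicited connections from outside before they reach a guest, and the `-i virbrN` one rejects anything a guest sends with a source address outside its own subnet, which is why a VM whose address does not belong to the bridge it is plugged into, or that is plugged into a bridge other than the one its subnet is configured on, gets ICMP port unreachable from the host instead of reaching the internet. Neither condition is visible in an interface-less listing; `sudo iptables -S FORWARD` or the `-v` listing asked for in the comment shows it.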
