
Re: [opensuse-security] SuSEfirewall2 und libvirt/kvm

Hi Christian,

I didn't fully understand your setup, so let me repeat what it looks
like to me right now.

VM: (fw0) \
                            + (br0) <--> GW: <--> Internet?
KVM-Host: (eth0)/

Your gateway knows that is reachable inside the internal network
and forwards all traffic to it. So if someone from the Internet sends a
ping to it gets accepted from your gateway and routed.

On the other hand a ping from to the internet is not working,
right? So obviously something gets blocked in your iptables setup.

The reason why your ping to the outside world is working when you turn
off and on the firewall of the KVM host is simple. The connection
tracking is still in place and allows the forward of the ICMP packets
after the firewall has started.

From my experience the best way to find out which rule is missing to
accept the outgoing packets is by modifying the iptables rules
manually. Just save the iptables-save output and edit it.

#> iptables-save > firewall.tmp

#> iptables-restore < firewall.tmp

Usually the OUTPUT policy is set to ACCEPT. So I'm a bit confused why
the outgoing connection has problems.

A simple way to analyse this issue is by adding some LOG rules to the
end of your iptables setup.

-A OUTPUT -s -p icmp -j LOG --log-prefix "TROUBLESHOOTING: "

After you have identified which rule is missing you can do some
SuSEfirewall2 modifications to add that rule.


On Mon, Jun 13, 2016 at 01:45:23PM +0200, Christian wrote:
> Hi,
> having a problem and hope someone can help ...
> All IPs are just examples
> Having a Server (Host) (IP:, GW on which I use KVM
> i.c.w libvirt. So far everything is working ...
> The physical interface 'eth0' is bound to 'br0'.
> Now I have a VM, which also has an 'official IP' (e.g., GW:
> The VM has an 'allowed' MAC, for using in 'bridged' mode ...
> so far everything works, from outside. I am able to ping VM (
> from outside.
> SuSEfirewall2 is active on Host, on VM not yet ...
> finally I am not able to ping to outside on VM.
> If firewall on 'Host' is OFF and I start pinging on VM to outside, the
> ping works ... Even if I start the firewall on 'Host' the ping continues.
> But if I stop ping and start again the ping does not work anymore
> Sadly there are no DROPS in the LOG. It also does not matter if
> I tried to experiment a bit (added new vars ... functions)
> FW_DEV_EXT_PHYS="eth0"
> FW_DEV_VM_PHYS="fw0"
> allow_ext_to_bridge()
> {
>     local iptables
>     case "${FW_FORWARD_EXT_TO_BRIDGED_VM}" in
>         yes) ;;
>         no)  return ;;
>     esac
>     for iptables in "$IPTABLES" "$IP6TABLES"; do
>         $iptables -A FORWARD -m physdev --physdev-in
> "${FW_DEV_EXT_PHYS}" --physdev-out "${FW_DEV_VM_PHYS}" -j ACCEPT
>         $iptables -A FORWARD -m physdev --physdev-in "${FW_DEV_VM_PHYS}"
> --physdev-out "${FW_DEV_EXT_PHYS}" -j ACCEPT
>     done
> }
> an iptables.save will show my stuff like the following
> ---snip---
> -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS
> --clamp-mss-to-pmtu
> -A FORWARD -m physdev --physdev-in eth0 --physdev-out fw0 -j ACCEPT
> -A FORWARD -m physdev --physdev-in fw0 --physdev-out eth0 -j ACCEPT
> -A FORWARD -i br0 -j forward_ext
> ---snip---
> hopefully someone can push me into the right direction ...
> Thank you
> -- 
> Christian
> ----------------------------------------------------
>    - Please do not 'CC' me on list mails.
>           Just reply to the list :)
> ----------------------------------------------------
> The ultimate shop for sportswear and accessories
> http://www.sc24.de
> ----------------------------------------------------
> -- 
> To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
> To contact the owner, e-mail: opensuse-security+owner@xxxxxxxxxxxx

Alexander Bergmann <abergmann@xxxxxxxx>, Security Engineer, GPG:9FFA4886
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)
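The edit-the-dump approach Alexander describes, as an added example that is not part of the thread: the script below works on a constructed iptables-save dump modelled on Christian's snippet (the forward_ext conntrack rule and the chain policies are assumptions), appends the suggested LOG rules to the end of the filter chains, and checks whether both physdev ACCEPT directions for a bridge port pair are present.

```shell
#!/bin/sh
# Constructed iptables-save dump modelled on the snippet in the thread.
# fw0 is the VM's tap device and eth0 the physical NIC, both enslaved to br0.
# The chain policies and the forward_ext rule are assumptions for this example.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward_ext - [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m physdev --physdev-in eth0 --physdev-out fw0 -j ACCEPT
-A FORWARD -m physdev --physdev-in fw0 --physdev-out eth0 -j ACCEPT
-A FORWARD -i br0 -j forward_ext
-A forward_ext -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Append an ICMP LOG rule to the end of each named chain of the filter table.
# A packet that reaches these rules matched nothing earlier in the chain and
# is about to hit the chain policy, so the log line names the failing chain.
# $1 = dump file, $2 = space separated chain names, $3 = log prefix
add_log_rules() {
  awk -v chains="$2" -v prefix="$3" '
    /^\*/ { table = $0 }
    /^COMMIT$/ && table == "*filter" {
      n = split(chains, c, " ")
      for (i = 1; i <= n; i++)
        printf "-A %s -p icmp -j LOG --log-prefix \"%s\"\n", c[i], prefix
    }
    { print }' "$1"
}

# Succeed only if FORWARD accepts bridged traffic in both directions between
# two bridge ports, i.e. both physdev rules from the thread are present.
# $1 = dump file, $2 = first port, $3 = second port
has_physdev_pair() {
  grep -qF -- "-A FORWARD -m physdev --physdev-in $2 --physdev-out $3 -j ACCEPT" "$1" &&
  grep -qF -- "-A FORWARD -m physdev --physdev-in $3 --physdev-out $2 -j ACCEPT" "$1"
}

# Stand-alone run: write the dump to a file, print the edited ruleset.
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp); printf '%s\n' "$SAMPLE_DUMP" > "$f"
  add_log_rules "$f" "FORWARD OUTPUT" "TROUBLESHOOTING: "
  has_physdev_pair "$f" eth0 fw0 && echo "# physdev pair eth0<->fw0 present"
  rm -f "$f"
fi
```

The edited output is what you would feed to iptables-restore; after that, the kernel log shows which chain the VM's ICMP packets fall through, which is the rule SuSEfirewall2 needs to add.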
