Old 05-02-2013, 04:36 PM   #1
jagdip
LQ Newbie
 
Registered: Feb 2011
Posts: 29

Rep: Reputation: 0
kvm based VMs inside centos 6.4 not getting IP address


Hi,

I installed CentOS 6.4 and created a couple of VMs of CentOS 6.4. Earlier both VMs were getting IP addresses, and now eth0 of both VMs cannot connect, i.e. cannot get an IP from the DHCP of the host. It is fine if I flush the firewall with iptables -F. I was playing with the firewall and I might have screwed up something. How do I find out what rules were changed in the firewall which caused it to stop communication from the VMs to the DHCP of the host?
How do I troubleshoot? I need to have the firewall on.
 
Old 05-03-2013, 08:23 AM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 653
There are no rules required for dhcp to work from the host to the guests, only for bridged connections:
Code:
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
Go through your rules one at a time and determine what they're doing, otherwise you may need to post them here.
 
Old 05-03-2013, 10:49 AM   #3
jagdip
LQ Newbie
 
Registered: Feb 2011
Posts: 29

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by kbp View Post
There are no rules required for dhcp to work from the host to the guests, only for bridged connections:
Code:
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
Go through your rules one at a time and determine what they're doing, otherwise you may need to post them here.
Thank you. I applied the above rule and my VM did not get an IP.
Here are the rules from the host:
---------------------------------------------------------------------
[root@host]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth+ -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
---------------------------------------------------------------------
Rules from VM
---------------------------------------------------------------------
[root@guest]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth+ -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
 
Old 05-03-2013, 07:40 PM   #4
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 653
Actually I should clarify my previous statement: you don't need to manually add any rules for libvirt/kvm dhcp - it inserts them automatically at the top of the INPUT chain, so it's less likely that the firewall is the problem.

It may be that dnsmasq isn't listening on the correct interfaces for some reason. Could you provide the output of the following:

Code:
ps -efwww | grep -i masq
This will give you the list of interfaces that it's listening on and the ranges it's serving. Compare this to the network/interface you've connected the VMs to.

Virt-manager -> Edit -> Connection details -> Virtual Networks
 
1 members found this post helpful.
Old 05-04-2013, 09:27 AM   #5
jagdip
LQ Newbie
 
Registered: Feb 2011
Posts: 29

Original Poster
Rep: Reputation: 0
Thank you. It looks like my dnsmasq is listening.

[root@maui init.d]# ps -efwww | grep -i masq
nobody 10769 1 0 Apr19 ? 00:00:02 /usr/sbin/dnsmasq --strict-order --local=// --domain-needed --pid-file=/var/run/libvirt/network/default.pid --conf-file= --except-interface lo --bind-interfaces --listen-address 192.168.122.1 --dhcp-range 192.168.122.2,192.168.122.254 --dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases --dhcp-lease-max=253 --dhcp-no-override --dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default.hostsfile --addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts
nobody 17599 1 0 Apr22 ? 00:00:02 /usr/sbin/dnsmasq --strict-order --local=// --domain-needed --pid-file=/var/run/libvirt/network/outsider.pid --conf-file= --except-interface lo --bind-interfaces --listen-address 192.168.100.1 --dhcp-range 192.168.100.128,192.168.100.254 --dhcp-leasefile=/var/lib/libvirt/dnsmasq/outsider.leases --dhcp-lease-max=127 --dhcp-no-override --dhcp-hostsfile=/var/lib/libvirt/dnsmasq/outsider.hostsfile --addn-hosts=/var/lib/libvirt/dnsmasq/outsider.addnhosts
root 25967 29503 0 09:23 pts/4 00:00:00 grep -i masq

I am not sure what could be wrong. VMs get IPs when I flush the firewall.
 
Old 05-04-2013, 10:26 AM   #6
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 653
So you have 2 virtual networks - default and outsider - and dnsmasq seems to be listening. So to recheck the firewall, please post the output of:
Code:
iptables -L
.. instead of:
Code:
cat /etc/sysconfig/iptables
This way we can see the dynamically added rules as well.
 
Old 05-04-2013, 04:59 PM   #7
jagdip
LQ Newbie
 
Registered: Feb 2011
Posts: 29

Original Poster
Rep: Reputation: 0
[root@maui init.d]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-is-bridged

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
 
Old 05-04-2013, 06:53 PM   #8
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 653
Something is definitely wrong there. Here's an example from my machine of the auto-inserted rules that you should see:
Code:
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
There's a good troubleshooting guide for this exact issue here. Do you have firewalld enabled?
 
Old 05-05-2013, 05:42 PM   #9
jagdip
LQ Newbie
 
Registered: Feb 2011
Posts: 29

Original Poster
Rep: Reputation: 0
Thank you. I restarted libvirtd and it inserted some relevant rules in the firewall table. That fixed the issue. Thank you for pointing to that guide.
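
Added example, not part of any post in this thread: a shell check for the condition diagnosed above, where the saved /etc/sysconfig/iptables rules are loaded without libvirt's dynamically inserted DHCP rule, so guest requests fall through to the final REJECT. The INPUT rules are the host's posted ones; the bridge name virbr0, the exact form of the DHCP rule and the function name dhcp_rule_status are assumptions.

```shell
#!/bin/sh
# INPUT rules copied from the host's /etc/sysconfig/iptables posted in this thread.
STATIC='-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Constructed: a per-bridge DHCP (bootps, udp/67) accept rule; virbr0 is assumed.
DHCP_RULE='-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT'
# Constructed: rule inserted at the top of the chain (healthy state).
FIXED="$DHCP_RULE
$STATIC"
# Constructed: rule appended after the catch-all REJECT (never reached).
SHADOWED="$STATIC
$DHCP_RULE"

# dhcp_rule_status RULES BRIDGE  ->  prints ok | missing | shadowed
# RULES is text in `iptables -S INPUT` form; BRIDGE is the virtual network bridge.
dhcp_rule_status() {
    printf '%s\n' "$1" | awk -v br="$2" '
        /^-A INPUT / {
            n++
            # First rule accepting udp/67 arriving on the bridge.
            if (!acc && $0 ~ ("-i " br " ") && /-p udp/ && /--dport 67 / && /-j ACCEPT/)
                acc = n
            # First unconditional REJECT/DROP: nothing after it is evaluated.
            if (!rej && /^-A INPUT -j (REJECT|DROP)/)
                rej = n
        }
        END {
            if (!acc)                  print "missing"
            else if (rej && rej < acc) print "shadowed"
            else                       print "ok"
        }'
}

# On a live host: dhcp_rule_status "$(iptables -S INPUT)" virbr0
echo "static file only:      $(dhcp_rule_status "$STATIC" virbr0)"
echo "libvirt rule on top:   $(dhcp_rule_status "$FIXED" virbr0)"
echo "rule after REJECT:     $(dhcp_rule_status "$SHADOWED" virbr0)"
```

A "missing" result on the live ruleset matches what post #7 shows for INPUT; restarting libvirtd, as the original poster did, re-inserts the rules without flushing the firewall.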
 
  

