LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 05-02-2013, 04:36 PM   #1
jagdip
LQ Newbie
 
Registered: Feb 2011
Posts: 29

Rep: Reputation: 0
kvm based VMs inside centos 6.4 not getting IP address


Hi,

I installed CentOS 6.4 and created couple of VMs of CentOS 6.4. Earlier both VMs were getting IP address and now eth0 of both VMs can not connect i.e. can not get IP from DHCP of host. It is fine if i flush firewall with iptables -F. I was playing with firewall and I might have screwed up something. How do i find out what rules were changed in firewall which caused it to stop communication from VMs to DHCP of host?
How do i troubleshoot? I need to have firewall on.
 
Old 05-03-2013, 08:23 AM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 643Reputation: 643Reputation: 643Reputation: 643Reputation: 643Reputation: 643
There are no rules required for dhcp to work from the host to the guests, only for bridged connections:
Code:
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
Go through your rules one at a time and determine what they're doing, otherwise you may need to post them here.
 
Old 05-03-2013, 10:49 AM   #3
jagdip
LQ Newbie
 
Registered: Feb 2011
Posts: 29

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by kbp View Post
There are no rules required for dhcp to work from the host to the guests, only for bridged connections:
Code:
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
Go through your rules one at a time and determine what they're doing, otherwise you may need to post them here.
Thank you. I applied above rule and my VM did not get IP.
here are the rules from host
---------------------------------------------------------------------
[root@host]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth+ -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
---------------------------------------------------------------------
Rules from VM
---------------------------------------------------------------------
[root@guest]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth+ -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
 
Old 05-03-2013, 07:40 PM   #4
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 643Reputation: 643Reputation: 643Reputation: 643Reputation: 643Reputation: 643
Actually I should clarify my previous statement, you don't need to manually add any rules for libvirt/kvm dhcp - it inserts them automatically at the top of the INPUT chain so it's less likely that the firewall is the problem.

It may be that dnsmasq isn't listening on the correct interfaces for some reason, could you provide the output of the following:

Code:
ps -efwww | grep -i masq
This will give you the list of interfaces that it's listening on and the ranges it's serving, compare this to the network/interface you've connected the vm's to.

Virt-manager -> Edit -> Connection details -> Virtual Networks
 
1 members found this post helpful.
Old 05-04-2013, 09:27 AM   #5
jagdip
LQ Newbie
 
Registered: Feb 2011
Posts: 29

Original Poster
Rep: Reputation: 0
Thank you. It looks like my dnsmasq is listening

[root@maui init.d]# ps -efwww | grep -i masq
nobody 10769 1 0 Apr19 ? 00:00:02 /usr/sbin/dnsmasq --strict-order --local=// --domain-needed --pid-file=/var/run/libvirt/network/default.pid --conf-file= --ecept-interface lo --bind-interfaces --listen-address 192.168.122.1 --dhcp-range 192.168.122.2,192.168.122.254 --dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases --dhc-lease-max=253 --dhcp-no-override --dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default.hostsfile --addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts
nobody 17599 1 0 Apr22 ? 00:00:02 /usr/sbin/dnsmasq --strict-order --local=// --domain-needed --pid-file=/var/run/libvirt/network/outsider.pid --conf-file= --xcept-interface lo --bind-interfaces --listen-address 192.168.100.1 --dhcp-range 192.168.100.128,192.168.100.254 --dhcp-leasefile=/var/lib/libvirt/dnsmasq/outsider.leases -dhcp-lease-max=127 --dhcp-no-override --dhcp-hostsfile=/var/lib/libvirt/dnsmasq/outsider.hostsfile --addn-hosts=/var/lib/libvirt/dnsmasq/outsider.addnhosts
root 25967 29503 0 09:23 pts/4 00:00:00 grep -i masq

i am not sure what could be wrong. VMs get IPs when i flush firewall
 
Old 05-04-2013, 10:26 AM   #6
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 643Reputation: 643Reputation: 643Reputation: 643Reputation: 643Reputation: 643
So you have 2 virtual networks - default and outsider, and dnsmasq seems to be listening. So to recheck firewall, please post the output of:
Code:
iptables -L
.. instead of:
Code:
cat /etc/sysconfig/iptables
This way we can see the dynamically added rules as well
 
Old 05-04-2013, 04:59 PM   #7
jagdip
LQ Newbie
 
Registered: Feb 2011
Posts: 29

Original Poster
Rep: Reputation: 0
[root@maui init.d]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-is-bridged

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
 
Old 05-04-2013, 06:53 PM   #8
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 643Reputation: 643Reputation: 643Reputation: 643Reputation: 643Reputation: 643
Something definitely wrong there, here's an example from my machine of the auto inserted rules that you should see:
Code:
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
There's a good troubleshooting guide for this exact issue here. Do you have firewalld enabled ?
 
Old 05-05-2013, 05:42 PM   #9
jagdip
LQ Newbie
 
Registered: Feb 2011
Posts: 29

Original Poster
Rep: Reputation: 0
Thank you. I restarted libvirtd and it inserted some relevant rules in firewall table. that fixed the issue. thank you for pointing to that guide
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Keeping size of VM file down - QEMU/KVM guest running Centos 6, inside Centos 6 host rylan76 Linux - Virtualization and Cloud 2 01-24-2013 03:22 PM
[SOLVED] Accessing services running inside Vms. xeon123 Linux - Networking 1 08-16-2012 07:45 PM
Physical host of KVM VMs with bonded interface - bridging necessary? slimjim Linux - Virtualization and Cloud 1 06-13-2012 03:08 PM
Any way to access old VMs after reinstalling KVM? shadowbox12 Linux - Virtualization and Cloud 3 03-19-2010 10:09 PM
LXer: Using Xen With LVM-Based VMs Instead Of Image-Based VMs (Debian Etch) LXer Syndicated Linux News 0 01-14-2009 08:20 PM


All times are GMT -5. The time now is 02:34 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration