Old 01-02-2013, 10:16 AM   #1
irreverentryan
RHEVM SPICE console not working on one subnet


Hi all,

I've got a RHEVM 3.0 machine running RHEL6. I have it set up with two interfaces, em1 (facing the rhev network) and em2 (facing our company's network, or for all intents and purposes, the outside world.)

The interfaces are configured as follows:
Code:
DEVICE=em1
BOOTPROTO=none
IPADDR=192.168.10.100
NETMASK=255.255.255.0
NETWORK=192.168.10.0
HWADDR=00:21:9b:a7:40:4c
NM_CONTROLLED=no
ONBOOT=yes
TYPE=Ethernet
UUID="1331ac7b-3faa-4dcc-a3ba-61c0f75fce60"
DHCP_HOSTNAME=rhevm-01.MMC.DOMAIN
DNS2=192.168.1.150
GATEWAY=192.168.1.16
DNS1=192.168.1.39
IPV6INIT=no
USERCTL=no

Code:
DEVICE=em2
BOOTPROTO=none
NM_CONTROLLED=yes
ONBOOT=yes
TYPE=Ethernet
UUID="3b68f8f2-88b5-40e4-a62f-cf778232eef3"
HWADDR=00:21:9b:a7:40:4e
IPADDR=192.168.1.16
PREFIX=24
GATEWAY=192.168.1.244
DNS1=192.168.1.39
DNS2=192.168.1.150
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System em2"
NETMASK=255.255.255.0
USERCTL=no

As far as routing internet traffic, all nodes on the 192.168.10.0/24 network are able to access Google, Facebook, etc.

I am also able to VNC into the RHEVM machine from the 192.168.1.0/24 network. I am able to access the RHEVM web interface from both networks, but when I access it from 192.168.1.0/24, I am unable to run the VM consoles. All I have to do is switch which subnet I'm on and I am immediately able to access this feature. I am assuming it is a firewall issue, but I am pretty inexperienced with iptables commands. My current iptables config is as follows:

Code:
#Custom Firewall
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o em2 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]

#IP Forwarding
-A FORWARD -i em2 -o em1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i em1 -o em2 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

-A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
COMMIT

Is there a quick and dirty way to make this machine allow any any to and from both networks? Or can I just add a line to allow spice?

Thanks!

-Ryan
 
Old 01-03-2013, 07:40 PM   #2
kbp
You can take the gateway out of em1 for a start, the host shouldn't have itself as a next hop. It's probably the MASQUERADE line that's causing trouble, try removing it.
 
1 members found this post helpful.
Old 01-04-2013, 09:30 AM   #3
irreverentryan
Hi kbp,

Thanks so much for the reply. I commented out the MASQUERADE line, and I was then able to access the spice console from both networks, however I lost the ability to access the internet from the internal network. I also removed the default gateway from the em1 configuration.

I can keep the default gateway out of the mix, as it seems to not have made any difference, however the MASQUERADE line seems to be necessary for internet communication. Any thoughts on an additional MASQUERADE line, or additional arguments for that command that would allow both internet access and access to the spice console from both networks?

Thanks again

-Ryan
 
Old 01-04-2013, 10:44 PM   #4
kbp
Assuming the next hop (192.168.1.244) is your firewall/internet router, it will need a static route added for 192.168.10.0/24 via 192.168.1.16.

Previously the masquerade was NATing the 192.168.10.0 network traffic to the 192.168.1.16 interface so return traffic knew how to get back.

Last edited by kbp; 01-04-2013 at 10:46 PM.
 
1 members found this post helpful.
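
The return-path reasoning in the reply above, as an added example that is not part of the original thread: it models longest-prefix route lookup on the router (192.168.1.244) and the RHEVM host (192.168.1.16) to show where a reply ends up with and without MASQUERADE and the static route. The router's routing table (its LAN plus an upstream default) and the internal node 192.168.10.20 are constructed assumptions.

```python
import ipaddress

RHEVM = "192.168.1.16"     # em2 address from the thread
ROUTER = "192.168.1.244"   # next hop from the thread

def lookup(routes, dst):
    """Longest-prefix match: returns 'direct', a next-hop IP, or a label."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(net), hop) for net, hop in routes
            if addr in ipaddress.ip_network(net)]
    if not hits:
        return "unreachable"
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def trace(tables, start, dst, max_hops=8):
    """Follow a packet addressed to dst hop by hop, starting at node start."""
    path, node = [start], start
    for _ in range(max_hops):
        hop = lookup(tables[node], dst)
        if hop == "direct":
            return path + ["delivered"]
        if hop not in tables:            # leaves the modelled network
            return path + ["lost:" + hop]
        path.append(hop)
        node = hop
    return path + ["loop"]

def build_tables(static_route):
    # Assumed router table: its own LAN plus a default route to the ISP.
    router = [("192.168.1.0/24", "direct"), ("0.0.0.0/0", "upstream")]
    if static_route:
        router.append(("192.168.10.0/24", RHEVM))
    rhevm = [("192.168.1.0/24", "direct"), ("192.168.10.0/24", "direct"),
             ("0.0.0.0/0", ROUTER)]
    return {ROUTER: router, RHEVM: rhevm}

def reply_fate(masquerade, static_route, inner="192.168.10.20"):
    """Where the router sends a reply to traffic that `inner` originated."""
    # With MASQUERADE the reply is addressed to the RHEVM host's em2 address;
    # without it the reply carries the internal 192.168.10.x address.
    dst = RHEVM if masquerade else inner
    return trace(build_tables(static_route), ROUTER, dst)[-1]

if __name__ == "__main__":
    for nat, route in [(True, False), (False, False), (False, True)]:
        print(f"masquerade={nat} static_route={route}: {reply_fate(nat, route)}")
```
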
Old 01-07-2013, 11:19 AM   #5
irreverentryan
Adding a default route from my client computer to the RHEVM machine worked, thank you!
 
  

