LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 12-29-2017, 08:24 AM   #1
farenheitcx
LQ Newbie
 
Registered: Nov 2011
Posts: 10

Rep: Reputation: Disabled
Delay on network with iptables rules on KVM hypervisor with routed VMs


I'm having trouble making these rules work properly on Debian Jessie with iptables. The KVM host has 2 networks, one with IP range 192.168.3.0/28 (routed, virbr10) and one with 192.168.1.0/24 (bridge, br0). I'm following this guide on the Jamie Linux website.

**Problem 1**: I can connect to the hypervisor via SSH, but after a short time (about 5 minutes) the connection is lost and I have to reconnect. This happened after changing the iptables rules.

**Problem 2**: Delay when trying to connect to shared folders on Windows Server 2012 R2 (same problem on Win2k8 R2), 10 maybe 20 seconds of delay, and sometimes the connection to these folders takes even longer. If I make a successful connection to the folder and come back to the same folder, I can connect directly without problem, but when I go to another folder in the same location, the delay appears again.

I suspect that I am missing some rules in iptables, or have made a simple mistake, or have messed up some performance configuration.

**Here is the iptables rule set:**

Code:
    # Generated by iptables-save v1.6.0 on Thu Dec 21 23:41:52 2017
    *nat
    :PREROUTING ACCEPT [79837:5377767]
    :INPUT ACCEPT [50192:2982968]
    :OUTPUT ACCEPT [783752:47025098]
    :POSTROUTING ACCEPT [784055:47038226]
    -A POSTROUTING -o br0 -j SNAT --to-source 192.168.1.115
    -A PREROUTING -i virbr10 -p tcp --dport 3389 -j DNAT --to-destination 192.168.3.12:3389
    -A POSTROUTING -o virbr10 -j SNAT --to-source 192.168.1.115
    
    -A POSTROUTING -s 192.168.3.0/28 -d 224.0.0.0/24 -j RETURN
    -A POSTROUTING -s 192.168.3.0/28 -d 255.255.255.255/32 -j RETURN
    -A POSTROUTING -s 192.168.3.0/28 ! -d 192.168.3.0/28 -p tcp -j MASQUERADE --to-ports 1024-65535
    -A POSTROUTING -s 192.168.3.0/28 ! -d 192.168.3.0/28 -p udp -j MASQUERADE --to-ports 1024-65535
    -A POSTROUTING -s 192.168.3.0/28 ! -d 192.168.3.0/28 -j MASQUERADE
    -A POSTROUTING -s 192.168.3.0/28 -o br0 -j SNAT --to-source 192.168.3.1
    COMMIT
    # Completed on Thu Dec 21 23:41:52 2017
    # Generated by iptables-save v1.6.0 on Thu Dec 21 23:41:52 2017
    *mangle
    :PREROUTING ACCEPT [23220571:3776706476]
    :INPUT ACCEPT [23190882:3774309601]
    :FORWARD ACCEPT [347:15204]
    :OUTPUT ACCEPT [13284853:83592415572]
    :POSTROUTING ACCEPT [13285200:83592430776]
    -A FORWARD -o virbr10 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
    -A POSTROUTING -o virbr10 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
    COMMIT
    # Completed on Thu Dec 21 23:41:52 2017
    # Generated by iptables-save v1.6.0 on Thu Dec 21 23:41:52 2017
    *filter
    :INPUT ACCEPT [23190882:3774309601]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [13284853:83592415572]
    -A OUTPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-OUTPUT-Dropped: " --log-level 4
    -A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-INPUT-Dropped: " --log-level 4
    -A FORWARD -m limit --limit 2/min -j LOG --log-prefix "IPTables-FWD-Dropped: " --log-level 4
    # SMB2
    -A INPUT -i br0 -d 192.168.1.115/24 -p udp --dport 137:139 -m state --state NEW -j ACCEPT
    -A INPUT -i virbr10 -s 192.168.3.12 -d 192.168.1.0/24 -p tcp --sport 445 -m state --state NEW -j ACCEPT
    # Because Outlook does a ping first to locate the PST file
    # on the network
    -A INPUT -p icmp -d 192.168.1.115 -j ACCEPT
    -A FORWARD -s 192.168.1.0/24 -i br0 -p tcp --dport 445 -j ACCEPT
    -A FORWARD -s 192.168.3.0/28 -i virbr10 -p tcp --sport 445 -j ACCEPT
    -A OUTPUT -o br0 -p icmp -d 192.168.1.0/24 -j ACCEPT
    -A OUTPUT -o virbr10 -p icmp -s 192.168.1.0/24 -j ACCEPT
    -A OUTPUT -o virbr10 -p tcp --dport 445 -s 192.168.1.115 -j ACCEPT
    -A OUTPUT -o virbr10 -p udp --sport 137:139 -s 192.168.1.115 -j ACCEPT
    
    -A INPUT -i virbr10 -p udp -m udp -m multiport --dports 53,67 -j ACCEPT
    -A INPUT -i virbr10 -p tcp -m tcp -m multiport --dports 53,67 -j ACCEPT
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    #-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS  --clamp-mss-to-pmtu
    #-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1440
    -A FORWARD -d 192.168.3.0/28 -o virbr10 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -d 192.168.3.0/28 -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 192.168.3.0/28 -i virbr10 -j ACCEPT
    -A FORWARD -s 192.168.1.0/24 -i br0 -j ACCEPT
    -A FORWARD -d 192.168.3.0/28 -o virbr1 -j ACCEPT
    -A FORWARD -s 192.168.3.0/28 -i virbr1 -j ACCEPT
    -A FORWARD -i virbr1 -o virbr1 -j ACCEPT
    -A FORWARD -i virbr10 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -o virbr10 -j REJECT --reject-with icmp-port-unreachable
    -A OUTPUT -o virbr10 -p udp -m udp --dport 68 -j ACCEPT
    COMMIT
    # Completed on Thu Dec 21 23:41:52 2017
***Bridge interfaces***

Code:
    root@server:/home# brctl show
    bridge name     bridge id               STP enabled     interfaces
    br0             8000.0cc47ac18d3c       no              eth2
                                                            vnet0
                                                            vnet1
                                                            vnet3
                                                            vnet4
                                                            vnet5
                                                            vnet7
    virbr10         8000.525400c4b847       yes             virbr10-dummy
                                                            vnet2
***Route table***

Code:
    root@server:/home# ip route list
    default via 192.168.1.1 dev br0
    192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.115
    192.168.3.0/28 dev virbr10  proto kernel  scope link  src 192.168.3.1
***All server interfaces***

Code:
    root@server:/home# ip addr list
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
        link/ether 0c:c4:7a:55:a0:40 brd ff:ff:ff:ff:ff:ff
    3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
        link/ether 0c:c4:7a:55:a0:41 brd ff:ff:ff:ff:ff:ff
    4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
        link/ether 0c:c4:7a:c1:8d:3c brd ff:ff:ff:ff:ff:ff
    5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
        link/ether 0c:c4:7a:c1:8d:3d brd ff:ff:ff:ff:ff:ff
    6: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
        link/ether 0c:c4:7a:c1:8d:3c brd ff:ff:ff:ff:ff:ff
        inet 192.168.1.115/24 brd 192.168.1.255 scope global br0
           valid_lft forever preferred_lft forever
        inet6 fe80::ec4:7aff:fec1:8d3c/64 scope link
           valid_lft forever preferred_lft forever
    8: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 500
        link/ether fe:16:3e:ea:18:01 brd ff:ff:ff:ff:ff:ff
        inet6 fe80::fc16:3eff:feea:1801/64 scope link
           valid_lft forever preferred_lft forever
    9: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 500
        link/ether fe:16:3e:53:d3:c4 brd ff:ff:ff:ff:ff:ff
        inet6 fe80::fc16:3eff:fe53:d3c4/64 scope link
           valid_lft forever preferred_lft forever
    29: vnet3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 500
        link/ether fe:54:00:ef:a3:61 brd ff:ff:ff:ff:ff:ff
        inet6 fe80::fc54:ff:feef:a361/64 scope link
           valid_lft forever preferred_lft forever
    30: vnet4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 500
        link/ether fe:54:00:2b:d1:0b brd ff:ff:ff:ff:ff:ff
        inet6 fe80::fc54:ff:fe2b:d10b/64 scope link
           valid_lft forever preferred_lft forever
    84: vnet5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 500
        link/ether fe:54:00:eb:06:f7 brd ff:ff:ff:ff:ff:ff
        inet6 fe80::fc54:ff:feeb:6f7/64 scope link
           valid_lft forever preferred_lft forever
    97: vnet7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 500
        link/ether fe:54:00:88:60:9a brd ff:ff:ff:ff:ff:ff
        inet6 fe80::fc54:ff:fe88:609a/64 scope link
           valid_lft forever preferred_lft forever
    98: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default
        link/ether aa:a6:d7:fd:7b:63 brd ff:ff:ff:ff:ff:ff
    100: virbr10-dummy: <BROADCAST,NOARP> mtu 1500 qdisc noop master virbr10 state DOWN group default
        link/ether 52:54:00:c4:b8:47 brd ff:ff:ff:ff:ff:ff
    101: virbr10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
        link/ether 52:54:00:c4:b8:47 brd ff:ff:ff:ff:ff:ff
        inet 192.168.3.1/28 brd 192.168.3.15 scope global virbr10
           valid_lft forever preferred_lft forever
        inet6 fe80::5054:ff:fec4:b847/64 scope link
           valid_lft forever preferred_lft forever
    102: vnet2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virbr10 state UNKNOWN group default qlen 500
        link/ether fe:54:00:9b:62:b2 brd ff:ff:ff:ff:ff:ff
        inet6 fe80::fc54:ff:fe9b:62b2/64 scope link
           valid_lft forever preferred_lft forever

Thanks in advance!
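A rule-ordering check for an iptables-save dump like the one above, as an added example that is not part of the original post: it parses the dump format (`*table`, `:CHAIN POLICY`, `-A` rules) and reports two things a reviewer of this kind of ruleset looks for first, a LOG rule placed before any terminating rule in a chain whose policy is ACCEPT (it then logs accepted traffic too, so a "Dropped" prefix is misleading), and a rule whose match clauses are a superset of an earlier ACCEPT/DROP/REJECT rule in the same chain (it can never be reached). The sample ruleset is constructed for this example and only modelled on the filter table posted; the shadowing test is a textual subset check on match clauses and does not understand match semantics such as `-m limit`.

```python
# Constructed sample in iptables-save format, modelled on the filter table in the thread (not the real dump).
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-INPUT-Dropped: " --log-level 4
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i virbr10 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr10 -p tcp --dport 445 -j ACCEPT
"""

def parse_iptables_save(text):  # -> {table: {chain: {"policy": str, "rules": [rule, ...]}}}
    tables, table = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):                        # *filter, *nat, *mangle
            table = tables.setdefault(line[1:], {})
        elif line.startswith(":"):                      # :CHAIN POLICY [pkts:bytes]
            name, policy = line[1:].split()[:2]
            table[name] = {"policy": policy, "rules": []}
        elif line.startswith("-A "):
            table[line.split()[1]]["rules"].append(line)
    return tables

def split_rule(rule):  # -> (frozenset of match clauses such as '-i virbr10', jump target or None)
    toks = rule.split()
    j = toks.index("-j") if "-j" in toks else len(toks)
    clauses = []
    for t in toks[2:j]:                                 # skip the leading '-A CHAIN'
        if clauses and t != "!" and (not t.startswith("-") or clauses[-1] == "!"):
            clauses[-1] += " " + t                      # option argument, or option after '!'
        else:
            clauses.append(t)
    return frozenset(clauses), (toks[j + 1] if j + 1 < len(toks) else None)

def audit(tables):
    """Flag LOG rules that fire on accepted traffic and rules an earlier decision shadows."""
    findings = []
    for tname, chains in tables.items():
        for cname, chain in chains.items():
            seen = []                                   # (rule no, matches, target) of terminating rules
            for n, rule in enumerate(chain["rules"], 1):
                matches, target = split_rule(rule)
                if target == "LOG" and not seen and chain["policy"] == "ACCEPT":
                    findings.append(f"{tname}/{cname} rule {n}: LOG fires on every packet of an ACCEPT chain")
                shadow = next((m for m, earlier, _ in seen if earlier <= matches), None)
                if shadow:
                    findings.append(f"{tname}/{cname} rule {n}: shadowed by rule {shadow}, never reached")
                if target in ("ACCEPT", "DROP", "REJECT"):
                    seen.append((n, matches, target))
    return findings
```

Feed it the real dump with `audit(parse_iptables_save(open("rules.txt").read()))` to list the findings for every table and chain.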
 
Old 01-02-2018, 07:58 AM   #2
farenheitcx
LQ Newbie
 
Registered: Nov 2011
Posts: 10

Original Poster
Rep: Reputation: Disabled
Can anyone help me with this?
Tags
iptables, kvm, networking, route