KVM virtual networks not routing properly
 

I have a physical host running RHEL 6 with KVM as a sandbox so I can study for the RHCSA exam. It gets its IP address from my home router on network 192.168.1.0/24.

There are two VMs running on two separate virtual networks via KVM. One on 192.168.122.0/24 (vibr0)and the other on 192.168.100.0/24 (virbr1).

In a previous instance of this configuration the physical host would route traffic from each VM to the home network. I could ping 192.168.1.1 from each VM and obtain DNS resolution. This doesn't seem to be working in the current iteration.

I cannot ping across subnets including to and from the home network to each of the VMs and physical host. From the physical host I can ping the gateway to each of the virtual networks and can also ping the gateway from within the corresponding virtual network. However, the physical host cannot ping either of the two VMs. Of course, I can ping other VMs within each virtual network and the home router from the physical host as well.

Not being as masterful of networking as I probably should be, I'm at a loss as to what to look for. It seems that forwarding isn't working as it should, but I can't figure out how KVM manages iptables. If I run iptables -L I get all kinds of output with no associated rules in /etc/sysconfig/iptables.

Routing table:
iptables -L
For a different look, service iptables status:
If anyone can help me sort this out I would appreciate it.

Hi theillen,

If you suspect that there's a problem with firewall rules, try flushing firewall rules (iptables -F).

My gut -- there might be something slightly off with the KVM network configuration. Write down the current settings for networks (or better yet, back up the contents of the /etc/libvirt/qemu/networks directory).

Use the Virtual Machine Manager to delete --both-- the default and outsider networks and then add them back in. Make sure you use NAT when re-creating the networks.

Thanks again. I don't know if it was flushing iptables or recreating the networks but one of the two did it. More to add to my personal knowledgebase.

i know this is marked as solved but i just wanted to chime in for anyone else stumbling across this...
if you have multiple KVM virtual networks the iptables that get autogenerated are incorrect and setup for failure. this is probably a default approach to keep them seperated, but if you want communication between them you'll need to modify the rules...i even go as far as removing some of the REJECT rules to make it cleaner. e.g

you'll need to add NEW to both initial rules for each virtual network, this needs to happen because if you follow it down the list nothing will match and will get rejected.
the following a simplified list for a cleaner look - notice the NEW state isnt required because the traffic with be matched with an accepted rule and finally at the end the 'any any -reject' will be a catch all for the other reject rules that were removed
you can use either scenario, they both allow connectivity - while the first is more restrictive i think its unnecessary imho...especially for private virtual machines

Solved
 

I believe I was experiencing this same issue and it seems my problem was solved simply by running the iptables -F on hypervisor host and the virtual machine hosts.
I did not re-create the networks again, but the problem disappeared. Great advice, thanks!

This is still valid in 2017
 

From the names of the virtual networks you're creating I believe we're reading from the same book, albeit different editions. iptables -F on the host, and each guest solved the problem. dcd