  1. #1 (Just Joined!; Join Date: Feb 2007; Posts: 98)

    Issue with outgoing port 80


    Hello guys,

    I have a CentOS 6 host server that's running a few KVM virtual machines. To provide network connectivity to my VMs I have NAT (network address translation) set up through iptables.

    Now here's the issue that I'm having: I can connect to outgoing port 80 on my host server:

    -------
    [host@server~]# nc -vz google.com 80
    Connection to google.com 80 port [tcp/http] succeeded!
    -------

    But I cannot connect to port 80 (outgoing) from my Virtual machines:

    -------
    virtual@machine:/root # nc -vz google.com 80
    nc: connect to google.com port 80 (tcp) failed: Operation timed out
    -------

    Now, from my virtual machines, I am actually able to ping out just fine. I simply can't seem to make an outgoing port 80 connection:


    -------
    virtual@machine:/root # ping -c4 google.com
    PING google.com (173.194.40.128): 56 data bytes
    64 bytes from 173.194.40.128: icmp_seq=0 ttl=53 time=90.872 ms
    64 bytes from 173.194.40.128: icmp_seq=1 ttl=53 time=90.872 ms
    64 bytes from 173.194.40.128: icmp_seq=2 ttl=53 time=90.907 ms
    64 bytes from 173.194.40.128: icmp_seq=3 ttl=53 time=90.927 ms

    --- google.com ping statistics ---
    4 packets transmitted, 4 packets received, 0.0% packet loss
    -------

    Here's what my iptables rules look like on the host server:

    --------
    [host@server~]# iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT udp -- anywhere anywhere udp dpt:domain
    ACCEPT tcp -- anywhere anywhere tcp dpt:domain
    ACCEPT udp -- anywhere anywhere udp dpt:bootps
    ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
    libvirt-host-in all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT icmp -- anywhere anywhere
    ACCEPT all -- anywhere anywhere
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
    REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    ACCEPT tcp -- anywhere FreeBSD9 state NEW,RELATED,ESTABLISHED tcp dpt:3d-nfsd
    ACCEPT tcp -- anywhere FreeBSD9 state NEW,RELATED,ESTABLISHED tcp dpt:http
    ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
    ACCEPT all -- 192.168.122.0/24 anywhere
    ACCEPT all -- anywhere anywhere
    REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
    REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
    libvirt-in all -- anywhere anywhere
    libvirt-out all -- anywhere anywhere
    libvirt-in-post all -- anywhere anywhere
    REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain libvirt-host-in (1 references)
    target prot opt source destination

    Chain libvirt-in (1 references)
    target prot opt source destination

    Chain libvirt-in-post (1 references)
    target prot opt source destination

    Chain libvirt-out (1 references)
    target prot opt source destination
    ----------


    From the above, keep in mind that "FreeBSD9" is the name of my guest machine (virtual machine) and the guest's address is 192.168.122.111.

    Please let me know if you guys have any ideas as to why I am not able to make an outgoing port 80 connection from my virtual machines (keep in mind that the firewall is disabled on the virtual machines).

    Thank you in advance for your help.

  2. #2 (Just Joined!; Join Date: Feb 2007; Posts: 98)
    I figured out what the issue is... I have a script that's used for port forwarding for my guest machines. Here's what the script looks like:

    ---------
    #!/bin/bash
    # libvirt qemu hook: $1 is the guest name, $2 is the operation (start / stopped / reconnect)

    Guest_name="GuestMachine"
    Host_port=80
    Guest_ipaddr=192.168.2.4
    Guest_port=80

    if [ "$1" = "$Guest_name" ]
    then
        if [[ $2 = "stopped" || $2 = "reconnect" ]]
        then
            # remove the DNAT for TCP port $Host_port (no interface match, so it applies on every interface)
            iptables -t nat -D PREROUTING -p tcp --dport "$Host_port" -j DNAT \
                --to "$Guest_ipaddr:$Guest_port"

            iptables -D FORWARD -d "$Guest_ipaddr/32" -p tcp -m state --state NEW,RELATED,ESTABLISHED \
                -m tcp --dport "$Guest_port" -j ACCEPT

            #- allows port forwarding from localhost but
            # only if you use the ip (e.g http://192.168.1.20:8888/)
            iptables -t nat -D OUTPUT -p tcp -o lo --dport "$Host_port" -j DNAT \
                --to "$Guest_ipaddr:$Guest_port"
        fi
        if [[ $2 = "start" || $2 = "reconnect" ]]
        then
            # add the DNAT for TCP port $Host_port (no interface match, so it applies on every interface)
            iptables -t nat -I PREROUTING -p tcp --dport "$Host_port" -j DNAT \
                --to "$Guest_ipaddr:$Guest_port"

            iptables -I FORWARD -d "$Guest_ipaddr/32" -p tcp -m state --state NEW,RELATED,ESTABLISHED \
                -m tcp --dport "$Guest_port" -j ACCEPT

            #- allows port forwarding from localhost but
            # only if you use the ip (e.g http://192.168.1.20:8888/)
            iptables -t nat -I OUTPUT -p tcp -o lo --dport "$Host_port" -j DNAT \
                --to "$Guest_ipaddr:$Guest_port"
        fi
    fi
    ----------

    To make a long story short, whatever port is being forwarded by that script, I'm not able to access that port outgoing on the guest machines. In the case above, port 80 is being forwarded, so therefore I'm not able to connect to outgoing port 80 from the guest machines. I did a test and changed the script so that it would forward port 22 (ssh) instead, and when I did that, I was no longer able to access ssh out of any of the guest machines.

    So I've figured out what the issue is, but I have no idea what's causing it to behave this way or even how to fix the issue other than not doing any port forwarding (which I would need in order to access my guest machines externally). If anyone has any ideas, it will be very much appreciated.

    Kind regards!
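The behaviour described in the thread follows from the nat PREROUTING rule: it matches TCP port 80 on every interface, including the libvirt bridge the guests sit on, so a guest's own connection to a remote port 80 is rewritten to the forwarded guest address and never leaves the host. The script below is an added example (not the poster's hook) of the same forwarding with the DNAT and FORWARD rules limited to the host's external interface; it assumes that interface is eth0, uses the guest address 192.168.122.111 quoted earlier in the thread, and prints the rules instead of applying them when DRY_RUN is set.

```shell
#!/bin/bash
# Added example, not the poster's script. libvirt calls the qemu hook as
#   hook <guest name> <operation> ...   ($1 = guest, $2 = start/stopped/reconnect)
# Assumed values: EXT_IF (eth0) is the internet-facing interface; the guest
# address is the one given in the thread.

EXT_IF="${EXT_IF:-eth0}"
Guest_name="GuestMachine"
Host_port=80
Guest_ipaddr=192.168.122.111
Guest_port=80

# Apply a rule, or print it when DRY_RUN is set (lets the rules be reviewed
# without root and without touching the live ruleset).
ipt() {
    if [ -n "$DRY_RUN" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# $1 is -I (insert) or -D (delete). The PREROUTING and FORWARD rules carry
# -i "$EXT_IF", so packets arriving from virbr0 (guest traffic to a remote
# port 80) are never matched and are NATed out normally.
forward_rules() {
    local action="$1"
    ipt -t nat "$action" PREROUTING -i "$EXT_IF" -p tcp --dport "$Host_port" \
        -j DNAT --to "$Guest_ipaddr:$Guest_port"
    ipt "$action" FORWARD -i "$EXT_IF" -d "$Guest_ipaddr/32" -p tcp \
        -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport "$Guest_port" -j ACCEPT
    # Host-local access via http://<host ip>/ stays on lo, away from the bridge.
    ipt -t nat "$action" OUTPUT -o lo -p tcp --dport "$Host_port" \
        -j DNAT --to "$Guest_ipaddr:$Guest_port"
}

hook() {
    [ "$1" = "$Guest_name" ] || return 0
    case "$2" in
        stopped)   forward_rules -D ;;
        start)     forward_rules -I ;;
        reconnect) forward_rules -D; forward_rules -I ;;
    esac
}

hook "$@"
```

Run it once with DRY_RUN=1 to confirm every PREROUTING rule carries `-i eth0` before installing it as the libvirt hook.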
