Date: Tue, 30 Apr 2013 17:09:25 -0600
Here is a brctl show:

# brctl show
bridge name     bridge id               STP enabled     interfaces
virbr0          8000.5254001b51b6       yes             virbr0-nic
                                                        vnet0
                                                        vnet3
                                                        vnet4
                                                        vnet6
                                                        vnet7
                                                        vnet8
vnet1           8000.bcaec527ae46       no              eth1
                                                        vnet5
vnet2           8000.bcaec527af40       no              eth2

I set up my bridges like this:

1) I create the bridge device such as ifcfg-vnet2 in /etc/sysconfig/network-scripts:

    DEVICE=vnet2
    TYPE=Bridge

2) then I associate the bridge to a physical device:

    # cat /etc/sysconfig/network-scripts/ifcfg-eth2
    DEVICE="eth2"
    HWADDR="BC:AE:C5:27:AF:40"
    ONBOOT="yes"
    TYPE="Ethernet"
    BRIDGE=vnet2

3) then when I choose the network option for a KVM I set it to vnet2 bridged

Otherwise I just choose the virtual network and we don't have access to
the KVM from outside of the KVM server.

Also if it helps, here's a "service iptables status" output:
root@cskvm1 # service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
3 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 192.168.122.0/24 state RELATED,ESTABLISHED
2 ACCEPT all -- 192.168.122.0/24 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
2 MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
3 MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Table: mangle
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 CHECKSUM udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:68 CHECKSUM fill

On 4/30/13 5:03 PM, Steven C Timm wrote:
> Things depend on how you set up the bridged device.
> The way I usually set up a bridged device, I set it up to have eth0 of the bare metal host go
> through the bridge as well. If you do that, you would probably have to change the iptables rules because
> things that were once meant for eth0 would now go to your bridge device.
>
> It would have been helpful to see the output of
> "service iptables status" before you added the bridge, and now.
>
> Also would be helpful to see output of "brctl show"
>
> Steve Timm
>
>
> -----Original Message-----
> From: [log in to unmask] [mailto:[log in to unmask]] On Behalf Of CS DBA
> Sent: Tuesday, April 30, 2013 5:28 PM
> To: scientific-linux-users
> Subject: KVM Issues
>
> Hi all;
>
> I have a KVM server (running SL 6.3); recently I added a bridged device (for a new external facing KVM, i.e. we want to access it without being on the KVM server)
>
> After I added the new bridge I noticed that it was not showing up as an option for the new KVM's network, so I rebooted the KVM server.
>
> Now we have 2 new issues:
>
> 1) we use Untangle as our firewall, we have a firewall rule that forwards all traffic destined for our static IP on a specific port to the KVM box.
> the rule no longer works. Pinged the Untangle folks and they say it's being blocked on the KVM server. Re-pointed the destination for the rule to
> another Linux box in the network and it works fine.
>
> 2) we can no longer access the internet, or other servers in the physical network from one of the
> non-bridged (i.e. just using the virtual network) KVM's
>
> I've done some digging, and I'm baffled. Not to say that that means much
> - I'm not very well versed in the network side of Linux.
>
>
> Thanks in advance for any help you can offer...
>
>
>
>
>
> Here's some of our config data:
>
> ifconfig output (from the KVM server):
> # ifconfig
> eth0 Link encap:Ethernet HWaddr 68:05:CA:0D:F6:1E
> inet addr:192.168.2.110 Bcast:192.168.2.255 Mask:255.255.255.0
> inet6 addr: fe80::6a05:caff:fe0d:f61e/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:13275 errors:0 dropped:0 overruns:0 frame:0
> TX packets:5915 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:1556174 (1.4 MiB) TX bytes:1153356 (1.0 MiB)
> Interrupt:24 Memory:fbfe0000-fc000000
>
> eth1 Link encap:Ethernet HWaddr BC:AE:C5:27:AE:46
> inet6 addr: fe80::beae:c5ff:fe27:ae46/64 Scope:Link
> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:8851 errors:0 dropped:0 overruns:0 frame:0
> TX packets:562 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:1326983 (1.2 MiB) TX bytes:54394 (53.1 KiB)
> Interrupt:48 Memory:fbee0000-fbf00000
>
> eth2 Link encap:Ethernet HWaddr BC:AE:C5:27:AF:40
> inet6 addr: fe80::beae:c5ff:fe27:af40/64 Scope:Link
> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:8535 errors:0 dropped:0 overruns:0 frame:0
> TX packets:91 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:1301040 (1.2 MiB) TX bytes:6194 (6.0 KiB)
> Interrupt:47 Memory:fbde0000-fbe00000
>
> eth3 Link encap:Ethernet HWaddr 68:05:CA:0F:31:2D
> inet addr:192.168.2.171 Bcast:192.168.2.255 Mask:255.255.255.0
> inet6 addr: fe80::6a05:caff:fe0f:312d/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:5794 errors:0 dropped:0 overruns:0 frame:0
> TX packets:693 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:876435 (855.8 KiB) TX bytes:106949 (104.4 KiB)
> Interrupt:40 Memory:fbbe0000-fbc00000
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:184 errors:0 dropped:0 overruns:0 frame:0
> TX packets:184 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:358318 (349.9 KiB) TX bytes:358318 (349.9 KiB)
>
> virbr0 Link encap:Ethernet HWaddr 52:54:00:1B:51:B6
> inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:3459 errors:0 dropped:0 overruns:0 frame:0
> TX packets:4678 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:531194 (518.7 KiB) TX bytes:507061 (495.1 KiB)
>
> vnet0 Link encap:Ethernet HWaddr FE:54:00:F5:60:95
> inet6 addr: fe80::fc54:ff:fef5:6095/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:16288 errors:0 dropped:0 overruns:0 frame:0
> TX packets:18306 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:500
> RX bytes:1914475 (1.8 MiB) TX bytes:1866563 (1.7 MiB)
>
> vnet1 Link encap:Ethernet HWaddr BC:AE:C5:27:AE:46
> inet6 addr: fe80::beae:c5ff:fe27:ae46/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:3503 errors:0 dropped:0 overruns:0 frame:0
> TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:478361 (467.1 KiB) TX bytes:468 (468.0 b)
>
> vnet2 Link encap:Ethernet HWaddr BC:AE:C5:27:AF:40
> inet6 addr: fe80::beae:c5ff:fe27:af40/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:6475 errors:0 dropped:0 overruns:0 frame:0
> TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:940999 (918.9 KiB) TX bytes:1046 (1.0 KiB)
>
> vnet3 Link encap:Ethernet HWaddr FE:54:00:75:97:82
> inet6 addr: fe80::fc54:ff:fe75:9782/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:11356 errors:0 dropped:0 overruns:0 frame:0
> TX packets:13379 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:500
> RX bytes:1157294 (1.1 MiB) TX bytes:1363906 (1.3 MiB)
>
> vnet4 Link encap:Ethernet HWaddr FE:54:00:CF:B4:21
> inet6 addr: fe80::fc54:ff:fecf:b421/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:13640 errors:0 dropped:0 overruns:0 frame:0
> TX packets:16700 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:500
> RX bytes:1482213 (1.4 MiB) TX bytes:1621205 (1.5 MiB)
>
> vnet5 Link encap:Ethernet HWaddr FE:54:00:36:60:83
> inet6 addr: fe80::fc54:ff:fe36:6083/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:474 errors:0 dropped:0 overruns:0 frame:0
> TX packets:3821 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:500
> RX bytes:48490 (47.3 KiB) TX bytes:534549 (522.0 KiB)
>
> vnet6 Link encap:Ethernet HWaddr FE:54:00:40:A9:5C
> inet6 addr: fe80::fc54:ff:fe40:a95c/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:319 errors:0 dropped:0 overruns:0 frame:0
> TX packets:1207 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:500
> RX bytes:36204 (35.3 KiB) TX bytes:82878 (80.9 KiB)
>
>
>
>
>
> brctl show:
> bridge name     bridge id               STP enabled     interfaces
> virbr0          8000.5254001b51b6       yes             virbr0-nic
>                                                         vnet0
>                                                         vnet3
>                                                         vnet4
>                                                         vnet6
> vnet1           8000.bcaec527ae46       no              eth1
>                                                         vnet5
> vnet2           8000.bcaec527af40       no              eth2
>
>
>
> iptables -L:
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
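
Added example, not part of the original messages: a small parser for the `brctl show` layout posted in this thread that reports which guest tap devices share a bridge with a physical NIC, i.e. which guests sit directly on the external segment rather than behind the virbr0 NAT network. The function names and the `ethN` pattern for physical NICs are assumptions made for this example; the sample text is the reply's output re-typed with the tool's usual tab layout.

```python
import re

# Constructed sample: the reply's `brctl show` output, re-typed with tab layout.
SAMPLE = (
    "bridge name\tbridge id\t\tSTP enabled\tinterfaces\n"
    "virbr0\t\t8000.5254001b51b6\tyes\t\tvirbr0-nic\n"
    "\t\t\t\t\t\t\tvnet0\n"
    "\t\t\t\t\t\t\tvnet3\n"
    "\t\t\t\t\t\t\tvnet4\n"
    "\t\t\t\t\t\t\tvnet6\n"
    "\t\t\t\t\t\t\tvnet7\n"
    "\t\t\t\t\t\t\tvnet8\n"
    "vnet1\t\t8000.bcaec527ae46\tno\t\teth1\n"
    "\t\t\t\t\t\t\tvnet5\n"
    "vnet2\t\t8000.bcaec527af40\tno\t\teth2\n"
)

# Assumption: physical NICs on this host are named ethN, as in the message.
PHYSICAL = re.compile(r"^eth\d+$")


def parse_brctl_show(text):
    """Return {bridge: {"id", "stp", "members"}} from `brctl show` output."""
    bridges, current = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[:2] == ["bridge", "name"]:
            continue  # blank line or column header
        if len(fields) == 1:  # continuation row: one more member port
            if current is None:
                raise ValueError("member listed before any bridge: %r" % line)
            bridges[current]["members"].append(fields[0])
        elif len(fields) in (3, 4):  # bridge row, with or without a first member
            current = fields[0]
            bridges[current] = {"id": fields[1], "stp": fields[2] == "yes",
                                "members": fields[3:]}
        else:
            raise ValueError("unrecognised row: %r" % line)
    return bridges


def guests_on_physical_bridges(bridges):
    """Map each bridge that has a physical uplink to the other ports on it."""
    exposed = {}
    for name, info in bridges.items():
        if any(PHYSICAL.match(m) for m in info["members"]):
            exposed[name] = [m for m in info["members"] if not PHYSICAL.match(m)]
    return exposed


if __name__ == "__main__":
    for bridge, taps in guests_on_physical_bridges(parse_brctl_show(SAMPLE)).items():
        print(bridge, "->", ", ".join(taps) or "(no guest attached)")
```

Because rows are classified by token count rather than indentation, the same parser also accepts the output after a mail client or archive has collapsed the tabs to single spaces.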