o5i
February 23, 2017, 8:57am
Hi, I recently installed a Windows 10 VM.
I added a network interface attached to br0.
I can connect to all networks from the VM, but I can't reach the VM by its address (e.g. RDP or ping) from the hypervisor…
I noticed that a new interface shows up (vnet0); maybe I have to add some firewall rules for it?
If I do a `dumpxml` of the running machine, it shows me this:
<interface type='bridge'>
<mac address='52:54:00:ed:a9:25'/>
<source bridge='br0'/>
<target dev='vnet0'/>
<model type='e1000'/>
<alias name='net0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
In edit mode, only this:
<interface type='bridge'>
<mac address='52:54:00:ed:a9:25'/>
<source bridge='br0'/>
<model type='e1000'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
wicked show all
lo up
link: #1, state up
type: loopback
config: compat:suse:/etc/sysconfig/network/ifcfg-lo
leases: ipv4 static granted
addr: ipv4 127.0.0.1/8 [static]
em1 up
link: #2, state up, mtu 1500
type: ethernet, hwaddr 18:66:da:38:76:61
config: compat:suse:/etc/sysconfig/network/ifcfg-em1
p1p1 enslaved
link: #3, state up, mtu 1500, master br0
type: ethernet, hwaddr 00:15:17:90:1d:6f
config: compat:suse:/etc/sysconfig/network/ifcfg-p1p1
p2p1 enslaved
link: #4, state device-up, mtu 1500, master br0
type: ethernet, hwaddr 00:15:17:70:19:a4
config: compat:suse:/etc/sysconfig/network/ifcfg-p2p1
br0 up
link: #5, state up, mtu 1500
type: bridge
config: compat:suse:/etc/sysconfig/network/ifcfg-br0
leases: ipv4 static granted
addr: ipv4 192.168.1.10/24 [static]
route: ipv4 default via 192.168.1.1 [static]
tun0 device-unconfigured
link: #6, state up, mtu 1500
type: tun
addr: ipv4 10.0.0.1/32
vnet0 device-unconfigured
link: #11, state up, mtu 1500, master br0
type: tap, hwaddr fe:54:00:ed:a9:25
route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.1.1 0.0.0.0 UG 0 0 0 br0
10.0.0.0 10.0.0.2 255.255.255.0 UG 0 0 0 tun0
10.0.0.2 * 255.255.255.255 UH 0 0 0 tun0
192.168.1.0 * 255.255.255.0 U 0 0 0 br0
o5i
February 23, 2017, 9:13am
iptables
iptables-save
# Generated by iptables-save v1.4.21 on Thu Feb 23 09:14:22 2017
*nat
:PREROUTING ACCEPT [79:10501]
:INPUT ACCEPT [3:146]
:OUTPUT ACCEPT [21:1901]
:POSTROUTING ACCEPT [89:11373]
-A POSTROUTING -s 10.0.0.0/24 -o br0 -j MASQUERADE
COMMIT
# Completed on Thu Feb 23 09:14:22 2017
# Generated by iptables-save v1.4.21 on Thu Feb 23 09:14:22 2017
*raw
:PREROUTING ACCEPT [2822:362960]
:OUTPUT ACCEPT [1463:329302]
-A PREROUTING -i lo -j CT --notrack
-A OUTPUT -o lo -j CT --notrack
COMMIT
# Completed on Thu Feb 23 09:14:22 2017
# Generated by iptables-save v1.4.21 on Thu Feb 23 09:14:22 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1434:326706]
:forward_ext - [0:0]
:forward_int - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j LOG --log-prefix "SFW2-IN-ACC-EST " --log-tcp-options --log-ip-options
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j LOG --log-prefix "SFW2-IN-ACC-REL " --log-tcp-options --log-ip-options
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -i br0 -j input_int
-A INPUT -j input_ext
-A INPUT -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -j forward_int
-A FORWARD -i em1 -j forward_ext
-A FORWARD -i p1p1 -j forward_ext
-A FORWARD -i p2p1 -j forward_ext
-A FORWARD -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 0 -j LOG --log-prefix SFW2-FWDext-FWD-RELA --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 3 -j LOG --log-prefix SFW2-FWDext-FWD-RELA --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 11 -j LOG --log-prefix SFW2-FWDext-FWD-RELA --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 12 -j LOG --log-prefix SFW2-FWDext-FWD-RELA --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 14 -j LOG --log-prefix SFW2-FWDext-FWD-RELA --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 18 -j LOG --log-prefix SFW2-FWDext-FWD-RELA --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j LOG --log-prefix SFW2-FWDext-FWD-RELA --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 5 -j LOG --log-prefix SFW2-FWDext-FWD-RELA --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_ext -m pkttype --pkt-type multicast -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -m pkttype --pkt-type multicast -j DROP
-A forward_ext -m pkttype --pkt-type broadcast -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -m pkttype --pkt-type broadcast -j DROP
-A forward_ext -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -j DROP
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 0 -j LOG --log-prefix SFW2-FWDint-FWD-RELA --log-tcp-options --log-ip-options
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 3 -j LOG --log-prefix SFW2-FWDint-FWD-RELA --log-tcp-options --log-ip-options
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 11 -j LOG --log-prefix SFW2-FWDint-FWD-RELA --log-tcp-options --log-ip-options
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 12 -j LOG --log-prefix SFW2-FWDint-FWD-RELA --log-tcp-options --log-ip-options
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 14 -j LOG --log-prefix SFW2-FWDint-FWD-RELA --log-tcp-options --log-ip-options
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 18 -j LOG --log-prefix SFW2-FWDint-FWD-RELA --log-tcp-options --log-ip-options
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j LOG --log-prefix SFW2-FWDint-FWD-RELA --log-tcp-options --log-ip-options
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 5 -j LOG --log-prefix SFW2-FWDint-FWD-RELA --log-tcp-options --log-ip-options
-A forward_int -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_int -m pkttype --pkt-type multicast -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -m pkttype --pkt-type multicast -j DROP
-A forward_int -m pkttype --pkt-type broadcast -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -m pkttype --pkt-type broadcast -j DROP
-A forward_int -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -j reject_func
-A input_ext -p udp -m pkttype --pkt-type broadcast -m udp --dport 137 -j LOG --log-prefix "SFW2-ACC-BCASTe " --log-tcp-options --log-ip-options
-A input_ext -p udp -m pkttype --pkt-type broadcast -m udp --dport 137 -j ACCEPT
-A input_ext -p udp -m pkttype --pkt-type broadcast -m udp --dport 138 -j LOG --log-prefix "SFW2-ACC-BCASTe " --log-tcp-options --log-ip-options
-A input_ext -p udp -m pkttype --pkt-type broadcast -m udp --dport 138 -j ACCEPT
-A input_ext -m pkttype --pkt-type broadcast -j LOG --log-prefix "SFW2-DROP-BCASTe " --log-tcp-options --log-ip-options
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SFW2-INext-ACC-SQUENCH " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j LOG --log-prefix "SFW2-INext-ACC-PING " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p udp -m udp --sport 137 -m conntrack --ctstate RELATED -j LOG --log-prefix "SFW2-INext-REL " --log-tcp-options --log-ip-options
-A input_ext -p udp -m udp --sport 137 -m conntrack --ctstate RELATED -j ACCEPT
-A input_ext -p tcp -m tcp --dport 139 -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 139 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 445 -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 445 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 22 -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 5900:5999 -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 5900:5999 -j ACCEPT
-A input_ext -p udp -m udp --dport 1194 -j LOG --log-prefix "SFW2-INext-ACC-UDP " --log-tcp-options --log-ip-options
-A input_ext -p udp -m udp --dport 1194 -j ACCEPT
-A input_ext -p udp -m udp --dport 137 -j LOG --log-prefix "SFW2-INext-ACC-UDP " --log-tcp-options --log-ip-options
-A input_ext -p udp -m udp --dport 137 -j ACCEPT
-A input_ext -p udp -m udp --dport 138 -j LOG --log-prefix "SFW2-INext-ACC-UDP " --log-tcp-options --log-ip-options
-A input_ext -p udp -m udp --dport 138 -j ACCEPT
-A input_ext -m pkttype --pkt-type multicast -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A input_int -j LOG --log-prefix "SFW2-INint-ACC-ALL " --log-tcp-options --log-ip-options
-A input_int -j ACCEPT
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Thu Feb 23 09:14:22 2017
o5i
February 23, 2017, 10:37pm
I solved the problem… The Windows firewall was blocking it…
Now everything works fine.
Nice fix. Thanks for coming back and letting us know the solution.