
#1 2024-07-28 10:10:21

shmu26
Member
Registered: 2021-04-17
Posts: 56

qemu -- no internet in VM when firewall enabled on host

I am using Gufw Firewall on the host. When it is enabled, and denying incoming connections, there is no internet connection in the Windows 10 VM.
The VM runs on qemu, and is managed by virt-manager.
In virt-manager, the network connection is NAT, with device model e1000e.
In /etc/libvirt/network.conf I have it set to:

firewall_backend = "iptables"

All I have to do is toggle Gufw Firewall to off, and the internet works in the VM. But I prefer it on.

Last edited by shmu26 (2024-07-28 10:32:46)


#2 2024-07-28 10:14:58

Head_on_a_Stick
Member
From: The Wirral
Registered: 2014-02-20
Posts: 8,631

Re: qemu -- no internet in VM when firewall enabled on host

Please share the output of

iptables-save

Does this fix things if run on the host:

# ufw allow in on virbr0 from any to any

(Correct the interface name if needed.)

Last edited by Head_on_a_Stick (2024-07-28 10:15:40)


Jin, Jiyan, Azadî


#3 2024-07-28 10:25:26

shmu26
Member
Registered: 2021-04-17
Posts: 56

Re: qemu -- no internet in VM when firewall enabled on host

Head_on_a_Stick wrote:

Does this fix things if run on the host:

# ufw allow in on virbr0 from any to any

(Correct the interface name if needed.)

That command fixed it!
The fix does not persist, unfortunately.
After running that command, the VM now shows internet as working, but in reality, it does not work.

sudo iptables-save

# Generated by iptables-save v1.8.10 (nf_tables) on Sun Jul 28 13:38:41 2024
*filter
:INPUT DROP [4:429]
:FORWARD DROP [4428:241522]
:OUTPUT ACCEPT [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -i virbr0 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Sun Jul 28 13:38:41 2024

Last edited by shmu26 (2024-07-28 10:40:13)

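A small diagnostic, added here and not code from the thread, libvirt or ufw, that reads `iptables-save` output and reports which pieces of the libvirt NAT path are present. Run over the dump in #3 it reports what that dump itself shows: ufw's INPUT rule for virbr0 is there, but the FORWARD chain (policy DROP) has no ACCEPT for virbr0 and there is no nat table or MASQUERADE rule, so guest traffic cannot be forwarded out. The LIBVIRT_* chain names are the ones libvirt creates for its own networks; the sample dump is a constructed subset of the one posted.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread, libvirt or ufw: reads iptables-save
# output on stdin and reports which pieces of the libvirt NAT path are present.
# LIBVIRT_INP/FWI/FWO/PRT are the chains libvirt itself creates for its networks.
# Constructed subset of the dump posted in #3: ufw's INPUT rule for virbr0 exists,
# but there is no FORWARD rule for the bridge and no nat table at all.
SAMPLE_DUMP='*filter
:INPUT DROP [4:429]
:FORWARD DROP [4428:241522]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j ufw-before-forward
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-user-input -i virbr0 -j ACCEPT
COMMIT'

# check_rule <extended-regex> <label>: greps the dump on stdin, prints OK or
# MISSING with the label, and returns 0 only when a matching line exists.
check_rule() {
    if grep -Eq -- "$1"; then
        echo "OK       $2"
    else
        echo "MISSING  $2"
        return 1
    fi
}

# check_vm_nat [bridge]: runs the five checks a NAT guest needs, prints a final
# "missing=N" line and returns N (0 means the whole forwarding path is in place).
check_vm_nat() {
    br=${1:-virbr0}
    dump=$(cat)
    n=0
    printf '%s\n' "$dump" | check_rule "^-A (INPUT|ufw-user-input|LIBVIRT_INP) .*-i $br .*-j ACCEPT" \
        "INPUT accepts from $br (guest DHCP/DNS can reach the host)" || n=$((n + 1))
    printf '%s\n' "$dump" | check_rule "^-A (FORWARD|ufw-user-forward|LIBVIRT_FWO) .*-i $br .*-j ACCEPT" \
        "FORWARD accepts traffic leaving $br towards the uplink" || n=$((n + 1))
    printf '%s\n' "$dump" | check_rule "^-A (FORWARD|ufw-user-forward|LIBVIRT_FWI) .*-o $br .*-j ACCEPT" \
        "FORWARD accepts replies back into $br" || n=$((n + 1))
    printf '%s\n' "$dump" | check_rule '^\*nat$' \
        "nat table present" || n=$((n + 1))
    printf '%s\n' "$dump" | check_rule "^-A (POSTROUTING|LIBVIRT_PRT) .*-j MASQUERADE" \
        "MASQUERADE rule for the guest subnet" || n=$((n + 1))
    echo "missing=$n"
    return $n
}

# Demo on the constructed sample; replace with: sudo iptables-save | check_vm_nat virbr0
printf '%s\n' "$SAMPLE_DUMP" | check_vm_nat virbr0 || true
```

On a real host, the FORWARD and nat checks passing after `ufw enable` is the sign that libvirt's own rules survived the firewall reload; if only the INPUT check passes, the guest can talk to the host but not beyond it.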

#4 2024-07-28 10:37:21

Head_on_a_Stick
Member
From: The Wirral
Registered: 2014-02-20
Posts: 8,631

Re: qemu -- no internet in VM when firewall enabled on host

\o/

Does the change persist? I don't use {g,}ufw so I'm not sure how it works, you might have to toggle a checkbox somewhere in the GUI maze.

Anyway, if this problem is fixed please edit the thread title and add [SOLVED] to let others know. Thanks.


Jin, Jiyan, Azadî


#5 2024-07-28 10:40:46

shmu26
Member
Registered: 2021-04-17
Posts: 56

Re: qemu -- no internet in VM when firewall enabled on host

Please see edited post above


#6 2024-07-28 10:47:21

Head_on_a_Stick
Member
From: The Wirral
Registered: 2014-02-20
Posts: 8,631

Re: qemu -- no internet in VM when firewall enabled on host

If it doesn't persist then you will have to navigate gufw's click maze to find the correct option. I can't help you with that though because I don't use gufw. Perhaps another user will be able to offer some tips.

EDIT: https://xkcd.com/627/ might be helpful here

Last edited by Head_on_a_Stick (2024-07-28 10:51:32)


Jin, Jiyan, Azadî

