On an Ubuntu Server 24.04 host with a public IP I have installed KVM and made a virtual machine with Ubuntu 24.04 and installed nginx, which may be a reverse proxy for other machines in my KVM. I use iptables on the KVM host, but I have a problem when trying to run curl -v http://8.8.8.8:80 from my virtual machine.
KVM
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000
    link/ether 2e:ac:42:a4:48:b9 brd ff:ff:ff:ff:ff:ff permaddr 2c:ea:7f:7a:32:0d
    altname enp4s0f0
3: eno2: <NO-CARRIER,BROADCAST,MULTICAST,SLAVE,UP> mtu 1500 qdisc mq master bond0 state DOWN group default qlen 1000
    link/ether 2e:ac:42:a4:48:b9 brd ff:ff:ff:ff:ff:ff permaddr 2c:ea:7f:7a:32:0e
    altname enp4s0f1
4: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 2e:ac:42:a4:48:b9 brd ff:ff:ff:ff:ff:ff
    inet 149.62.147.106/27 brd 149.62.147.127 scope global bond0
       valid_lft forever preferred_lft forever
    inet6 fe80::2cac:42ff:fea4:48b9/64 scope link
       valid_lft forever preferred_lft forever
5: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:54:00:af:78:28 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
11: vnet5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master virbr0 state UNKNOWN group default qlen 1000
    link/ether fe:54:00:11:9d:dd brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fe11:9ddd/64 scope link
       valid_lft forever preferred_lft forever
14: vnet8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master virbr0 state UNKNOWN group default qlen 1000
    link/ether fe:54:00:1c:da:20 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fe1c:da20/64 scope link
       valid_lft forever preferred_lft forever

ip route
default via 149.62.147.97 dev bond0 proto static
149.62.147.96/27 dev bond0 proto kernel scope link src 149.62.147.106
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1

virtual machine

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:1c:da:20 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.7/24 metric 100 brd 192.168.122.255 scope global dynamic enp1s0
       valid_lft 2631sec preferred_lft 2631sec
    inet6 fe80::5054:ff:fe1c:da20/64 scope link
       valid_lft forever preferred_lft forever

ip route
default via 192.168.122.1 dev enp1s0 proto dhcp src 192.168.122.7 metric 100
192.168.122.0/24 dev enp1s0 proto kernel scope link src 192.168.122.7 metric 100
192.168.122.1 dev enp1s0 proto dhcp scope link src 192.168.122.7 metric 100

On the VM I try
curl -v http://8.8.8.8:80
*   Trying 8.8.8.8:80...

On the KVM host I see
sudo tcpdump -i virbr0 -vvv -n "host 192.168.122.7"
tcpdump: listening on virbr0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:08:07.249337 IP (tos 0x10, ttl 64, id 43962, offset 0, flags [DF], proto TCP (6), length 96)
    192.168.122.1.33560 > 192.168.122.7.22: Flags [P.], cksum 0x75ac (incorrect -> 0x8708), seq 915997727:915997771, ack 3063824417, win 746, options [nop,nop,TS val 2805168393 ecr 3099057821], length 44
11:08:07.249768 IP (tos 0x10, ttl 64, id 10747, offset 0, flags [DF], proto TCP (6), length 112)
    192.168.122.7.22 > 192.168.122.1.33560: Flags [P.], cksum 0x75bc (incorrect -> 0xdcfe), seq 1:61, ack 44, win 501, options [nop,nop,TS val 3099073396 ecr 2805168393], length 60
11:08:07.249799 IP (tos 0x10, ttl 64, id 43963, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.122.1.33560 > 192.168.122.7.22: Flags [.], cksum 0x7580 (incorrect -> 0x5500), seq 44, ack 61, win 746, options [nop,nop,TS val 2805168394 ecr 3099073396], length 0
11:08:07.269787 IP (tos 0x10, ttl 64, id 43964, offset 0, flags [DF], proto TCP (6), length 88)
    192.168.122.1.33560 > 192.168.122.7.22: Flags [P.], cksum 0x75a4 (incorrect -> 0x6343), seq 44:80, ack 61, win 746, options [nop,nop,TS val 2805168414 ecr 3099073396], length 36
11:08:07.269915 IP (tos 0x10, ttl 64, id 10748, offset 0, flags [DF], proto TCP (6), length 88)
    192.168.122.7.22 > 192.168.122.1.33560: Flags [P.], cksum 0x75a4 (incorrect -> 0x6de4), seq 61:97, ack 80, win 501, options [nop,nop,TS val 3099073416 ecr 2805168414], length 36
11:08:07.289657 IP (tos 0x10, ttl 64, id 43965, offset 0, flags [DF], proto TCP (6), length 88)
    192.168.122.1.33560 > 192.168.122.7.22: Flags [P.], cksum 0x75a4 (incorrect -> 0x3986), seq 80:116, ack 97, win 746, options [nop,nop,TS val 2805168434 ecr 3099073416], length 36
11:08:07.289750 IP (tos 0x10, ttl 64, id 10749, offset 0, flags [DF], proto TCP (6), length 88)
    192.168.122.7.22 > 192.168.122.1.33560: Flags [P.], cksum 0x75a4 (incorrect -> 0x253f), seq 97:133, ack 116, win 501, options [nop,nop,TS val 3099073436 ecr 2805168434], length 36
11:08:07.310709 IP (tos 0x10, ttl 64, id 43966, offset 0, flags [DF], proto TCP (6), length 88)

but tcpdump -i bond0 sees no packets at all.
iptables
sudo iptables -L -n -v
Chain INPUT (policy DROP 799 packets, 182K bytes)
 pkts bytes target       prot opt in     out     source               destination
27422 5301K LIBVIRT_INP  0    --  *      *       0.0.0.0/0            0.0.0.0/0
17953 8678K ACCEPT       0    --  lo     *       0.0.0.0/0            0.0.0.0/0
27088 2028K ACCEPT       0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   20  1316 ACCEPT       1    --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT       1    --  virbr0 *       0.0.0.0/0            0.0.0.0/0
    9   468 ACCEPT       6    --  *      *       213.235.84.194       0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT       6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT       6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 ACCEPT       6    --  *      *       192.168.122.0/24     0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT       17   --  *      *       192.168.122.0/24     0.0.0.0/0            udp dpt:53
  797  182K LOG          0    --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "IPTables-Dropped. "

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target       prot opt in     out     source               destination
   51  3220 LIBVIRT_FWX  0    --  *      *       0.0.0.0/0            0.0.0.0/0
   16  1120 LIBVIRT_FWI  0    --  *      *       0.0.0.0/0            0.0.0.0/0
    4   294 LIBVIRT_FWO  0    --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT       1    --  *      *       0.0.0.0/0            0.0.0.0/0
    4   220 ACCEPT       6    --  *      *       0.0.0.0/0            192.168.122.7        tcp dpt:80
    1    40 ACCEPT       6    --  *      *       0.0.0.0/0            192.168.122.7        tcp dpt:443
    0     0 ACCEPT       0    --  virbr0 bond0   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT       0    --  bond0  virbr0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT       0    --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT       6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 ACCEPT       6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT       0    --  *      *       192.168.122.7        0.0.0.0/0
    0     0 ACCEPT       0    --  *      *       192.168.122.0/24     0.0.0.0/0

Chain OUTPUT (policy ACCEPT 26860 packets, 14M bytes)
 pkts bytes target       prot opt in     out     source               destination
27030   11M LIBVIRT_OUT  0    --  *      *       0.0.0.0/0            0.0.0.0/0
17953 8678K ACCEPT       0    --  *      lo      0.0.0.0/0            0.0.0.0/0
   11   852 ACCEPT       1    --  *      virbr0  0.0.0.0/0            0.0.0.0/0

Chain LIBVIRT_FWI (1 references)
 pkts bytes target       prot opt in     out     source               destination
    4   442 ACCEPT       0    --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    8   384 REJECT       0    --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWO (1 references)
 pkts bytes target       prot opt in     out     source               destination
    4   294 ACCEPT       0    --  virbr0 *       192.168.122.0/24     0.0.0.0/0
    0     0 REJECT       0    --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWX (1 references)
 pkts bytes target       prot opt in     out     source               destination
   35  2100 ACCEPT       0    --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0

Chain LIBVIRT_INP (1 references)
 pkts bytes target       prot opt in     out     source               destination
    6   424 ACCEPT       17   --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT       6    --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    4  1310 ACCEPT       17   --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT       6    --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain LIBVIRT_OUT (1 references)
 pkts bytes target       prot opt in     out     source               destination
    0     0 ACCEPT       17   --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT       6    --  *      virbr0  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    4  1312 ACCEPT       17   --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT       6    --  *      virbr0  0.0.0.0/0            0.0.0.0/0            tcp dpt:68

forwarding
cat /proc/sys/net/ipv4/ip_forward
1

Even if I try in the VM
curl -v google.com
* Host google.com:80 was resolved.
* IPv6: 2a00:1450:4014:80b::200e
* IPv4: 142.251.36.110
*   Trying 142.251.36.110:80...
*   Trying [2a00:1450:4014:80b::200e]:80...
* Immediate connect fail for 2a00:1450:4014:80b::200e: Network is unreachable

curl -4 -v google.com
* Host google.com:80 was resolved.
* IPv6: (none)
* IPv4: 142.251.37.110
*   Trying 142.251.37.110:80...

Maybe I have the resolution. It seems the problem was in NAT. I tried this:
iptables -t nat -F
iptables -t nat -A PREROUTING -d 149.62.147.106 -p tcp --dport 80 -j DNAT --to-destination 192.168.122.7
iptables -t nat -A PREROUTING -d 149.62.147.106 -p tcp --dport 443 -j DNAT --to-destination 192.168.122.7
iptables -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -o bond0 -j MASQUERADE
iptables -A FORWARD -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.122.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT

and this gives me a response from curl on the VM.
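Added example, not part of the question or of libvirt's own tooling: a POSIX sh check for the three things a VM behind a libvirt NAT bridge needs for egress, which is what the thread above works through (ip_forward on, a MASQUERADE/SNAT rule in nat POSTROUTING, and a FORWARD accept past the DROP policy). The rule dumps embedded below are constructed samples in iptables -S format, and the function and variable names are assumptions of this example.

```shell
#!/bin/sh
# Constructed samples in `iptables -S` format (not captured from the host in
# the question). NAT_BEFORE has the DNAT rule but no source NAT, the state the
# thread ends up diagnosing; NAT_AFTER adds the MASQUERADE rule from the fix.
NAT_BEFORE='-P POSTROUTING ACCEPT
-A PREROUTING -d 149.62.147.106/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.122.7'
NAT_AFTER="$NAT_BEFORE
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -o bond0 -j MASQUERADE"
FILTER='-P FORWARD DROP
-A FORWARD -i virbr0 -o bond0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'

# check_vm_egress SUBNET BRIDGE UPLINK IP_FORWARD NAT_DUMP FILTER_DUMP
# Prints each missing precondition; the exit status is the number missing.
check_vm_egress() {
    subnet=$1 bridge=$2 uplink=$3 fwd=$4 nat=$5 filter=$6
    missing=0
    # 1. The kernel must route between interfaces at all.
    if [ "$fwd" != 1 ]; then
        echo "net.ipv4.ip_forward is $fwd, need 1"
        missing=$((missing + 1))
    fi
    # 2. Replies from the Internet need a public source address: a
    #    MASQUERADE or SNAT rule for the VM subnet leaving the uplink.
    if ! printf '%s\n' "$nat" |
        grep -Eq -- "^-A POSTROUTING -s $subnet .*-o $uplink -j (MASQUERADE|SNAT)"; then
        echo "no MASQUERADE/SNAT for $subnet out $uplink in nat POSTROUTING"
        missing=$((missing + 1))
    fi
    # 3. filter/FORWARD must let bridge->uplink traffic through; with a DROP
    #    policy and no match the VM's SYN disappears silently, as in the tcpdump.
    if ! printf '%s\n' "$filter" |
        grep -Eq -- "^-A FORWARD .*(-i $bridge -o $uplink|-s $subnet).*-j ACCEPT"; then
        echo "no FORWARD accept for $bridge/$subnet toward $uplink"
        missing=$((missing + 1))
    fi
    return $missing
}

# Live usage on a host (needs root), for reference:
#   check_vm_egress 192.168.122.0/24 virbr0 bond0 \
#       "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables -t nat -S)" "$(iptables -S FORWARD)"
```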
"curl -v http://8.8.8.8:80" - What is the problem? What do you expect to see as the response to that web request?

Because as far as I know Google's public resolvers do NOT have web servers running for port 80 and are NOT expected to respond to plain HTTP requests. They only respond to DNS requests on port 53 and DNS over HTTPS requests on port 443.

....curl -v google.com: I obtain "network is unreachable".