Join Log in
Score:0
avatar Server

Firewall / Ip rule issues between two hosts via vSwitch

cn flag
omeganebula

I have two servers in play here, one is a Qemu VM host, the other being a storage box of sorts.

They are hetzner machines, and I have them connected via a vSwitch.

Server1 vSwitch interface:

3: local@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 10:7b:44:b1:5b:7d brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.1/24 brd 192.168.100.255 scope global local
       valid_lft forever preferred_lft forever

Server1(VM host) ip route:

default via <redacted-public-ip> dev eth0 proto static metric 100 
<redacted-public-ip> dev eth0 proto static scope link metric 100 
192.168.10.0/24 dev virbr0 proto kernel scope link src 192.168.10.254 metric 425 <-- virbr0 network
192.168.10.253 via 192.168.100.2 dev local <-- srv02 IP to fit in virbr0 net space

Server2 vSwitch interface:

3: local@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc noqueue state UP group default qlen 1000
    link/ether 08:60:6e:44:d6:2a brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.2/24 brd 192.168.100.255 scope global local
       valid_lft forever preferred_lft forever
    inet 192.168.10.253/24 brd 192.168.10.255 scope global local
       valid_lft forever preferred_lft forever

Server2 ip route:

default via <redacted-public-ip> dev eth0 proto static metric 100 
<redacted-public-ip> dev eth0 proto static scope link metric 100 
192.168.10.0/24 dev local proto kernel scope link src 192.168.10.253  <-- to access virbr0 via vSwitch

I have the routes setup correctly, I guess - since everything works a-ok with the firewalld service off.

However, if I turn it on, the issues start.

These are the firewall zones on Server1 (on which when I disable firewalld everything works)

libvirt (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: virbr0
  sources: 
  services: dhcp dhcpv6 dns ssh tftp
  ports: 
  protocols: icmp ipv6-icmp
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    rule priority="32767" reject


public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 local
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

I have tried turning on masquerade on each of those, both of those at the same time, to no avail. I am "testing" this with a simple ping from Server2, toward one of the VMs on virbr0

Is there anything obvious that I am missing here ?

Thank you all in advance.

30
0 + 0
Score:0
avatar Server
cn flag
omeganebula

I have managed to resolve this, using the following two rules on the QEMU host

firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -o local -i virbr0 -j ACCEPT

firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -o virbr0 -i local -j ACCEPT
0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.