
I have a few KVM guests running on a Fedora 22 host using a bridged network. It all seems to be working fine apart from one niggle. One of the guests has Apache running on it. Any access to the web server on the guest shows the IP address of the host in the logs, not the IP address of the actual source. "who -mu" on the guest also shows the IP address, or rather hostname, of the KVM physical host, not the actual source IP I am SSHing from.

So, for example:

I am SSHing from 10.10.10.3, which is a physical Debian host, to 10.10.10.5, which is an Ubuntu KVM guest running on the physical Fedora 22 host, which is 10.10.10.4. When I have logged in to 10.10.10.5 successfully and do a "who -mu", I see the hostname of the 10.10.10.4 machine, not the 10.10.10.3 machine. Similarly, if I access the Apache pages on 10.10.10.5 from the 10.10.10.3 machine, it is 10.10.10.4 that shows up in the Apache logs.

Here is my ifcfg-br0:

DEVICE=br0
TYPE=Bridge
BOOTPROTO=none
IPADDR=10.10.10.4
NETMASK=255.255.255.0
GATEWAY=10.10.10.22
DNS1=10.10.10.22
SEARCH="example.co"
ONBOOT=yes
NM_CONTROLLED=no
IPV6INIT=no
STP=on

And ifcfg-enp2s0 (the physical adapter on the Fedora host):

TYPE=Ethernet
DEVICE=enp2s0
ONBOOT=yes
BRIDGE=br0
NM_CONTROLLED=no

Would anyone know what I need to do to make the source ip address appear correct? I'm assuming some iptables-fu on the Fedora host?

EDIT: Added iptables outputs as requested. These are from the box running virsh:

 # iptables -vnL
Chain INPUT (policy ACCEPT 26M packets, 65G bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain FORWARD (policy ACCEPT 72720 packets, 14M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
1340M 1496G DOCKER-ISOLATION  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 805M 1454G DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
 805M 1454G ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 535M   42G ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 27M packets, 1068G bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination
31058 4176K ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:80
 5388  265K ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:22

Chain DOCKER-ISOLATION (1 references)
 pkts bytes target     prot opt in     out     source               destination
1340M 1496G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0



# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 3676K packets, 277M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.10.10.4           tcp dpt:443 to:10.10.10.106:443
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.10.10.4           tcp dpt:8443 to:10.10.10.50:10000
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.10.10.4           tcp dpt:5223 to:10.10.10.50:4040
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.10.10.4           tcp dpt:4040 to:10.10.10.50:4040
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.10.10.4           tcp dpt:81 to:10.10.10.4:80
24172 6451K DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 165K packets, 65M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 53577 packets, 6455K bytes)
 pkts bytes target     prot opt in     out     source               destination
 3390  251K DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   622 RETURN     all  --  *      *       192.168.122.0/24     224.0.0.0/24
    0     0 RETURN     all  --  *      *       192.168.122.0/24     255.255.255.255
    0     0 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24
3506K  210M MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
67578 8512K MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:80
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:22

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
 5716  343K DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:32180 to:172.17.0.2:80
 1133 67980 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:32122 to:172.17.0.2:22
Andy
  • Could you provide the output of `iptables -vnL` and `iptables -vnL -t nat`? It sounds as if your physical host is set to SNAT packets coming into the bridge. Although your question is clear, an actual example might also be useful, if you can share one. – iwaseatenbyagrue Mar 24 '17 at 08:54
  • I've added the iptables outputs. Not sure what you mean by an example that I haven't already given though. – Andy Mar 26 '17 at 14:26

0 Answers
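Added example, not part of the question or its comments: the comment suggests the host is SNATing traffic entering the bridge, and the nat/POSTROUTING dump above does contain a `MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0` rule with a non-zero packet count. On a Fedora host with the br_netfilter module loaded (net.bridge.bridge-nf-call-iptables=1), frames that are only bridged through br0 still pass through nat/POSTROUTING, so such a catch-all rule rewrites their source to the bridge address, which is consistent with the guest seeing 10.10.10.4. The script below audits an `iptables -vnL -t nat` dump for that rule shape and reports whether bridged frames are being handed to iptables at all. The SAMPLE_NAT text is a constructed excerpt modelled on the posted output, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the question or its comments): audit an
# `iptables -vnL -t nat` dump for a catch-all MASQUERADE rule.  With the
# br_netfilter module loaded and net.bridge.bridge-nf-call-iptables=1,
# frames that are only bridged through br0 still traverse nat/POSTROUTING,
# so a rule with wildcard source, destination and out-interface rewrites
# their source to the host's bridge address (10.10.10.4 in the question).

# Constructed sample modelled on the POSTROUTING chain posted above.
SAMPLE_NAT='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   622 RETURN     all  --  *      *       192.168.122.0/24     224.0.0.0/24
    0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24
3506K  210M MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
67578 8512K MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:80'

# Print each nat/POSTROUTING MASQUERADE rule whose out-interface, source
# and destination are all wildcards.  Fields in -vnL output are:
# pkts bytes target prot opt in out source destination [extra]
catchall_masquerade() {
    printf '%s\n' "$1" | awk '
        /^Chain / { in_post = ($2 == "POSTROUTING"); next }
        in_post && $3 == "MASQUERADE" && $7 == "*" &&
            $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" { print }
    '
}

# Number of such rules; 0 means this host is not blanket-SNATing.
catchall_masquerade_count() {
    catchall_masquerade "$1" | awk 'END { print NR }'
}

# Whether bridged frames are handed to iptables at all.  The file only
# exists once br_netfilter is loaded; "absent" means the bridge bypasses
# iptables and a catch-all MASQUERADE could not touch guest traffic.
bridge_nf_call_iptables() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Run against the constructed sample; on a real host replace SAMPLE_NAT
# with "$(iptables -vnL -t nat)".
echo "catch-all MASQUERADE rules: $(catchall_masquerade_count "$SAMPLE_NAT")"
catchall_masquerade "$SAMPLE_NAT"
echo "bridge-nf-call-iptables: $(bridge_nf_call_iptables)"
```

Once the rule is confirmed as the one with the live packet count, the two usual fixes are: delete it by position (`iptables -t nat -vnL POSTROUTING --line-numbers`, then `iptables -t nat -D POSTROUTING <n>`, with `<n>` being the number shown) and, if something on the host genuinely needs NAT on the way out of enp2s0, re-add a rule restricted with `-s` and `-o` to that traffic only; or set `net.bridge.bridge-nf-call-iptables=0` so bridged frames bypass iptables entirely. The caveat with the second option is that it also removes the FORWARD chain from the guests' path, so any host-side filtering between guests and the LAN that relied on it stops applying. Until either is done, every per-client control on the guest (Apache logs, `who`, allow-lists, brute-force lockouts) sees only 10.10.10.4, so attribution is lost and any lockout would apply to the whole host at once.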