I have a few KVM guests running on a Fedora 22 host using a bridged network. It all seems to be working fine apart from one niggle. One of the guests has Apache running on it. Any access to the web server on the guest shows the IP address of the host in the logs, not the IP address of the actual source. "who -mu" on the guest also shows the IP address, or rather hostname, of the KVM physical host, not the actual source IP I am SSHing from.
So, for example:
I am SSHing from 10.10.10.3 which is a physical Debian host to 10.10.10.5, which is an Ubuntu KVM guest running on the physical Fedora 22 host which is 10.10.10.4. When I have logged in to 10.10.10.5 successfully and do a "who -mu" I see the hostname of the 10.10.10.4 machine, not the 10.10.10.3 machine. Similarly, if I access the Apache pages on 10.10.10.5 from the 10.10.10.3 machine, it is 10.10.10.4 that shows up in the Apache logs.
Here is my ifcfg-br0:
DEVICE=br0
TYPE=Bridge
BOOTPROTO=none
IPADDR=10.10.10.4
NETMASK=255.255.255.0
GATEWAY=10.10.10.22
DNS1=10.10.10.22
SEARCH="example.co"
ONBOOT=yes
NM_CONTROLLED=no
IPV6INIT=no
STP=on
And ifcfg-enp2s0 (the physical adapter on the Fedora host):
TYPE=Ethernet
DEVICE=enp2s0
ONBOOT=yes
BRIDGE=br0
NM_CONTROLLED=no
Would anyone know what I need to do to make the source ip address appear correct? I'm assuming some iptables-fu on the Fedora host?
EDIT: Added iptables outputs as requested. These are from the box running virsh:
# iptables -vnL
Chain INPUT (policy ACCEPT 26M packets, 65G bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
Chain FORWARD (policy ACCEPT 72720 packets, 14M bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
1340M 1496G DOCKER-ISOLATION all -- * * 0.0.0.0/0 0.0.0.0/0
805M 1454G DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
805M 1454G ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
535M 42G ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 27M packets, 1068G bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
31058 4176K ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:80
5388 265K ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:22
Chain DOCKER-ISOLATION (1 references)
pkts bytes target prot opt in out source destination
1340M 1496G RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 3676K packets, 277M bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 10.10.10.4 tcp dpt:443 to:10.10.10.106:443
0 0 DNAT tcp -- * * 0.0.0.0/0 10.10.10.4 tcp dpt:8443 to:10.10.10.50:10000
0 0 DNAT tcp -- * * 0.0.0.0/0 10.10.10.4 tcp dpt:5223 to:10.10.10.50:4040
0 0 DNAT tcp -- * * 0.0.0.0/0 10.10.10.4 tcp dpt:4040 to:10.10.10.50:4040
0 0 DNAT tcp -- * * 0.0.0.0/0 10.10.10.4 tcp dpt:81 to:10.10.10.4:80
24172 6451K DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 165K packets, 65M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 53577 packets, 6455K bytes)
pkts bytes target prot opt in out source destination
3390 251K DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2 622 RETURN all -- * * 192.168.122.0/24 224.0.0.0/24
0 0 RETURN all -- * * 192.168.122.0/24 255.255.255.255
0 0 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24
3506K 210M MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
67578 8512K MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:80
0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:22
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
5716 343K DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:32180 to:172.17.0.2:80
1133 67980 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:32122 to:172.17.0.2:22
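Added example, not part of the original question: a small Python audit script for the kind of output posted above. When the br_netfilter module is loaded (net.bridge.bridge-nf-call-iptables = 1), frames crossing a Linux bridge such as br0 are handed to iptables, including the nat POSTROUTING chain, so a MASQUERADE rule with no source restriction and no outgoing-interface restriction (like the `0.0.0.0/0 -> 0.0.0.0/0` entry in the posted POSTROUTING chain) rewrites the source of bridged guest traffic to the host's own address. That is exactly what makes access logs and login records on a guest unattributable to the real client. The script parses a constructed, abbreviated copy of that POSTROUTING chain, flags catch-all SNAT/MASQUERADE rules, and reports whether bridged traffic would reach them. The sample text, the `NatRule` class, and the helper names are mine, not from the post.

```python
from dataclasses import dataclass

# Constructed sample: an abbreviated copy of the POSTROUTING chain as printed by
# `iptables -vnL -t nat` in the question (column spacing is what iptables prints).
SAMPLE_NAT_POSTROUTING = """\
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out       source               destination
    2   622 RETURN     all  --  *      *         192.168.122.0/24     224.0.0.0/24
    0     0 MASQUERADE all  --  *      *         192.168.122.0/24    !192.168.122.0/24
3506K  210M MASQUERADE all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
67578 8512K MASQUERADE all  --  *      *         0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE tcp  --  *      *         172.17.0.2           172.17.0.2           tcp dpt:80
"""


@dataclass
class NatRule:
    chain: str
    target: str
    proto: str
    in_if: str
    out_if: str
    source: str
    dest: str
    extra: str


def parse_chains(text):
    """Parse `iptables -vnL` style output into NatRule records.

    Column order for IPv4 is: pkts bytes target prot opt in out source destination [match text].
    """
    rules = []
    chain = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        if line.startswith("pkts "):  # column header line
            continue
        parts = line.split(None, 9)
        if len(parts) < 9 or chain is None:
            continue  # not a rule line
        extra = parts[9] if len(parts) > 9 else ""
        rules.append(NatRule(chain, parts[2], parts[3], parts[5], parts[6],
                             parts[7], parts[8], extra))
    return rules


def is_catch_all_snat(rule):
    """A source-rewriting rule with neither a source subnet nor an outgoing interface
    restriction will also rewrite bridged guest traffic once br_netfilter is active."""
    return (rule.target in ("MASQUERADE", "SNAT")
            and rule.source in ("0.0.0.0/0", "anywhere")
            and rule.out_if == "*")


def find_catch_all_snat(text):
    """Return the POSTROUTING rules that can hide the real client address."""
    return [r for r in parse_chains(text)
            if r.chain == "POSTROUTING" and is_catch_all_snat(r)]


def bridged_traffic_hits_iptables(sysctl_value):
    """Interpret the contents of /proc/sys/net/bridge/bridge-nf-call-iptables:
    '1' means frames crossing a bridge are passed to iptables (and nat/POSTROUTING)."""
    return sysctl_value.strip() == "1"


def scoped_masquerade_command(source_cidr, bridge_if):
    """Example of the narrower form such a rule is normally written in (assumed
    rule shape, not taken from the post): limit it to the NAT'd guest subnet and
    exclude the bridge, so bridged LAN traffic keeps its original source."""
    return f"iptables -t nat -A POSTROUTING -s {source_cidr} ! -o {bridge_if} -j MASQUERADE"


if __name__ == "__main__":
    for r in find_catch_all_snat(SAMPLE_NAT_POSTROUTING):
        print(f"catch-all {r.target} in {r.chain}: src={r.source} out={r.out_if}")
    print("bridged frames hit iptables:", bridged_traffic_hits_iptables("1\n"))
    print("narrower alternative:", scoped_masquerade_command("192.168.122.0/24", "br0"))
```

On a real host the same functions can be fed `iptables -vnL -t nat` output and the contents of /proc/sys/net/bridge/bridge-nf-call-iptables (the file only exists when br_netfilter is loaded); a flagged rule together with a value of 1 is the combination to look at first when a bridged guest logs the host's address instead of the client's.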