[SOLVED] DHCP assigned guests not able to communicate to host

[sscheib]

Hello,

I'm trying to use a seperate subnet for the VMs on the host system and route them through the hosts main IP.
However I can ping the guest from the host but not vice versa and I really don't know why.

Network configuration on the host:

auto lo
iface lo inet loopback


auto vmbr0
iface vmbr0 inet static
address         5.9.x.x
netmask         255.255.255.224
broadcast       5.9.x.x
gateway         5.9.x.x
bridge_ports    eth0
bridge_stp      off
bridge_fd       1
bridge_hello    2
bridge_message  12
pre-up /sbin/ip addr flush dev eth0 || true


auto vmbr10
iface vmbr10 inet static
    address 10.10.200.1
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '10.10.200.1/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.10.200.1/24' -o vmbr0 -j MASQUERADE

I'm using isc-dhcp-server as DHCP server. The configuration looks as follows:

ddns-update-style none;

# option definitions common to all supported networks...
option domain-name "pve.mydomain.tld";
option domain-name-servers 62.113.203.55, 130.255.78.223, 62.113.203.99, 185.133.72.100, 93.170.96.235;

default-lease-time 600;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# A slightly different configuration for an internal subnet.
subnet 10.10.200.0 netmask 255.255.255.0 {
   range 10.10.200.100 10.10.200.200;
   option domain-name-servers 62.113.203.55, 130.255.78.223, 62.113.203.99, 185.133.72.100, 93.170.96.235;
   option domain-name "pve.mydomain.tld";
   option routers 10.10.200.1;
   default-lease-time 600;
   max-lease-time 7200;
}

Below my iptables:

# Generated by iptables-save v1.4.21 on Tue May  9 19:41:11 2017
*nat
:PREROUTING ACCEPT [12948:1788360]
:INPUT ACCEPT [739:38704]
:OUTPUT ACCEPT [12782:831153]
:POSTROUTING ACCEPT [12777:830805]
-A POSTROUTING -s 10.10.200.0/24 -o vmbr0 -j MASQUERADE
COMMIT
# Completed on Tue May  9 19:41:11 2017
# Generated by iptables-save v1.4.21 on Tue May  9 19:41:11 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [29380:4158991]
:PSAD_BLOCK_FORWARD - [0:0]
:PSAD_BLOCK_INPUT - [0:0]
:PSAD_BLOCK_OUTPUT - [0:0]
:fail2ban-nginx-noscript - [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -j PSAD_BLOCK_INPUT
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-nginx-noscript
-A INPUT -s 5.9.67.166/32 -j DROP
-A INPUT -s 81.175.2.26/32 -j DROP
-A INPUT -s 138.68.164.245/32 -j DROP
-A INPUT -j LOG --log-prefix "PSAD_LOG: " --log-level 7
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/5 -j DROP
-A INPUT -d 240.0.0.0/5 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255/32 -j DROP
-A INPUT -d 127.0.0.0/8 ! -i lo -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -m icmp --icmp-type any -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m multiport --dports 1905 -j fail2ban-ssh
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1905 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A FORWARD -j PSAD_BLOCK_FORWARD
-A FORWARD -j LOG --log-prefix "PSAD_LOG: " --log-level 7
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j DROP
-A OUTPUT -j PSAD_BLOCK_OUTPUT
-A fail2ban-nginx-noscript -s 158.69.159.61/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-nginx-noscript -j RETURN
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Tue May  9 19:41:11 2017

On the guest the ip address gets assigned as expected (my test VM gets the ip 10.10.200.100), but I cannot reach anything from the guest system.

Thanks in advance for any help!

 

[sscheib]

Okay .. found the issue myself ..
In case anybody comes here with the very same problem - which I doubt is likely - the solution was to allow the traffic on the interface at all as the default policy was to drop it, the packets never came through.

-A INPUT -i vmbr10 -j ACCEPT