[libvirt-users] KVM NAT stops from working

Laine Stump laine at redhat.com
Tue Sep 3 16:15:12 UTC 2019


On 9/2/19 10:31 AM, Francesc Guasch wrote:
> Hi. First of all thank you for the work you are doing with libvirt.
> I am not sure this is the right place to ask, I'd appreciate
> if you can give me any hint or directions.
> 
> I have several similar KVM Linux boxes and one of them has a really
> strange behavior with the KVM NAT: It just suddenly stops
> working.
> 
> This is a Linux Ubuntu Server 19.04 with
>   - libvirt-bin 4.0.0
>   - qemu-kvm 1:2.11
> 
> Everything works fine and then suddenly the virtual machines
> can't reach outside. If I run a tcpdump in the host I see
> the NAT isn't working.
> 
> When the server just boots I can see the packets with the
> server address going out:
> 
>      x.y.z.w.49138 > 8.8.8.8.53
> 
> Then, it may be some hours or days later, instead of the server
> address I see the internal domain's address:
> 
> 
>      192.168.122.33.19132 > 8.8.8.8.53
>      ^^^^^^^^^^^^^^
> 
> I try to restart the iptables but it won't help.
> 
> Any hints? Thank you very much.

1) On a freshly booted machine with running clients connected to 
libvirt's default network (and successfully sending/receiving traffic, 
of course :-), get a dump of all active iptables rules with

    iptables-save >iptables-working.txt

2) At whatever later time when you notice that the NAT is no longer 
working properly, get another dump of all the rules with

    iptables-save >iptables-broken.txt

and compare those two files to see what has changed.

Most likely some other piece of software (a firewall management utility 
maybe?) has loaded a new rule that takes precedence over one of the 
rules added by libvirt.

If seeing the rule that was added doesn't point you at the culprit, you 
can see if restarting libvirtd will fix your problem - whenever libvirtd 
is restarted, all iptables rules associated with libvirt's virtual 
networks are reloaded (which will put them back at the beginning of the 
chain, thus fixing any broken precedence).
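
One way to do the comparison of the two dumps described above, as an added example that is not part of the original message: it parses `iptables-save` output per table and chain, then reports rules that were added or removed, marking added rules that are evaluated before the first rule for the virtual network. The subnet `192.168.122.0/24` (libvirt's default network range), the interface name `eth0` and both sample dumps are assumptions constructed for illustration.

```python
import re

COUNTERS = re.compile(r"^\[\d+:\d+\]\s*")  # per-rule counters, only with `iptables-save -c`

def parse_rules(dump):
    """Map (table, chain) -> rules in the order the kernel evaluates them."""
    rules, table = {}, ""
    for line in dump.splitlines():
        line = COUNTERS.sub("", line.strip())
        if line.startswith("*"):            # table header, e.g. *nat
            table = line[1:]
        elif line.startswith("-A "):        # rule line; skips comments, policies, COMMIT
            rules.setdefault((table, line.split()[1]), []).append(line)
    return rules

def compare(working, broken, subnet="192.168.122.0/24"):
    """Report rules added or removed between two dumps.

    An added rule is marked 'added-ahead' when it sits before the first rule
    that mentions `subnet` (assumed to be the virtual network's range)."""
    before, after = parse_rules(working), parse_rules(broken)
    findings = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key, []), after.get(key, [])
        first = next((i for i, r in enumerate(new) if subnet in r), None)
        for i, rule in enumerate(new):
            if rule not in old:
                ahead = first is not None and i < first
                findings.append((key, "added-ahead" if ahead else "added", rule))
        findings += [(key, "removed", r) for r in old if r not in new]
    return findings

# Constructed sample dumps (not taken from the thread).
WORKING = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
"""
BROKEN = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j ACCEPT
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
"""

if __name__ == "__main__":
    for (table, chain), kind, rule in compare(WORKING, BROKEN):
        print(f"{table}/{chain}: {kind}: {rule}")
```

To use it on real dumps, pass the contents of `iptables-working.txt` and `iptables-broken.txt` to `compare()` in place of the sample strings.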



