Here is the output:

-----------------------------------------
[root@dc01cloudkvm01 ~]# systemctl status firewalld
● firewalld.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

---------------------------------------------
[root@dc01cloudkvm01 ~]# iptables-save
# Generated by iptables-save v1.4.21 on Sat Feb 6 23:46:44 2016
*mangle
:PREROUTING ACCEPT [1306448:4376908074]
:INPUT ACCEPT [1185701:4364833786]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1294026:2863147676]
:POSTROUTING ACCEPT [1294026:2863147676]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sat Feb 6 23:46:44 2016
# Generated by iptables-save v1.4.21 on Sat Feb 6 23:46:44 2016
*nat
:PREROUTING ACCEPT [120793:12078892]
:INPUT ACCEPT [46:4604]
:OUTPUT ACCEPT [1446:103514]
:POSTROUTING ACCEPT [1446:103514]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Sat Feb 6 23:46:44 2016
# Generated by iptables-save v1.4.21 on Sat Feb 6 23:46:44 2016
*filter
:INPUT ACCEPT [1185701:4364833786]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1294026:2863147676]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
COMMIT
# Completed on Sat Feb 6 23:46:44 2016
-----------------------

-----Original Message-----
From: Nux! [mailto:[email protected]]
Sent: Saturday, February 6, 2016 5:38 PM
To: [email protected]
Subject: Re: Guest VMs cannot access Internet

That's not how you check it, CentOS 7 now comes with firewalld and the iptables-services are not installed by default.
"iptables-save" will output the current state of the firewall.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Sean Lair" <[email protected]>
> To: [email protected]
> Sent: Saturday, 6 February, 2016 22:56:23
> Subject: RE: Guest VMs cannot access Internet

> Thanks for the response! The iptables service is currently stopped:
>
> # systemctl stop iptables
> Failed to stop iptables.service: Unit iptables.service not loaded.
>
> -----Original Message-----
> From: Nux! [mailto:[email protected]]
> Sent: Saturday, February 6, 2016 4:13 PM
> To: [email protected]
> Subject: Re: Guest VMs cannot access Internet
>
> Hi Sean,
>
> Have you double checked iptables rules are correct (or disabled) on
> the underlying KVM hypervisor?
>
> Lucian
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
>
> ----- Original Message -----
>> From: "Sean Lair" <[email protected]>
>> To: [email protected]
>> Sent: Saturday, 6 February, 2016 21:47:19
>> Subject: Guest VMs cannot access Internet
>
>> Hi all,
>>
>> I'm having an issue I'm hoping you can assist with. Brand new
>> Cloudstack 4.8 deployment running on CentOS7 and KVM hypervisors.
>> Using advanced networking with VLAN isolation.
>>
>> Deploying new VMs using the default CentOS5.5 instance works great.
>> The virtual router is deployed as expected to perform source NAT. If
>> I log into the virtual router, it can ping the Internet and the guest
>> VMs. The guest VMs can ping each other as they are on the same
>> subnet. The virtual router has an Internet public IP it is using for
>> Source NAT.
>>
>> The guest VMs however cannot access the Internet. Under the public
>> IP address [Source NAT] -> Firewall, I'm allowing 0.0.0.0/0 ICMP with
>> "-1" for ICMP Type and code. For the Egress rules for the guest
>> network, I have 0.0.0.0/0 All protocols and All ports. I can ping
>> the outside of the virtual router (public
>> IP) from the Internet.
>>
>> From my troubleshooting above I'm guessing it is something to do with
>> the virtual router, but am not sure how to troubleshoot next.
>>
>> Thanks in advance for any assistance.
>>
>> Thanks
>
> Sean
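
Added example, not part of any message in this thread: a small Python parser for iptables-save output that lists which filter/FORWARD rules could apply to traffic between two interfaces, and the chain policy that applies when none match. It looks only at -i/-o matches (address, protocol and conntrack matches are not evaluated, so the list is an upper bound); the sample is constructed, and the interface names eth0, cloudbr0 and cloudbr1 are hypothetical.

```python
import shlex

# Constructed sample in iptables-save format, shaped like the thread's *filter table.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

def parse_save(text):
    """Parse iptables-save text into {table: {"policy": {...}, "rules": {chain: [tokens]}}}."""
    tables, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):                          # table header, e.g. *filter
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": {}})
        elif line.startswith(":") and cur is not None:    # :CHAIN POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            cur["policy"][chain] = policy
            cur["rules"].setdefault(chain, [])
        elif line.startswith("-A ") and cur is not None:  # rule appended to a chain
            tok = shlex.split(line)
            cur["rules"].setdefault(tok[1], []).append(tok[2:])
    return tables                                         # comments and COMMIT are skipped

def iface_ok(rule, flag, iface):
    """True if the rule's -i/-o constraint (honouring '!' and a trailing '+') admits iface."""
    if flag not in rule:
        return True                                       # no constraint on this side
    i = rule.index(flag)
    pat = rule[i + 1]
    hit = iface.startswith(pat[:-1]) if pat.endswith("+") else iface == pat
    return hit != (i > 0 and rule[i - 1] == "!")          # invert when negated

def forward_candidates(tables, in_if, out_if):
    """Return (FORWARD rules whose interface matches admit in_if -> out_if, chain policy)."""
    flt = tables["filter"]
    hits = [" ".join(r) for r in flt["rules"].get("FORWARD", [])
            if iface_ok(r, "-i", in_if) and iface_ok(r, "-o", out_if)]
    return hits, flt["policy"]["FORWARD"]

if __name__ == "__main__":
    for pair in [("virbr0", "eth0"), ("cloudbr0", "cloudbr1")]:  # hypothetical names
        print(pair, forward_candidates(parse_save(SAMPLE), *pair))
```

To run it against a live host, pass the text of `iptables-save` to `parse_save` instead of `SAMPLE`.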
