Virtual network connectivity and iptables

Hi,

I have a frontend host that is also a node (i.e. it's hosting VMs). On this host I modified iptables to configure NAT; I also had to configure some forwarding rules:

iptables -tnat -A POSTROUTING -s 172.16.0.0/16 ! -d 172.16.0.0/16 -j MASQUERADE
iptables -A FORWARD -d 172.16.0.0/16 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 172.16.0.0/16 -i virbr1 -j ACCEPT
iptables -A FORWARD -i virbr1 -o virbr1 -j ACCEPT

This works: any VM created on this node can ping everything, up to and including public IP addresses.

I have two other nodes as well that I can configure VMs on, but when I do that they can only ping IPs in the virtual network and the physical IP of the frontend server, nothing else.

Am I supposed to configure these iptables rules on the remote nodes as well? I've tried, but I keep hitting the same problem: VMs on the remote nodes are not able to access the internet.

The resolution I found for this was to set promiscuous mode on the bridge. I don't know if this is right or not, but I've spent enough time on this now, so I'm calling it a fix.

ip link set dev virbr1 promisc on

Note that this is not permanent; it gets reset on reboot, so I have created a /sbin/ifup-local script:

#!/bin/sh
# /sbin/ifup-local: run by the network scripts after an interface is brought up.
# $1 is the interface name; $2 (if passed) is the requested state.
IN="$1"
STATUS="$2"
case "$IN" in
    virbr1)
        logger "$0: Configuring virbr1 as $STATUS ..."
        /sbin/ip link set dev virbr1 promisc on
        ;;
esac
exit 0

Feel free to adjust to your local environment.
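The post applies its four iptables rules with plain -A and sets promiscuous mode from ifup-local. If the rules do end up on every node and are re-run at boot or by hand, each -A appends another copy. The script below is an added example (not the poster's code and not part of any OpenNebula or libvirt tooling): it wraps the post's exact rules in an idempotent helper that checks with iptables -C before appending, and bundles the promisc setting and the ip_forward sysctl that the FORWARD rules depend on. The file name vnet-setup.sh and the IPT/IP override variables are assumptions made here so the script can be dry-run without root; iptables -C requires iptables 1.4.11 or later.

```sh
#!/bin/sh
# Added example, not from the original post: apply the post's NAT/forwarding
# rules and the promiscuous-mode setting idempotently, so the same script can be
# run on the frontend and on each node (and from ifup-local on every boot)
# without appending duplicate rules. Subnet and bridge are the post's values;
# IPT and IP are assumed overridable so the script can be dry-run without root.
VNET="${VNET:-172.16.0.0/16}"
BR="${BR:-virbr1}"
IPT="${IPT:-iptables}"
IP="${IP:-ip}"

# ensure_rule TABLE CHAIN RULE...: append RULE to CHAIN only if -C reports it absent.
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    if "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0            # already present, nothing to do
    fi
    "$IPT" -t "$table" -A "$chain" "$@"
}

# Masquerade VM traffic leaving the virtual network, and allow forwarding
# in both directions on the bridge (the same four rules as the post).
apply_vnet_rules() {
    ensure_rule nat POSTROUTING -s "$VNET" ! -d "$VNET" -j MASQUERADE
    ensure_rule filter FORWARD -d "$VNET" -o "$BR" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ensure_rule filter FORWARD -s "$VNET" -i "$BR" -j ACCEPT
    ensure_rule filter FORWARD -i "$BR" -o "$BR" -j ACCEPT
}

# The post's promisc setting; repeating it is harmless, so no check is needed.
set_bridge_promisc() {
    "$IP" link set dev "$BR" promisc on
}

# Forwarding must be enabled in the kernel or the FORWARD rules never see a packet.
enable_ip_forward() {
    printf '1\n' > /proc/sys/net/ipv4/ip_forward
}

# Only act when invoked as "sh vnet-setup.sh apply"; sourcing just defines the functions.
case "${1:-}" in
    apply)
        enable_ip_forward
        apply_vnet_rules
        set_bridge_promisc
        ;;
esac
```

Run it as root with the argument apply; because every rule is checked first, running it a second time (or from ifup-local on each boot) leaves exactly one copy of each rule. It does not make the rules themselves survive a reboot; for that, either call it from the boot-time hook as the post does for promisc, or save the resulting ruleset with iptables-save.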