I tried to connect the KVM VM from another host.
- KVM Host (HostA) 192.168.0.100
- KVM VM (VM) 192.168.122.100
- Another Host (HostB) 192.168.0.200
Problem
I wanted to connect VM from HostB. Because the HostA is using WiFi, I can’t use bridge interface. So I have to add route setting as follows on HostB.
(HostB) $ sudo ip r a 192.168.122.0/24 via 192.168.0.100On HostA, there is already route setting created by libvirt and ip forwarding is enabled.
(HostA) $ sudo ip r s 192.168.122.0/24
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
(HostA) $ sudo sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1So I thought I can connect VM from Another host, but I still can’t.
(HostB) $ ping 192.168.122.100
PING 192.168.122.100 (192.168.122.100) 56(84) bytes of data.
From 192.168.0.100 icmp_seq=1 Destination Port UnreachableReason
Finally I found that there is a firewall rule that prohibited forwarding.
(HostA) $ sudo iptables -t filter -L LIBVIRT_FWI -nv
Chain LIBVIRT_FWI (1 references)
625 3070K ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
448 37632 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachableIt seems that only existing connection is allowed and others rejected. After I added a rule as follows, it turned to work well.
(HostA) $ sudo iptables -t filter -I LIBVIRT_FWI -o virbr0 -j ACCEPT -d 192.168.122.0/24
(HostA) $ sudo iptables -t filter -L LIBVIRT_FWI -nv
Chain LIBVIRT_FWI (1 references)
0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24
625 3070K ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
448 37632 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable(HostB) $ ping 192.168.122.100
PING 192.168.122.100 (192.168.122.100) 56(84) bytes of data.
64 bytes from 192.168.122.100: icmp_seq=1 ttl=127 time=10.7 ms