Score: 0

libvirt bridge incoming traffic not forwarded


I have a public IP block 51.x.x.16/28 that I'm trying to use with libvirt/qemu VMs. Inside the VM (IP 51.x.x.18) I'm trying to create an outbound TCP connection (HTTP).

Using tcpdump on the host I can see that SYN and SYN-ACK are sent and received. However, inside the VM the SYN-ACK is never received (no trace in tcpdump and connect is stuck).

I have connectivity from the VM to the bridge (brtest) and host interface (eno1). From the host I can also connect to the VM. What can be causing this? I've attached the bridge configuration, tcpdump, iptables (rules created by libvirt) and ifconfig below.

brtest.xml

<network>
  <name>test</name>
  <bridge name="brtest"/>
  <forward mode="route" dev="eno1" />
  <ip address="51.x.x.30" netmask="255.255.255.240">
    <dhcp>
      <host mac="02:xx:xx:xx:xx:49" ip="51.x.x.18"/>
    </dhcp>
  </ip>
</network>

tcpdump -n -i eno1

02:07:11.125655 IP 51.x.x.18.51236 > 76.x.x.173.80: Flags [S], seq 2472740296, win 64240, options [mss 1460,sackOK,TS val 3379788359 ecr 0,nop,wscale 7], length 0
02:07:11.135352 IP 76.x.x.173.80 > 51.x.x.18.51236: Flags [S.], seq 1083725147, ack 2472740297, win 65160, options [mss 1460,sackOK,TS val 2243378625 ecr 3379788359,nop,wscale 7], length 0

iptables -n -v -L

Chain INPUT (policy ACCEPT 401 packets, 43908 bytes)
 pkts bytes target     prot opt in     out     source               destination
  516 53705 LIBVIRT_INP  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   31  1876 LIBVIRT_FWX  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   31  1876 LIBVIRT_FWI  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   31  1876 LIBVIRT_FWO  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 453 packets, 193K bytes)
 pkts bytes target     prot opt in     out     source               destination
  546  209K LIBVIRT_OUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LIBVIRT_FWI (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eno1   brtest  0.0.0.0/0            51.x.x.16/28
    0     0 REJECT     all  --  *      brtest  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWO (1 references)
 pkts bytes target     prot opt in     out     source               destination
   31  1876 ACCEPT     all  --  brtest eno1    51.x.x.16/28     0.0.0.0/0
    0     0 REJECT     all  --  brtest *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWX (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  brtest brtest  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0

Chain LIBVIRT_INP (1 references)
 pkts bytes target     prot opt in     out     source               destination
   11   781 ACCEPT     udp  --  brtest *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  brtest *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    5  1585 ACCEPT     udp  --  brtest *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  brtest *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain LIBVIRT_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      brtest  0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      brtest  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    4  1312 ACCEPT     udp  --  *      brtest  0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT     tcp  --  *      brtest  0.0.0.0/0            0.0.0.0/0            tcp dpt:68
    0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT     tcp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            tcp dpt:68

ifconfig

brtest: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 51.x.x.30  netmask 255.255.255.240  broadcast 51.x.x.31
        ether 52:xx:xx:xx:xx:fe  txqueuelen 1000  (Ethernet)
        RX packets 134  bytes 10118 (10.1 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 49  bytes 8781 (8.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 146.x.x.42  netmask 255.255.255.0  broadcast 146.x.x.255
        inet6 fe80::xxxx:xxxx:xxxx:xxxx  prefixlen 64  scopeid 0x20<link>
        inet6 2001:xxxx:xxx:xxxx::  prefixlen 57  scopeid 0x0<global>
        ether d0:xx:xx:xx:xx:14  txqueuelen 1000  (Ethernet)
        RX packets 11073  bytes 1099048 (1.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5843  bytes 923130 (923.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vethe57ac9e: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::249a:c8ff:fe26:f4c1  prefixlen 64  scopeid 0x20<link>
        ether 26:xx:xx:xx:xx:c1  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 15  bytes 1226 (1.2 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:xx:xx:xx:xx:d2  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::xxxx:xx:xxxx:xxxx  prefixlen 64  scopeid 0x20<link>
        ether fe:xx:xx:xx:xx:49  txqueuelen 1000  (Ethernet)
        RX packets 138  bytes 12591 (12.5 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 472  bytes 31107 (31.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
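
One way to read the counters in the `iptables -n -v -L` listing above, added here as an example and not part of the original post: sum the ACCEPT packet counts on the forward path, per direction, for one bridge. `parse_rules` and `forward_balance` are hypothetical helper names, and the sample is trimmed from the post's own listing.

```python
# Constructed sample: the brtest rows of the `iptables -n -v -L` listing
# quoted in the post (virbr0, DNS and LIBVIRT_FWX rows trimmed).
SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   31  1876 LIBVIRT_FWX  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   31  1876 LIBVIRT_FWI  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   31  1876 LIBVIRT_FWO  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain LIBVIRT_FWI (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eno1   brtest  0.0.0.0/0            51.x.x.16/28
    0     0 REJECT     all  --  *      brtest  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
Chain LIBVIRT_FWO (1 references)
 pkts bytes target     prot opt in     out     source               destination
   31  1876 ACCEPT     all  --  brtest eno1    51.x.x.16/28     0.0.0.0/0
    0     0 REJECT     all  --  brtest *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
Chain LIBVIRT_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    4  1312 ACCEPT     udp  --  *      brtest  0.0.0.0/0            0.0.0.0/0            udp dpt:68
"""

UNITS = {"K": 10**3, "M": 10**6, "G": 10**9}  # iptables abbreviates large counters

def parse_rules(listing):
    """Return {chain: [(pkts, target, in_if, out_if), ...]} from -n -v -L output."""
    chains, cur = {}, None
    for line in listing.splitlines():
        f = line.split()
        if line.startswith("Chain "):
            cur = chains.setdefault(f[1], [])
        elif cur is not None and len(f) >= 9 and f[0][0].isdigit():
            pkts = int(f[0].rstrip("KMG")) * UNITS.get(f[0][-1], 1)
            cur.append((pkts, f[2], f[5], f[6]))
    return chains

def forward_balance(listing, bridge):
    """Packets ACCEPTed on the forward path: (from_guests, to_guests)."""
    chains = parse_rules(listing)
    # Only FORWARD and the chains it jumps to; INPUT/OUTPUT rules are host traffic.
    path = ["FORWARD"] + [t for _, t, _, _ in chains.get("FORWARD", []) if t in chains]
    rules = [r for c in path for r in chains.get(c, []) if r[1] == "ACCEPT"]
    sent = sum(p for p, _, i, o in rules if i == bridge and o != bridge)
    recv = sum(p for p, _, i, o in rules if o == bridge and i != bridge)
    return sent, recv

if __name__ == "__main__":
    print(forward_balance(SAMPLE, "brtest"))
```

On the post's counters this reports 31 packets accepted from the guests and 0 toward them: at the time of the listing, no return packet had been accepted on the FORWARD path, even though tcpdump on eno1 shows the SYN-ACK arriving.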
