All I got when trying to resolve a name inside any of my virtual machines was:
ping: unknown host google.com
So I used tcpdump to debug the problem.
In the Hardware Node (HN) I executed:
# tcpdump -i venet0
Then I tried to reach Google from a VE (an OpenVZ container) and got this in the tcpdump output:
20:49:15.876485 IP 192.168.0.131.32943 > router.lan.domain: 36989+ A? google.com. (27)
20:49:16.207800 IP OpenVZ.lan > 192.168.0.131: ICMP host router.lan unreachable - admin prohibited, length 63
20:49:16.213804 IP 192.168.0.131.32943 > router.lan.domain: 36989+ A? google.com. (27)
20:49:16.215820 IP OpenVZ.lan > 192.168.0.131: ICMP host router.lan unreachable - admin prohibited, length 63
The ICMP "host unreachable - admin prohibited" replies are sent by the HN itself (OpenVZ.lan), and that is exactly what an iptables REJECT with --reject-with icmp-host-prohibited produces, so this pointed at a problem with iptables on the HN.
Executing:
# iptables --list
I found that the cause of the problem was this last rule:
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
So I commented out the corresponding line in /etc/sysconfig/iptables:
#-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
Then I restarted iptables:
# /etc/init.d/iptables restart
And now it works.
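That fix works, but it removes the chain's final default-deny rule: in the stock RHEL/CentOS /etc/sysconfig/iptables both INPUT and FORWARD jump to RH-Firewall-1-INPUT, so once that REJECT is gone anything not matched by an earlier rule is accepted, for the HN itself as well as for forwarded container traffic. A narrower change keeps the REJECT and inserts an ACCEPT for traffic arriving on venet0 just ahead of it. The script below is an added example, not part of the original post: it edits a constructed copy of a stock rules file rather than the live one (the file layout is assumed to match the RHEL/CentOS default), and the venet0 interface and RH-Firewall-1-INPUT chain names are taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): keep the final REJECT in
# RH-Firewall-1-INPUT but allow traffic from the container interface (venet0)
# by inserting an ACCEPT rule directly ahead of that REJECT.

# Write a constructed copy of a stock RHEL/CentOS /etc/sysconfig/iptables to
# the path given in $1. A real HN's file will differ in detail.
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Insert "-A RH-Firewall-1-INPUT -i venet0 -j ACCEPT" immediately before the
# chain's REJECT rule. Idempotent: does nothing if the ACCEPT already exists.
# Usage on a real node: add_venet0_accept /etc/sysconfig/iptables
#                       /etc/init.d/iptables restart   (as in the post)
add_venet0_accept() {
    rules="$1"
    accept='-A RH-Firewall-1-INPUT -i venet0 -j ACCEPT'
    # "--" keeps grep from reading the leading "-A" of the rule as an option.
    if grep -qxF -- "$accept" "$rules"; then
        return 0
    fi
    tmp="$rules.tmp.$$"
    awk -v accept="$accept" '
        /^-A RH-Firewall-1-INPUT -j REJECT/ && !done { print accept; done = 1 }
        { print }
    ' "$rules" > "$tmp" && mv "$tmp" "$rules"
}

# Exit 0 only if the venet0 ACCEPT is present AND sits ahead of the REJECT,
# i.e. the default deny is still in place but container traffic gets through.
venet0_allowed_before_reject() {
    awk '
        /^-A RH-Firewall-1-INPUT -i venet0 -j ACCEPT/ { seen = 1 }
        /^-A RH-Firewall-1-INPUT -j REJECT/ { rejected = 1; if (!seen) bad = 1 }
        END { exit (seen && rejected && !bad) ? 0 : 1 }
    ' "$1"
}

# Stand-alone demo on a throwaway copy, never on the live file:
#   sh thisscript.sh --demo
if [ "${1:-}" = "--demo" ]; then
    f="${TMPDIR:-/tmp}/iptables.sample.$$"
    write_sample_rules "$f"
    add_venet0_accept "$f"
    if venet0_allowed_before_reject "$f"; then
        echo "venet0 ACCEPT inserted ahead of REJECT; default deny kept"
    else
        echo "rule ordering is wrong" >&2
    fi
    cat "$f"
    rm -f "$f"
fi
```

After editing the real file, restart iptables as in the post and confirm with `iptables --list` that the ACCEPT for venet0 appears above the REJECT line; the REJECT rule should still be the last entry in the chain.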
For further information on iptables look at:
Quick HOWTO : Ch14 : Linux Firewalls Using iptables