(KVM on CentOS 7) Cannot ping the guest, or vice versa, with a single-NIC host

2

I have a single-NIC host on CentOS 7 on which I want to do virtualization using KVM-Qemu.

HOST

The host IP is

192.168.1.110 

and the interface is enp0s31f6

I deleted libvirt's "default" NAT configuration.

Then I created 2 interfaces from virt-manager, which are

virsh net-list

 Name                 State      Autostart     Persistent
----------------------------------------------------------
 ext                  active     yes           yes
 int                  active     yes           yes

virsh net-dumpxml ext

<network connections='1'>
  <name>ext</name>
  <uuid>99ea2f5d-8557-4141-9e90-0ac0619a6261</uuid>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr2' stp='on' delay='0'/>
  <mac address='52:54:00:41:32:d9'/>
  <domain name='ext'/>
  <ip address='172.16.2.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='172.16.2.128' end='172.16.2.254'/>
    </dhcp>
  </ip>
</network>

virsh net-dumpxml int

<network connections='2'>
  <name>int</name>
  <uuid>bcc129a2-0d06-4a44-903b-60181f7cbb48</uuid>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr3' stp='on' delay='0'/>
  <mac address='52:54:00:ef:7a:ee'/>
  <domain name='int'/>
  <ip address='10.1.1.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='10.1.1.128' end='10.1.1.254'/>
    </dhcp>
  </ip>
</network>

route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 enp0s31f6
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 virbr3
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 enp0s31f6
172.16.2.0      0.0.0.0         255.255.255.0   U     0      0        0 virbr2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 enp0s31f6

iptables -t nat -vnL

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       10.1.1.0/24          224.0.0.0/24        
    0     0 RETURN     all  --  *      *       10.1.1.0/24          255.255.255.255     
    0     0 MASQUERADE  tcp  --  *      *       10.1.1.0/24         !10.1.1.0/24          masq ports: 1024-65535
    0     0 MASQUERADE  udp  --  *      *       10.1.1.0/24         !10.1.1.0/24          masq ports: 1024-65535
    0     0 MASQUERADE  all  --  *      *       10.1.1.0/24         !10.1.1.0/24         
    0     0 RETURN     all  --  *      *       172.16.2.0/24        224.0.0.0/24        
    0     0 RETURN     all  --  *      *       172.16.2.0/24        255.255.255.255     
    0     0 MASQUERADE  tcp  --  *      *       172.16.2.0/24       !172.16.2.0/24        masq ports: 1024-65535
    0     0 MASQUERADE  udp  --  *      *       172.16.2.0/24       !172.16.2.0/24        masq ports: 1024-65535
    0     0 MASQUERADE  all  --  *      *       172.16.2.0/24       !172.16.2.0/24       
    0     0 RETURN     all  --  *      *       172.16.2.0/24        224.0.0.0/24        
    0     0 RETURN     all  --  *      *       172.16.2.0/24        255.255.255.255     
    0     0 MASQUERADE  tcp  --  *      *       172.16.2.0/24       !172.16.2.0/24        masq ports: 1024-65535
    0     0 MASQUERADE  udp  --  *      *       172.16.2.0/24       !172.16.2.0/24        masq ports: 1024-65535
    0     0 MASQUERADE  all  --  *      *       172.16.2.0/24       !172.16.2.0/24       
    0     0 RETURN     all  --  *      *       10.1.1.0/24          224.0.0.0/24        
    0     0 RETURN     all  --  *      *       10.1.1.0/24          255.255.255.255     
    0     0 MASQUERADE  tcp  --  *      *       10.1.1.0/24         !10.1.1.0/24          masq ports: 1024-65535
    0     0 MASQUERADE  udp  --  *      *       10.1.1.0/24         !10.1.1.0/24          masq ports: 1024-65535
    0     0 MASQUERADE  all  --  *      *       10.1.1.0/24         !10.1.1.0/24         
    0     0 MASQUERADE  all  --  *      enp0s31f6  0.0.0.0/0            0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      enp0s31f6  10.1.1.0/24          0.0.0.0/0           

iptables -vnL

Chain INPUT (policy ACCEPT 83 packets, 8441 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  virbr3 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr3 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr3 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr3 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
    0     0 ACCEPT     udp  --  virbr2 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr2 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr2 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr2 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
    0     0 ACCEPT     udp  --  virbr2 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr2 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr2 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr2 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
    0     0 ACCEPT     udp  --  virbr3 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr3 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr3 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr3 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
   41  5578 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      virbr3  0.0.0.0/0            10.1.1.0/24          ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr3 *       10.1.1.0/24          0.0.0.0/0           
    0     0 ACCEPT     all  --  virbr3 virbr3  0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      virbr3  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr3 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      virbr2  0.0.0.0/0            172.16.2.0/24        ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr2 *       172.16.2.0/24        0.0.0.0/0           
    0     0 ACCEPT     all  --  virbr2 virbr2  0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      virbr2  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr2 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      virbr2  0.0.0.0/0            172.16.2.0/24        ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr2 *       172.16.2.0/24        0.0.0.0/0           
    0     0 ACCEPT     all  --  virbr2 virbr2  0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      virbr2  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr2 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      virbr3  0.0.0.0/0            10.1.1.0/24          ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr3 *       10.1.1.0/24          0.0.0.0/0           
    0     0 ACCEPT     all  --  virbr3 virbr3  0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      virbr3  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr3 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-is-bridged
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 ACCEPT     all  --  enp0s31f6 *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      enp0s31f6  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 36 packets, 4389 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      virbr3  0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT     udp  --  *      virbr2  0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT     udp  --  *      virbr2  0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT     udp  --  *      virbr3  0.0.0.0/0            0.0.0.0/0            udp dpt:68
   10   664 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0

GUEST

On the guest side I have 2 VMs: vm1 attached to the int and ext interfaces, vm2 attached to the int interface.

vm1

eth0 10.1.1.12/24
eth1 172.16.2.12/24 (I left the DNS column blank)

vm2

eth0 10.1.1.13/24

and I am using NetworkManager to manage the network.

The problem is

  1. vm2 will not connect to the outside world, nor ping the other guest (vm1), even if I let DHCP assign the address. However, if I connect vm2 to the 'ext' interface and let DHCP assign the IP, it can connect and ping to the outside world. (This also happened with vm1.)

  2. When I assign static IPs to vm1 and vm2, the connection is lost.

  3. I added interface=int, and also tried interface=virbr0, in /etc/dnsmasq.conf, but still nothing happened.

Basically, my intention is for both ext and int to be able to connect to the Internet; it is only used for role separation.

Any help is appreciated.

    
por Rizary 09.10.2016 / 05:06

1 answer

0

The INPUT and OUTPUT tables are used for local processes on the host server. Virtual machines are not local processes.

In the FORWARD table, move the following line to the end of the table:

REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

The OUTPUT table has many duplications, and all the rules and the default permission allow everything.

by 13.10.2016 / 16:48
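As an added example (not part of the original question or answer), a Python check that applies the answer's reasoning to an `iptables -vnL` FORWARD listing: it flags rules placed after a catch-all REJECT, which can never match, and rules duplicated within the chain. The sample listing is a constructed, abridged copy of the question's FORWARD chain; `parse_chain`, `is_catch_all`, `shadowed_rules` and `duplicate_rules` are names chosen here.

```python
# Constructed sample: an abridged copy of the question's FORWARD chain.
SAMPLE_FORWARD = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  virbr3 *       10.1.1.0/24          0.0.0.0/0
    0     0 REJECT     all  --  *      virbr3  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  virbr3 *       10.1.1.0/24          0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 ACCEPT     all  --  enp0s31f6 *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      enp0s31f6  0.0.0.0/0            0.0.0.0/0
"""
FIELDS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst")
ANY = "0.0.0.0/0"

def parse_chain(listing):
    """Parse one chain of `iptables -vnL` output into a list of rule dicts."""
    rules = []
    for line in listing.splitlines():
        parts = line.split(None, len(FIELDS))  # a 10th element holds match options
        if len(parts) < len(FIELDS) or parts[0] in ("Chain", "pkts"):
            continue  # chain header and column header carry no rule
        rule = dict(zip(FIELDS, parts))
        rule["extra"] = parts[len(FIELDS)].strip() if len(parts) > len(FIELDS) else ""
        rules.append(rule)
    return rules

def is_catch_all(rule):
    """True for a REJECT/DROP that matches every packet (reject-with is not a match)."""
    unrestricted = (rule["prot"] == "all" and rule["in"] == "*" and rule["out"] == "*"
                    and rule["src"] == ANY and rule["dst"] == ANY)
    no_match = rule["extra"] == "" or rule["extra"].startswith("reject-with")
    return rule["target"] in ("REJECT", "DROP") and unrestricted and no_match

def shadowed_rules(rules):
    """Rules listed after the first catch-all can never be reached."""
    for i, rule in enumerate(rules):
        if is_catch_all(rule):
            return rules[i + 1:]
    return []

def duplicate_rules(rules):
    """Rules identical (counters aside) to an earlier rule in the chain."""
    seen, dups = set(), []
    for rule in rules:
        key = tuple(rule[f] for f in FIELDS[2:]) + (rule["extra"],)
        if key in seen:
            dups.append(rule)
        seen.add(key)
    return dups
```

Moving the catch-all REJECT to the end, as the answer suggests, leaves `shadowed_rules` empty for the same listing.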