I have a libvirt KVM VM (named netstuff) that runs over a bridge (br0) with two slaves: em2, a physical host interface, and vnet0, the VM's virtual NIC. dnsmasq-dhcp runs on the host and hands out IP addresses to the VM and to other physical hosts.
I can route anywhere on 192.168.1.0/24, including between the VM and the hardware, but the VM cannot route to the other network or to the Internet. When traffic goes from the guest to the host, it does not seem to be routed from the bridge to the em1 interface, which holds the default route.
Help?
Host libvirt XML:
# virsh dumpxml netstuff
... snip ...
    <interface type='bridge'>
      <mac address='52:54:00:27:c4:22'/>
      <source bridge='br0'/>
      <target dev='vnet0'/>
      <model type='virtio'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
... snip ...
Host IP routes:
# ip r
default via XXX.99.126.1 dev em1
169.254.0.0/16 dev em1 scope link metric 1002
169.254.0.0/16 dev br0 scope link metric 1004
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
XXX.99.126.0/27 dev em1 proto kernel scope link src XXX.99.126.4
Host NICs:
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether d4:ae:52:9d:73:c2 brd ff:ff:ff:ff:ff:ff
    inet XXX.99.126.4/27 brd XXX.99.126.31 scope global em1
       valid_lft forever preferred_lft forever
    inet6 fe80::d6ae:52ff:fe9d:73c2/64 scope link
       valid_lft forever preferred_lft forever
3: em2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP qlen 1000
    link/ether d4:ae:52:9d:73:c3 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::d6ae:52ff:fe9d:73c3/64 scope link
       valid_lft forever preferred_lft forever
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether d4:ae:52:9d:73:c3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::d6ae:52ff:fe9d:73c3/64 scope link
       valid_lft forever preferred_lft forever
5: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN qlen 1000
    link/ether fe:54:00:27:c4:22 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fe27:c422/64 scope link
       valid_lft forever preferred_lft forever
Host iptables:
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-is-bridged
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- anywhere anywhere
Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_public all -- anywhere anywhere [goto]
FWDI_public all -- anywhere anywhere [goto]
FWDI_public all -- anywhere anywhere [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_public all -- anywhere anywhere [goto]
FWDO_public all -- anywhere anywhere [goto]
FWDO_public all -- anywhere anywhere [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_direct (1 references)
target prot opt source destination
Chain FWDI_public (3 references)
target prot opt source destination
FWDI_public_log all -- anywhere anywhere
FWDI_public_deny all -- anywhere anywhere
FWDI_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain FWDI_public_allow (1 references)
target prot opt source destination
Chain FWDI_public_deny (1 references)
target prot opt source destination
Chain FWDI_public_log (1 references)
target prot opt source destination
Chain FWDO_public (3 references)
target prot opt source destination
FWDO_public_log all -- anywhere anywhere
FWDO_public_deny all -- anywhere anywhere
FWDO_public_allow all -- anywhere anywhere
Chain FWDO_public_allow (1 references)
target prot opt source destination
Chain FWDO_public_deny (1 references)
target prot opt source destination
Chain FWDO_public_log (1 references)
target prot opt source destination
Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_public all -- anywhere anywhere [goto]
IN_public all -- anywhere anywhere [goto]
IN_public all -- anywhere anywhere [goto]
Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain INPUT_direct (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere multiport dports ssh match-set fail2ban-sshd src reject-with icmp-port-unreachable
Chain IN_public (3 references)
target prot opt source destination
IN_public_log all -- anywhere anywhere
IN_public_deny all -- anywhere anywhere
IN_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootps ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW
Chain IN_public_deny (1 references)
target prot opt source destination
Chain IN_public_log (1 references)
target prot opt source destination
Chain OUTPUT_direct (1 references)
target prot opt source destination
Guest IP routes:
ssh [email protected]
Last login: Sat Apr 8 05:29:55 2017 from 192.168.1.1
[centos@netstuff ~]$ ip r
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.76
[centos@netstuff ~]$
Guest NICs:
[centos@netstuff ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:27:c4:22 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.76/24 brd 192.168.1.255 scope global dynamic eth0
       valid_lft 2978sec preferred_lft 2978sec
    inet6 fe80::5054:ff:fe27:c422/64 scope link
       valid_lft forever preferred_lft forever
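An added example, not part of the question or the answer: a small Python script that replays the host's forwarding decision from the `ip r` output above and names the situation the question describes. The route table is embedded as a constructed sample in which the redacted public prefix XXX.99.126.0/27 is stood in for by the documentation range 203.0.113.0/27; the function names are my own. A guest packet from 192.168.1.76 to an Internet address matches only the default route via the gateway on em1, and because its RFC 1918 source address has no return route from that public gateway, replies never come back unless the host masquerades the packet (or the upstream router is given a route for 192.168.1.0/24).

```python
import ipaddress

# Constructed sample of the host's `ip r` output from the question. The redacted
# public prefix XXX.99.126.0/27 is stood in for by the documentation range 203.0.113.0/27.
HOST_ROUTES = """\
default via 203.0.113.1 dev em1
169.254.0.0/16 dev em1 scope link metric 1002
169.254.0.0/16 dev br0 scope link metric 1004
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
203.0.113.0/27 dev em1 proto kernel scope link src 203.0.113.4
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_routes(text):
    """Parse `ip r` lines into dicts with keys net, dev, via (gateway or None), metric."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        route = {"net": ipaddress.ip_network(dest, strict=False), "dev": None, "via": None, "metric": 0}
        # Walk the "key value" pairs that follow the destination.
        for key, value in zip(fields[1:], fields[2:]):
            if key == "dev":
                route["dev"] = value
            elif key == "via":
                route["via"] = ipaddress.ip_address(value)
            elif key == "metric":
                route["metric"] = int(value)
        routes.append(route)
    return routes


def lookup(routes, dst):
    """Longest-prefix match; on equal prefix length the lower metric wins, as the kernel FIB does."""
    dst = ipaddress.ip_address(str(dst))
    matches = [r for r in routes if dst in r["net"]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r["net"].prefixlen, r["metric"]))


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def forwarding_verdict(routes, src, dst):
    """Explain what the host does with a packet src -> dst coming from a bridged guest.

    Returns (egress_device, verdict). "needs NAT" is the question's case: the packet
    leaves via a public gateway that has no route back to the guest's private address,
    so the host must masquerade it or the upstream router needs a return route.
    """
    src_addr, dst_addr = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress, egress = lookup(routes, src_addr), lookup(routes, dst_addr)
    if egress is None:
        return None, "no route to destination"
    if ingress is not None and ingress["dev"] == egress["dev"]:
        return egress["dev"], "same segment: delivered at layer 2 on the bridge, no routing involved"
    if egress["via"] is None:
        return egress["dev"], "routed to a directly connected segment"
    if is_rfc1918(src_addr) and not is_rfc1918(egress["via"]):
        return egress["dev"], "needs NAT: private source forwarded via a public gateway with no return route"
    return egress["dev"], "routed via gateway %s" % egress["via"]


if __name__ == "__main__":
    routes = parse_routes(HOST_ROUTES)
    for src, dst in (("192.168.1.76", "192.168.1.1"), ("192.168.1.76", "8.8.8.8")):
        dev, verdict = forwarding_verdict(routes, src, dst)
        print(f"{src} -> {dst}: out {dev}: {verdict}")
```

The script only reasons about the routing table; for the host to forward at all between br0 and em1, `net.ipv4.ip_forward` must also be 1, and the FORWARD chain shown above would then see the traffic.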
1 Answer
It turned out that this is not possible without NAT, so I re-enabled libvirt's NAT network with virsh net-start default. libvirt's use of dnsmasq takes care to run the DHCP server only on the interface it creates, so I just made sure that the dnsmasq I set up on the host does not interfere with the dnsmasq created by libvirt. To do this, in /etc/dnsmasq.conf I put dnsmasq into bind-interfaces mode and forced it to listen on the bridge I created (br0) by giving the static IP I assigned to it, 192.168.1.1:
listen-address=192.168.1.1
bind-interfaces
And of course:
systemctl restart dnsmasq
The dnsmasq FAQ, which covers the bind-interfaces and bind-dynamic settings, is here: http://www.thekelleys.org.uk/dnsmasq/docs/FAQ
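The dnsmasq side of the fix, as an added example that is not part of the answer: a Python audit of a dnsmasq.conf that reports where the instance will bind and answer. It encodes the behaviour the dnsmasq FAQ linked above describes: without bind-interfaces or bind-dynamic, dnsmasq binds the wildcard address and only filters by interface afterwards, so it collides with libvirt's own dnsmasq on ports 53 and 67, and if no listen-address or interface is given it also serves DHCP and DNS on the public interface em1. The two configurations are constructed samples (the dhcp-range line is assumed; the listen-address and bind-interfaces lines are the answer's), and the function names are my own.

```python
# Constructed sample configurations (not from the page): the host dnsmasq before the
# fix, with an assumed dhcp-range and no binding restrictions, and after the fix.
CONF_BEFORE = """\
# assumed DHCP scope for the 192.168.1.0/24 segment
dhcp-range=192.168.1.50,192.168.1.150,12h
"""

CONF_AFTER = """\
listen-address=192.168.1.1
bind-interfaces
dhcp-range=192.168.1.50,192.168.1.150,12h
"""


def parse_dnsmasq(text):
    """Map each dnsmasq option to the list of its values; bare flags map to True.

    Values may be comma-separated lists (dnsmasq accepts listen-address=a,b), so they
    are split into individual items. Lines starting with '#' and blank lines are skipped.
    """
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, has_value, value = line.partition("=")
        items = [v.strip() for v in value.split(",")] if has_value else [True]
        options.setdefault(key.strip(), []).extend(items)
    return options


def audit_dnsmasq(text, internal_addresses):
    """Return a list of findings about where this dnsmasq instance will listen.

    internal_addresses: the host addresses on which serving DHCP/DNS is intended
    (here the bridge address 192.168.1.1). An empty list means the instance is
    confined to those addresses and will not collide with another dnsmasq on the host.
    """
    opts = parse_dnsmasq(text)
    findings = []
    # Without per-address binding dnsmasq takes 0.0.0.0:53 and :67 for itself.
    if "bind-interfaces" not in opts and "bind-dynamic" not in opts:
        findings.append("binds the wildcard address on ports 53/67: collides with any other DNS/DHCP server on this host")
    listen = opts.get("listen-address", [])
    ifaces = opts.get("interface", [])
    # With neither restriction every interface is served, the public one included.
    if not listen and not ifaces:
        findings.append("no listen-address or interface: answers on every host interface, the public one included")
    for addr in listen:
        if addr not in internal_addresses:
            findings.append(f"listen-address {addr} is not one of the intended internal addresses")
    return findings


if __name__ == "__main__":
    for name, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        print(name, audit_dnsmasq(conf, {"192.168.1.1"}) or ["ok"])
```

Run against the real file with `audit_dnsmasq(open("/etc/dnsmasq.conf").read(), {"192.168.1.1"})`; the same check applied to the libvirt-managed instance explains why it coexists: libvirt starts it with bind-interfaces and the address of its own bridge.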