Estoy intentando agregar un invitado KVM (Ubuntu 18.04) a la red local como otros servidores reales en la red. Configuré la interfaz de puente KVM en el sistema host (Ubuntu 18.04) y funciona bien con la conexión. El sistema host es accesible a través de la red local a otros servidores.
Configuración de netplan para el sistema host:
$ cat 01-netcfg.yaml
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
version: 2
renderer: networkd
ethernets:
eno1:
dhcp4: false
bridges:
br0:
interfaces: [eno1]
addresses: [192.168.1.105/24]
gateway4: 192.168.1.1
nameservers:
addresses: [x.x.x.x, x.x.x.x]
dhcp4: false
ip asalida que muestra la interfaz del puente:
10697: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 62:cb:37:3c:c0:70 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.105/24 brd 192.168.1.255 scope global br0
valid_lft forever preferred_lft forever
inet6 fe80::60cb:37ff:fe3c:c070/64 scope link
valid_lft forever preferred_lft forever
Creé la interfaz de red KVM usando el puente br0
virsh net-edit br0producción:
<network>
<name>br0</name>
<uuid>d277e3d1-b34e-4b1f-ae69-6a3c8f75626c</uuid>
<forward mode='bridge'/>
<bridge name='br0'/>
</network>
developer@serv31:~$ virsh net-list
Name State Autostart Persistent
----------------------------------------------------------
br0 active yes yes
default active yes yes
Información de la interfaz del dominio invitado KVM:
<interface type='network'>
<mac address='52:54:00:14:dc:af'/>
<source network='br0'/>
<model type='rtl8139'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
En la VM invitada configuré netplan para darle una IP estática. Arrancó con la IP configurada.
$ cat 50-cloud-init.yaml
network:
version: 2
ethernets:
ens3:
addresses: [192.168.1.50/24]
gateway4: 192.168.1.1
nameservers:
addresses: [x.x.x.x, x.x.x.x]
dhcp4: false
Salida de VM invitada ip a:
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:14:dc:af brd ff:ff:ff:ff:ff:ff
inet 192.168.1.50/24 brd 192.168.1.255 scope global ens3
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe14:dcaf/64 scope link
valid_lft forever preferred_lft forever
La VM invitada puede comunicarse con el sistema host (ping, telnet), el sistema host puede comunicarse con la VM invitada. Pero ningún otro servidor en la red puede llegar a la VM invitada, y la VM invitada tampoco puede acceder a Internet. Por favor ayúdame a solucionar esto. Déjame saber si necesitas más información.
EDITAR :
ip linkproducción :
:~$ ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP mode DEFAULT group default qlen 1000
link/ether 00:21:9b:9a:f2:be brd ff:ff:ff:ff:ff:ff
3: eno2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 00:21:9b:9a:f2:c0 brd ff:ff:ff:ff:ff:ff
4: eno3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 00:21:9b:9a:f2:c2 brd ff:ff:ff:ff:ff:ff
5: eno4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 00:21:9b:9a:f2:c4 brd ff:ff:ff:ff:ff:ff
6: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:b3:0f:d6:24 brd ff:ff:ff:ff:ff:ff
9: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 52:54:00:56:08:1e brd ff:ff:ff:ff:ff:ff
10: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN mode DEFAULT group default qlen 1000
link/ether 52:54:00:56:08:1e brd ff:ff:ff:ff:ff:ff
19219: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether fe:54:00:14:dc:af brd ff:ff:ff:ff:ff:ff
8744: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master virbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether fe:54:00:6f:20:0f brd ff:ff:ff:ff:ff:ff
10950: vnet2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master virbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether fe:54:00:c1:0e:86 brd ff:ff:ff:ff:ff:ff
10697: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 62:cb:37:3c:c0:70 brd ff:ff:ff:ff:ff:ff
10971: vnet3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether fe:54:00:a4:13:1c brd ff:ff:ff:ff:ff:ff
reglas de iptable que contienen virbr0 y br0
:~$ sudo iptables-save | grep br0
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o br0 -j MASQUERADE
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i virbr0 -o br0 -j ACCEPT
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
Respuesta1
sudo iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
sudo iptables -A FORWARD -i br0 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i virbr0 -o br0 -j ACCEPT
sudo iptables -I FORWARD 1 -i br0 -o br0 -j ACCEPT
Las reglas anteriores solucionaron el problema.