I have a single-NIC host on CentOS 7 which I want to use for virtualization with KVM/QEMU.
HOST
The host IP is 192.168.1.110 and the interface is enp0s31f6.
I have deleted the "default" NAT configuration from libvirt.
Then I created 2 interfaces from virt-manager, which are:
virsh net-list
Name State Autostart Persistent
----------------------------------------------------------
ext active yes yes
int active yes yes
virsh net-dumpxml ext
<network connections='1'>
  <name>ext</name>
  <uuid>99ea2f5d-8557-4141-9e90-0ac0619a6261</uuid>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr2' stp='on' delay='0'/>
  <mac address='52:54:00:41:32:d9'/>
  <domain name='ext'/>
  <ip address='172.16.2.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='172.16.2.128' end='172.16.2.254'/>
    </dhcp>
  </ip>
</network>
virsh net-dumpxml int
<network connections='2'>
  <name>int</name>
  <uuid>bcc129a2-0d06-4a44-903b-60181f7cbb48</uuid>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr3' stp='on' delay='0'/>
  <mac address='52:54:00:ef:7a:ee'/>
  <domain name='int'/>
  <ip address='10.1.1.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='10.1.1.128' end='10.1.1.254'/>
    </dhcp>
  </ip>
</network>
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 enp0s31f6
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr3
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 enp0s31f6
172.16.2.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr2
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 enp0s31f6
iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 10.1.1.0/24 224.0.0.0/24
0 0 RETURN all -- * * 10.1.1.0/24 255.255.255.255
0 0 MASQUERADE tcp -- * * 10.1.1.0/24 !10.1.1.0/24 masq ports: 1024-65535
0 0 MASQUERADE udp -- * * 10.1.1.0/24 !10.1.1.0/24 masq ports: 1024-65535
0 0 MASQUERADE all -- * * 10.1.1.0/24 !10.1.1.0/24
0 0 RETURN all -- * * 172.16.2.0/24 224.0.0.0/24
0 0 RETURN all -- * * 172.16.2.0/24 255.255.255.255
0 0 MASQUERADE tcp -- * * 172.16.2.0/24 !172.16.2.0/24 masq ports: 1024-65535
0 0 MASQUERADE udp -- * * 172.16.2.0/24 !172.16.2.0/24 masq ports: 1024-65535
0 0 MASQUERADE all -- * * 172.16.2.0/24 !172.16.2.0/24
0 0 RETURN all -- * * 172.16.2.0/24 224.0.0.0/24
0 0 RETURN all -- * * 172.16.2.0/24 255.255.255.255
0 0 MASQUERADE tcp -- * * 172.16.2.0/24 !172.16.2.0/24 masq ports: 1024-65535
0 0 MASQUERADE udp -- * * 172.16.2.0/24 !172.16.2.0/24 masq ports: 1024-65535
0 0 MASQUERADE all -- * * 172.16.2.0/24 !172.16.2.0/24
0 0 RETURN all -- * * 10.1.1.0/24 224.0.0.0/24
0 0 RETURN all -- * * 10.1.1.0/24 255.255.255.255
0 0 MASQUERADE tcp -- * * 10.1.1.0/24 !10.1.1.0/24 masq ports: 1024-65535
0 0 MASQUERADE udp -- * * 10.1.1.0/24 !10.1.1.0/24 masq ports: 1024-65535
0 0 MASQUERADE all -- * * 10.1.1.0/24 !10.1.1.0/24
0 0 MASQUERADE all -- * enp0s31f6 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * enp0s31f6 10.1.1.0/24 0.0.0.0/0
iptables -vnL
Chain INPUT (policy ACCEPT 83 packets, 8441 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- virbr3 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr3 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr3 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr3 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
0 0 ACCEPT udp -- virbr2 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr2 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
0 0 ACCEPT udp -- virbr2 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr2 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
0 0 ACCEPT udp -- virbr3 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr3 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr3 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr3 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
41 5578 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * virbr3 0.0.0.0/0 10.1.1.0/24 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- virbr3 * 10.1.1.0/24 0.0.0.0/0
0 0 ACCEPT all -- virbr3 virbr3 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * virbr3 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- virbr3 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- * virbr2 0.0.0.0/0 172.16.2.0/24 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- virbr2 * 172.16.2.0/24 0.0.0.0/0
0 0 ACCEPT all -- virbr2 virbr2 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * virbr2 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- virbr2 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- * virbr2 0.0.0.0/0 172.16.2.0/24 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- virbr2 * 172.16.2.0/24 0.0.0.0/0
0 0 ACCEPT all -- virbr2 virbr2 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * virbr2 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- virbr2 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- * virbr3 0.0.0.0/0 10.1.1.0/24 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- virbr3 * 10.1.1.0/24 0.0.0.0/0
0 0 ACCEPT all -- virbr3 virbr3 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * virbr3 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- virbr3 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 ACCEPT all -- enp0s31f6 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * enp0s31f6 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 36 packets, 4389 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * virbr3 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ACCEPT udp -- * virbr2 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ACCEPT udp -- * virbr2 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ACCEPT udp -- * virbr3 0.0.0.0/0 0.0.0.0/0 udp dpt:68
10 664 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0
GUEST
In the guests, I have 2 VMs: vm1 is attached to both the int and ext interfaces, and vm2 is attached to the int interface.
vm1
eth0 10.1.1.12/24
eth1 172.16.2.12/24 (I left the DNS column blank)
vm2
eth0 10.1.1.13/24
I am using NetworkManager to manage the network.
The problem is:
- vm2 won't connect to the outside world or ping the other guest (vm1), even if I let DHCP assign the address. However, if I attach vm2 to the 'ext' interface and let DHCP assign the IP, it can connect and ping the outside world. (This also happens with vm1.)
- When I assign a static IP to vm1 and vm2, the connection stops.
- I have added interface=int and also tried interface=virbr0 in /etc/dnsmasq.conf, but still nothing happens.
Basically, my intention is that both ext and int can connect to the Internet; the split is used for function separation only.
Any help is appreciated.
Best Answer
The INPUT and OUTPUT tables are used for local processes on the host server. Virtual machines are not local processes.
In the FORWARD table, move the next line to the end of the table:
The OUTPUT table has many duplications, and all the rules and the default permission allow everything.
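To see why rule order in the FORWARD chain matters, here is an added example in Python (not code from the question or the answer) that parses a chain in the `iptables -vnL` format, evaluates packets against it first-match the way netfilter does, and lists rules that can never fire because an earlier rule already covers everything they match. The chain embedded in it is a constructed, de-duplicated copy of the question's FORWARD chain; the packet flows it checks (vm2 to the Internet, the reply, an unsolicited connection from the LAN to vm2, and vm1's ext address reaching vm2 across the two bridges) are assumed for illustration.

```python
"""Simulate iptables first-match evaluation of a chain captured with
`iptables -vnL`.  Added example, not code from the original post.
Supported matches: proto, in/out interface, src/dst network (with '!'
negation as used in the NAT table), ctstate/state, and
'PHYSDEV match --physdev-is-bridged'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the FORWARD chain from the question with each libvirt
# rule set kept once so the listing stays short.
SAMPLE_FORWARD = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- * virbr3 0.0.0.0/0 10.1.1.0/24 ctstate RELATED,ESTABLISHED
    0     0 ACCEPT all -- virbr3 * 10.1.1.0/24 0.0.0.0/0
    0     0 ACCEPT all -- virbr3 virbr3 0.0.0.0/0 0.0.0.0/0
    0     0 REJECT all -- * virbr3 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
    0     0 REJECT all -- virbr3 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
    0     0 ACCEPT all -- * virbr2 0.0.0.0/0 172.16.2.0/24 ctstate RELATED,ESTABLISHED
    0     0 ACCEPT all -- virbr2 * 172.16.2.0/24 0.0.0.0/0
    0     0 ACCEPT all -- virbr2 virbr2 0.0.0.0/0 0.0.0.0/0
    0     0 REJECT all -- * virbr2 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
    0     0 REJECT all -- virbr2 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
    0     0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged
    0     0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
    0     0 ACCEPT all -- enp0s31f6 * 0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT all -- * enp0s31f6 0.0.0.0/0 0.0.0.0/0
"""


@dataclass
class Rule:
    target: str
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str
    ctstates: Optional[set] = None   # None: no conntrack match on this rule
    bridged: bool = False            # True: --physdev-is-bridged required


@dataclass
class Packet:
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str
    ctstate: str = "NEW"
    bridged: bool = False


def parse_chain(text):
    """Return (policy, [Rule]) from one chain of `iptables -vnL` output."""
    lines = text.strip().splitlines()
    policy = lines[0].split("(policy ")[1].split()[0]
    rules = []
    for line in lines[2:]:               # skip chain header and column header
        tok = line.split()
        _pkts, _bytes, target, proto, _opt, in_if, out_if, src, dst = tok[:9]
        rule = Rule(target, proto, in_if, out_if, src, dst)
        extra, i = tok[9:], 0
        while i < len(extra):
            if extra[i] in ("ctstate", "state"):
                rule.ctstates = set(extra[i + 1].split(","))
                i += 2
            elif extra[i] == "reject-with":   # target option, not a match
                i += 2
            elif extra[i:i + 3] == ["PHYSDEV", "match", "--physdev-is-bridged"]:
                rule.bridged = True
                i += 3
            else:
                raise ValueError("unsupported match: " + " ".join(extra[i:]))
        rules.append(rule)
    return policy, rules


def _net_matches(spec, addr):
    negated = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negated


def matches(rule, pkt):
    return (rule.proto in ("all", pkt.proto)
            and rule.in_if in ("*", pkt.in_if)
            and rule.out_if in ("*", pkt.out_if)
            and _net_matches(rule.src, pkt.src)
            and _net_matches(rule.dst, pkt.dst)
            and (rule.ctstates is None or pkt.ctstate in rule.ctstates)
            and (not rule.bridged or pkt.bridged))


def evaluate(policy, rules, pkt):
    """First matching rule wins; returns (verdict, rule index or None)."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.target, i
    return policy, None


def _covers(a, b):
    """True if every packet that matches rule b also matches rule a."""
    def net_covers(sa, sb):
        if sa.startswith("!") or sb.startswith("!"):
            return sa == sb
        return ipaddress.ip_network(sb, strict=False).subnet_of(
            ipaddress.ip_network(sa, strict=False))
    return (a.proto in ("all", b.proto)
            and a.in_if in ("*", b.in_if)
            and a.out_if in ("*", b.out_if)
            and net_covers(a.src, b.src)
            and net_covers(a.dst, b.dst)
            and (a.ctstates is None
                 or (b.ctstates is not None and b.ctstates <= a.ctstates))
            and (not a.bridged or b.bridged))


def shadowed_rules(rules):
    """Indices of rules that can never match because an earlier rule covers them."""
    return [j for j in range(len(rules))
            if any(_covers(rules[i], rules[j]) for i in range(j))]


if __name__ == "__main__":
    policy, rules = parse_chain(SAMPLE_FORWARD)
    flows = {   # assumed flows for illustration
        "vm2 -> Internet": Packet("tcp", "virbr3", "enp0s31f6", "10.1.1.13", "93.184.216.34"),
        "reply -> vm2": Packet("tcp", "enp0s31f6", "virbr3", "93.184.216.34", "10.1.1.13", "ESTABLISHED"),
        "LAN host -> vm2 (new)": Packet("tcp", "enp0s31f6", "virbr3", "192.168.1.50", "10.1.1.13"),
        "vm1 ext -> vm2 via bridges": Packet("icmp", "virbr2", "virbr3", "172.16.2.12", "10.1.1.13"),
    }
    for name, pkt in flows.items():
        print(f"{name:28s} -> {evaluate(policy, rules, pkt)}")
    print("shadowed rule indices:", shadowed_rules(rules))
```

Running it against the question's chain shows the two ACCEPT rules for enp0s31f6 sit behind the blanket `REJECT ... icmp-host-prohibited` and therefore never fire, which is the ordering the answer asks to change, and that libvirt's per-bridge REJECT rule for virbr3 stops any new connection entering that bridge from anywhere except virbr3 itself, including from virbr2: only replies to connections the int guests opened (rule 0) get through.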