KVM virtualization notes (part 2): NAT internet access
After KVM is installed there are two network connection modes: NAT (guests attach to the virbr0 interface) and bridge (guests attach to br0, br1, etc.). Since a guest is usually given a NAT interface on virbr0 for shared internet access, this post mainly covers the host-side iptables configuration that lets KVM guests on the 192.168.122.X subnet reach the internet directly once they are set up.
1. Enable IP forwarding
Open /etc/sysctl.conf, find the ip_forward entry and change it to:
net.ipv4.ip_forward = 1
2. Change the iptables configuration as follows:
[root@localhost qemu]# cat /etc/sysconfig/iptables
*nat
:PREROUTING ACCEPT [193:185421]
:POSTROUTING ACCEPT [177:10242]
:OUTPUT ACCEPT [4:320]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Tue Jul 9 11:23:56 2013
# Generated by iptables-save v1.4.7 on Tue Jul 9 11:23:56 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [549:80184]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.122.0/24 -i br1 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Jul 9 11:23:56 2013
# Generated by iptables-save v1.4.7 on Tue Jul 9 11:23:56 2013
*mangle
:PREROUTING ACCEPT [56905:10171652]
:INPUT ACCEPT [553:43971]
:FORWARD ACCEPT [56352:10127681]
:OUTPUT ACCEPT [549:80184]
:POSTROUTING ACCEPT [56901:10207865]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Tue Jul 9 11:23:56 2013
# Generated by iptables-save v1.4.7 on Tue Jul 9 11:23:56 2013
After changing the iptables configuration, restart the iptables service so the new rules are loaded.
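As an added example (not from the original post), the following Python audit checks a saved iptables dump for the pieces the NAT path above depends on: ip_forward enabled, a MASQUERADE rule for the guest subnet that excludes guest-to-guest traffic, FORWARD rules that let traffic leave virbr0 and let replies come back, and it lists any stateless ACCEPT that admits new connections into the guest subnet from another interface (such as the br1 rule above) so you can confirm it is intended. The sample dump is a constructed, trimmed version of the rules shown above; the function names are this example's own.

```python
# Constructed sample (assumption): the nat and filter rules from the post, trimmed.
SAMPLE_DUMP = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -i br1 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse_iptables_save(text):
    """Map each table name to its list of (chain, rule) pairs, in file order."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. *nat
            table = line[1:]
            tables[table] = []
        elif line.startswith("-A ") and table is not None:
            chain, _, rule = line[3:].partition(" ")
            tables[table].append((chain, rule))
    return tables

def audit_kvm_nat(text, ip_forward, subnet="192.168.122.0/24", bridge="virbr0"):
    """Return findings as strings; an empty list means the guest NAT path is complete."""
    tables = parse_iptables_save(text)
    findings = []
    if ip_forward != 1:
        findings.append("net.ipv4.ip_forward is not 1; the host will not route guest traffic")
    post = [r for c, r in tables.get("nat", []) if c == "POSTROUTING"]
    if not any(f"-s {subnet}" in r and f"! -d {subnet}" in r and "-j MASQUERADE" in r for r in post):
        findings.append(f"no MASQUERADE rule for {subnet} that excludes guest-to-guest traffic")
    fwd = [r for c, r in tables.get("filter", []) if c == "FORWARD"]
    if not any(f"-s {subnet}" in r and f"-i {bridge}" in r and r.endswith("-j ACCEPT") for r in fwd):
        findings.append(f"FORWARD does not ACCEPT traffic leaving {bridge}")
    if not any(f"-o {bridge}" in r and "ESTABLISHED" in r and r.endswith("-j ACCEPT") for r in fwd):
        findings.append(f"FORWARD does not ACCEPT reply traffic back into {bridge}")
    for r in fwd:  # stateless ACCEPT of new connections into the guest subnet from elsewhere
        if f"-d {subnet}" in r and r.endswith("-j ACCEPT") and "--state" not in r and bridge not in r:
            findings.append(f"new inbound connections into {subnet} are allowed: {r}")
    return findings
```

On a real host, feed it the output of iptables-save and the value of /proc/sys/net/ipv4/ip_forward.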
Finally, a quick note on bridge mode: to enable it, change the guest's network interface definition in its XML file to the following:
<interface type='bridge'>
  <mac address='52:54:00:f9:bd:b8'/>
  <source bridge='br0'/>
</interface>
Here br0 is the bridge interface attached to the host's physical NIC (e.g. eth0).
If you do not need the NAT virbr0 interface, it can be removed as follows (not recommended):
# virsh net-destroy default
# virsh net-undefine default
# service libvirtd restart
The mapping between bridges and their member interfaces can be checked with the following command:
[root@localhost qemu]# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.c81f66bbe018       no              em1
virbr0          8000.52540081c656       yes             virbr0-nic
                                                        vnet0
                                                        vnet1
- Author: shisekong
- Link: https://blog.361way.com/kvm-nat-access-internet/3156.html
- License: This work is under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. Kindly fulfill the requirements of the aforementioned License when adapting or creating a derivative of this work.