Tuesday, March 14, 2017

kvm virtualization - KVM Ubuntu Guest cannot connect to the internet on bridged networking



I have Ubuntu 14.04 (64 bits) + KVM Host with 2 NICs:
- eth0 connected to the "public" network
- eth1 connected to the br0 bridge with a private ip address range



From Host I can access internet, ping VM Guest and connect to it via SSH.
From VM Guest I can only ping Host, but cannot access Internet and cannot ping google.com




Please help me with connecting VM Guest to the internet in the setup described below:
On Host:



/etc/network/interfaces





auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 192.168.2.60
netmask 255.255.255.0
gateway 192.168.2.254
dns-nameservers 8.8.8.8


auto eth1
iface eth1 inet manual

auto br0
iface br0 inet static
address 10.0.0.1
netmask 255.255.255.0
bridge_ports eth1
bridge_stp off
bridge_maxwait 0
bridge_fd 0

# Create and destroy the bridge automatically.
# (bridge_ports/bridge_fd above already do this via the bridge-utils hooks;
# every command in this file must be prefixed with pre-up/post-up/post-down,
# and brctl takes one sub-command per invocation.)
pre-up brctl addbr br0
post-up ip link set dev br0 up
post-up /usr/sbin/brctl setfd br0 0 && /usr/sbin/brctl addif br0 eth1
post-down brctl delbr br0






KVM Network is defined as:




br0-net
9d24b473-0b4d-4cfa-8b12-7bf267d856ae
# sysctl -p /etc/sysctl.conf




net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0






# route -n




Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.2.254   0.0.0.0         UG    0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0


# iptables -t nat -vnL




Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination


Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
On VM Guest:



/etc/network/interfaces




auto lo
iface lo inet loopback


auto eth0
iface eth0 inet static
address 10.0.0.11
netmask 255.255.255.0





Guest xml is defined as
# route -n




Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0



# iptables -t nat -vnL




Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination


Ping KVM Host from Guest does work for 10.0.0.1 and 192.168.2.60:



$ ping 10.0.0.1





PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.555 ms


$ ping 192.168.2.60




PING 192.168.2.60 (192.168.2.60) 56(84) bytes of data.
64 bytes from 192.168.2.60: icmp_seq=1 ttl=64 time=0.772 ms



Ping a different computer 192.168.2.3 from Guest does not work:




--- 192.168.2.3 ping statistics ---
277 packets transmitted, 0 received, 100% packet loss, time 276399ms


Ping google.com from Guest does not work:





ping: unknown host google.com

Answer



I think you are missing an iptables rule for the masquerade:



iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
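A check added here as an example (not part of the question or the answer): it parses the host's `iptables -t nat -vnL` output, like the empty POSTROUTING chain shown above, together with the sysctl settings, and reports whether the host will both route and masquerade 10.0.0.0/24 out of eth0. The sample tables are constructed from the question's output; the rule line in FIXED_NAT is what the answer's command produces (with made-up counters).

```python
import ipaddress
import re

# Constructed sample: the host's empty nat table from the question, then the same
# table after the answer's rule has been added (the counters are made up).
EMPTY_NAT = """\
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""
FIXED_NAT = EMPTY_NAT + "   12   900 MASQUERADE  all  --  *      eth0    10.0.0.0/24          0.0.0.0/0\n"
COLS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination")

def parse_chains(output):
    """Return {chain_name: [rule dict, ...]} parsed from `iptables -t nat -vnL` output."""
    chains, current = {}, None
    for line in output.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = chains.setdefault(m.group(1), [])  # rule list of the chain being read
            continue
        parts = line.split()
        if current is None or not parts or parts[0] == "pkts":
            continue  # blank line or the per-chain column header
        current.append(dict(zip(COLS, parts[:9])))
    return chains

def masquerade_covers(output, guest_net, egress_if):
    """True if POSTROUTING has a MASQUERADE/SNAT rule matching guest_net leaving egress_if."""
    want = ipaddress.ip_network(guest_net)
    for rule in parse_chains(output).get("POSTROUTING", []):
        if rule["target"] not in ("MASQUERADE", "SNAT") or rule["out"] not in ("*", egress_if):
            continue  # not a source-NAT rule, or scoped to a different egress interface
        if want.subnet_of(ipaddress.ip_network(rule["source"])):
            return True
    return False

def diagnose(sysctl_text, nat_output, guest_net, egress_if):
    # Both conditions must hold for guests on guest_net to reach the internet via egress_if.
    findings = []
    if not re.search(r"^net\.ipv4\.ip_forward\s*=\s*1\s*$", sysctl_text, re.M):
        findings.append("net.ipv4.ip_forward is not 1: host will not route guest traffic")
    if not masquerade_covers(nat_output, guest_net, egress_if):
        findings.append(f"no MASQUERADE/SNAT for {guest_net} out {egress_if}: replies cannot return")
    return findings
```

Even with NAT in place, the guest's interfaces file above sets no dns-nameservers, so `ping: unknown host google.com` is a resolver failure that will persist until the guest is given a nameserver; test reachability by IP address first, then fix DNS.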
