KVM网络配置(三)—— 使用网桥NAT模式

 

简介

NAT(Network Address Translation,网络地址转换)。借助于NAT,私有(保留)地址的"内部"网络通过路由器发送数据包时,私有地址被转换成合法的IP地址,一个局域网只需使用少量IP地址(甚至是1个)即可实现私有地址网络内所有计算机与Internet的通信需求。

 

举个栗子!

guest IP:192.168.122.2
host IP  :10.200.200.100

虚拟机访问外部网络时,数据包的 IP 地址变化如下
192.168.122.2 --> www.baidu.com
10.200.200.100 --> www.baidu.com
www.baidu.com --> 10.200.200.100
www.baidu.com --> 192.168.122.2

 

NAT 模式 需要物理机内核支持 NAT 相关的选项

如下

#
# Core Netfilter Configuration
#
CONFIG_NETFILTER_NETLINK=m
CONFIG_NF_NAT=m
CONFIG_NF_NAT_NEEDED=y
CONFIG_NF_NAT_PROTO_DCCP=y
CONFIG_NF_NAT_PROTO_UDPLITE=y
CONFIG_NF_NAT_PROTO_SCTP=y
CONFIG_NF_NAT_AMANDA=m
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_IRC=m
CONFIG_NF_NAT_SIP=m
CONFIG_NF_NAT_TFTP=m
CONFIG_NF_NAT_REDIRECT=m

检查 NAT 相关模块是否加载

[root@localhost ~]# lsmod | grep nat
nf_nat_masquerade_ipv4    13463  1 ipt_MASQUERADE
ebtable_nat            12807  1 
ip6table_nat           12864  1 
iptable_nat            12875  1 
ebtables               35009  3 ebtable_broute,ebtable_nat,ebtable_filter
ip6_tables             26912  5 ip6table_filter,ip6table_mangle,ip6table_security,ip6table_nat,ip6table_raw
ip_tables              27126  5 iptable_security,iptable_filter,iptable_mangle,iptable_nat,iptable_raw
nf_nat_ipv6            14131  2 openvswitch,ip6table_nat
nf_nat_ipv4            14115  2 openvswitch,iptable_nat
nf_nat                 26583  4 openvswitch,nf_nat_ipv4,nf_nat_ipv6,nf_nat_masquerade_ipv4
nf_conntrack          139264  8 openvswitch,nf_nat,nf_nat_ipv4,nf_nat_ipv6,xt_conntrack,nf_nat_masquerade_ipv4,nf_conntrack_ipv4,nf_conntrack_ipv6
libcrc32c              12644  4 xfs,openvswitch,nf_nat,nf_conntrack
[root@localhost ~]# 


所需软件包

bridge-utils:管理 bridge
iptables:设置 NAT 规则
dnsmasq:轻量级的 DHCP 和 DNS 服务器的工具

配置 NAT 模式 具体操作

创建 bridge,设置 bridge 的内网 IP

[root@localhost ~]# brctl addbr br0
[root@localhost ~]# brctl stp br0 on
[root@localhost ~]# ifconfig br0 192.168.22.1/24 up
[root@localhost ~]# 
[root@localhost ~]# brctl show
bridge name	bridge id		STP enabled	interfaces
br0		8000.000000000000	yes		
[root@localhost ~]# ifconfig br0
br0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.22.1  netmask 255.255.255.0  broadcast 192.168.22.255
        inet6 fe80::1cfd:6bff:fe33:cae5  prefixlen 64  scopeid 0x20<link>
        ether 00:00:00:00:00:00  txqueuelen 1000  (Ethernet)
        RX packets 842  bytes 125209 (122.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 257  bytes 26024 (25.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@localhost ~]# 


使能 ip_forward(直接写 /proc 只对本次运行有效,重启后需要重新设置或写入 sysctl 配置)

[root@localhost ~]# 
[root@localhost ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@localhost ~]# 


设置 iptables 的 NAT 规则(下面这条 MASQUERADE 规则没有用 -o 限定出口网卡,会对所有离开 192.168.22.0/24 的流量改写源地址;能否转发还取决于 filter 表 FORWARD 链的策略)

[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.22.0/24 ! -d 192.168.22.0/24 -j MASQUERADE
[root@localhost ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  192.168.22.0/24     !192.168.22.0/24     
     
[root@localhost ~]# 


启动 dnsmasq 作为一个简单的 DHCP 服务器(--interface=br0 加 --bind-interface 使其只在网桥上监听,不会在物理网卡上提供 DHCP/DNS 服务)

[root@localhost ~]# dnsmasq --strict-order \
> --except-interface=lo \
> --interface=br0 \
> --listen-address=192.168.22.1 \
> --bind-interface \
> --dhcp-range=192.168.22.2,192.168.22.254 \
> --conf-file="" \
> --pid-file=/var/run/qemu-dhcp-br0.pid \
> --dhcp-leasefile=/var/run/qemu-dhcp-br0.leases \
> --dhcp-no-override
[root@localhost ~]# 
[root@localhost ~]# ps aux | grep dnsmasq
nobody   19113  0.0  0.0  53904  1096 ?        S    05:20   0:00 dnsmasq --strict-order --except-interface=lo --interface=br0 --listen-address=192.168.22.1 --bind-interface --dhcp-range=192.168.22.2,192.168.22.254 --conf-file= --pid-file=/var/run/qemu-dhcp-br0.pid --dhcp-leasefile=/var/run/qemu-dhcp-br0.leases
[root@localhost ~]# 

创建一个 /etc/qemu-ifup 文件,用于虚拟机启动后,将虚拟机的网络接口 tap(由 qemu 以第一个参数 $1 传入)与 bridge 绑定

[root@localhost ~]# cat /etc/qemu-ifup 
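#!/bin/bash
# qemu-ifup: invoked by qemu with the tap interface name as $1 after the
# guest starts. Brings the tap up and attaches it to the NAT bridge.
#
# Arguments: $1 - tap interface name supplied by qemu
# Returns:   0 on success; aborts on the first failing command
set -eu

# Name of the bridge created on the host (brctl addbr br0).
readonly switch=br0

# Refuse to run without an interface name instead of passing an empty
# argument to ifconfig/brctl.
tap=${1:?usage: $0 <tap-interface>}

ifconfig "$tap" up
brctl addif "$switch" "$tap"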
[root@localhost ~]# 

 

启动虚拟机验证

[root@localhost ~]# 
[root@localhost ~]# /usr/libexec/qemu-kvm centos70-64.qcow2 -enable-kvm -smp 2 -m 2G -device virtio-net-pci,netdev=vnet0 -netdev tap,id=vnet0 -monitor telnet::3333,server,nowait -serial stdio
VNC server running on ::1:5900

CentOS Linux 7 (Core)
Kernel 3.10.0-1127.el7.x86_64 on an x86_64

localhost login: root
Password: 
Last login: Thu May 20 07:19:40 on ttyS0
root@kvm-guest:~# ifconfig 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::1598:9a63:7559:846f  prefixlen 64  scopeid 0x20<link>
        ether 9a:18:a1:09:f0:3c  txqueuelen 1000  (Ethernet)
        RX packets 2  bytes 149 (149.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 16  bytes 2236 (2.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@kvm-guest:~# dhclient
root@kvm-guest:~# ifconfig -a
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.22.119  netmask 255.255.255.0  broadcast 192.168.22.255
        inet6 fe80::1598:9a63:7559:846f  prefixlen 64  scopeid 0x20<link>
        ether 9a:18:a1:09:f0:3c  txqueuelen 1000  (Ethernet)
        RX packets 19  bytes 3256 (3.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 58  bytes 9431 (9.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

sit0: flags=128<NOARP>  mtu 1480
        sit  txqueuelen 1000  (IPv6-in-IPv4)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@kvm-guest:~# 
root@kvm-guest:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.22.1    0.0.0.0         UG    0      0        0 eth0
192.168.22.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
root@kvm-guest:~# 
root@kvm-guest:~# 
root@kvm-guest:~# cat /etc/resolv.conf
nameserver 192.168.22.1
root@kvm-guest:~# 
root@kvm-guest:~# ping www.baidu.com -c 5
PING www.a.shifen.com (110.242.68.3) 56(84) bytes of data.
64 bytes from 110.242.68.3 (110.242.68.3): icmp_seq=1 ttl=49 time=32.4 ms
64 bytes from 110.242.68.3 (110.242.68.3): icmp_seq=2 ttl=49 time=32.1 ms
64 bytes from 110.242.68.3 (110.242.68.3): icmp_seq=3 ttl=49 time=37.8 ms
64 bytes from 110.242.68.3 (110.242.68.3): icmp_seq=4 ttl=49 time=15.8 ms
64 bytes from 110.242.68.3 (110.242.68.3): icmp_seq=5 ttl=49 time=26.2 ms

--- www.a.shifen.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 10ms
rtt min/avg/max/mdev = 15.767/28.843/37.801/7.500 ms
root@kvm-guest:~# 
root@kvm-guest:~# 

 

恢复环境

删除 bridge

[root@localhost ~]# 
[root@localhost ~]# ifconfig br0 down
[root@localhost ~]# brctl delbr br0
[root@localhost ~]# brctl show
bridge name	bridge id		STP enabled	interfaces

 

删除 iptables 规则

删除 NAT 所有规则
[root@localhost ~]# iptables -t nat -F 
[root@localhost ~]# 

删除指定某条规则(查看: iptables -L -t nat --line-num)
[root@localhost ~]# iptables -t nat -D POSTROUTING 6

kill dnsmasq 进程(其 PID 记录在启动时指定的 /var/run/qemu-dhcp-br0.pid 中)


版权声明:本文为wozaiyizhideng原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接和本声明。