KVM networking and iptables

I was writing a Python script to query the SUSE Manager API to get some data about systems that are bare-metal, so no VM. I installed my spare laptop and wanted to register it against my SUSE Manager installed in a VM on my other laptop, which has KVM and hosts all my lab VMs.

The challenge is how a SUSE Manager that runs in a VM on a KVM host can manage other systems in the physical network.

SUSE Manager (eth0) is on VM 1, which uses the KVM NAT network (virbr0 and vnet1), and should manage Host 2, which is reachable via the host network (WLAN) of Host 1.

Host 1 is a KVM hypervisor host running Linux and Host 2 is another Linux machine. Host 1 and Host 2 are in the same physical network via WLAN and both have wireless network cards.

The SUSE Manager VM currently uses only a KVM NAT network interface.

KVM - VM1 on Host1 <------> Host 2

Steps to get the network working:

1. On KVM Host 1 create a new KVM network "new-net1" of type "bridge" with an IP subnet, e.g.

2. On KVM Host 1 attach a new network interface on the "new-net1" network to VM 1 and boot it. If the VM only had eth0 before, it gets a new NIC "eth1"; assign an IP to eth1, e.g.

3. On Host 2, the system that SUSE Manager should manage, add an IP route, e.g.

ip route add via

- the destination is the "new-net1" (virbr2) network on KVM Host 1
- the gateway is the IP of KVM Host 1 (wlp2s0, the WLAN NIC)

4. On KVM Host 1 add one iptables NAT rule to masquerade the source IP.

sudo iptables -t nat -A POSTROUTING -o virbr2 -j MASQUERADE

Why do we need this?

-A POSTROUTING -o virbr2 -j MASQUERADE means: for all packets that arrive on KVM Host 1 but need to go further out via virbr2 to reach the IP of the SUSE Manager VM, the source IP is changed to the IP of KVM Host 1 (masqueraded). Without this, the VM would see Host 2's WLAN address as the source and send its replies over its default route (eth0 on the NAT network) instead of back through eth1, so the connection would not work.

Now Host 2 is able to reach VM 1 on Host 1 (SSH, ping, HTTPS etc.).

To verify and see the iptables rules, run:

sudo iptables -t nat -L -v --line-numbers

Chain POSTROUTING (policy ACCEPT 34792 packets, 2412K bytes)
num pkts bytes target prot opt in out source destination
1 32 2311 RETURN all -- any any base-address.mcast.net/24
2 0 0 RETURN all -- any any
3 1455 87304 MASQUERADE tcp -- any any ! masq ports: 1024-65535
4 13 962 MASQUERADE udp -- any any ! masq ports: 1024-65535
5 2 168 MASQUERADE all -- any any !
6 300 18141 MASQUERADE all -- any virbr2 anywhere anywhere

If you want to delete a rule, run this command with the chain name and the number of the respective rule (rule 6 is the virbr2 MASQUERADE rule above).

sudo iptables -t nat -D POSTROUTING 6
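As an added example (not part of the original post), a small Python helper that parses the listing from `iptables -t nat -L -v --line-numbers`, finds rules by target and out-interface, flags MASQUERADE rules with no source/destination restriction, and emits the delete-by-number commands in the right order. The addresses in its sample listing are constructed.

```python
from typing import Dict, List, Optional

# Constructed sample of `sudo iptables -t nat -L -v --line-numbers` for the POSTROUTING
# chain: libvirt's default-network rules plus the virbr2 MASQUERADE rule from step 4.
# Addresses are made up for this example; only the column layout matches real output.
SAMPLE_LISTING = """\
Chain POSTROUTING (policy ACCEPT 34792 packets, 2412K bytes)
num   pkts bytes target     prot opt in     out     source            destination
1       32  2311 RETURN     all  --  any    any     192.0.2.0/24      base-address.mcast.net/24
2        0     0 RETURN     all  --  any    any     192.0.2.0/24      255.255.255.255
3     1455 87304 MASQUERADE tcp  --  any    any     192.0.2.0/24     !192.0.2.0/24     masq ports: 1024-65535
4       13   962 MASQUERADE udp  --  any    any     192.0.2.0/24     !192.0.2.0/24     masq ports: 1024-65535
5        2   168 MASQUERADE all  --  any    any     192.0.2.0/24     !192.0.2.0/24
6      300 18141 MASQUERADE all  --  any    virbr2  anywhere          anywhere
"""

COLUMNS = ("num", "pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination")


def parse_chain(listing: str) -> List[Dict[str, str]]:
    """Turn the numbered listing into one dict per rule; trailing match text goes in 'extra'."""
    rules = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < len(COLUMNS) or not fields[0].isdigit():
            continue  # skip the "Chain ..." banner and the header row
        rule = dict(zip(COLUMNS, fields))
        rule["extra"] = " ".join(fields[len(COLUMNS):])
        rules.append(rule)
    return rules


def find_rules(rules: List[Dict[str, str]], target: str, out: Optional[str] = None) -> List[int]:
    """Rule numbers whose target (and, if given, out-interface) match."""
    return [int(r["num"]) for r in rules
            if r["target"] == target and (out is None or r["out"] == out)]


def broad_masquerade(rules: List[Dict[str, str]]) -> List[int]:
    """MASQUERADE rules with no source or destination restriction. They rewrite every
    forwarded packet leaving that interface, not just Host 2's, so they deserve a review."""
    return [int(r["num"]) for r in rules
            if r["target"] == "MASQUERADE" and r["source"] == "anywhere" and r["destination"] == "anywhere"]


def delete_commands(rules: List[Dict[str, str]], target: str, out: Optional[str] = None) -> List[str]:
    """Delete-by-number commands, highest number first: deleting rule N renumbers every
    rule after it, so deleting in ascending order would remove the wrong rules."""
    return [f"sudo iptables -t nat -D POSTROUTING {n}"
            for n in sorted(find_rules(rules, target, out), reverse=True)]
```

Feed it the real listing with `parse_chain(subprocess.check_output([...], text=True))`; the sample only stands in for that output.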


German-language NAT tutorial: https://www.karlrupp.net/de/computer/nat_tutorial

