KVM networking and iptables

I was writing a Python script to query the SUSE Manager API to get some data about systems that are bare metal, so no VM. I installed my spare laptop and wanted to register it against my SUSE Manager, which is installed in a VM on my other laptop that has KVM and is hosting all my lab VMs.

The challenge is how to use a SUSE Manager that is running in a VM on a KVM host to manage other systems in physical networks.

SUSE Manager (eth0) is on VM1, which uses the KVM NAT network (virbr0 and vnet1), and it should manage Host 2, which is reachable via Host 1's host network (WLAN).

Host 1 is a KVM hypervisor host running Linux and Host 2 is another Linux host. Hosts 1 and 2 are in the same physical network via WLAN and both have wireless network cards.

SUSE Manager VM is currently only using a KVM NAT network interface.

KVM - VM1 on Host1 <------> Host 2

Steps to get the network working:

1. On KVM Host 1, create a new KVM network "new-net1" of type "bridge" with an IP subnet, e.g. 192.168.100.0/24.

2. On KVM Host 1, attach a new network interface on the "new-net1" network to the VM and boot up VM 1. The VM gets a new NIC "eth1" (if only eth0 existed before); assign an IP to eth1, e.g. 192.168.100.100.

3. On Host 2, the host that should be managed by SUSE Manager, add an IP route, e.g.:

ip route add 192.168.100.0/24 via 192.168.2.250

192.168.100.0/24 is the "new-net1" (virbr2) network on KVM Host 1

192.168.2.250 is the IP of KVM Host 1 (wlp2s0, the WLAN NIC)

4. On KVM Host 1, add one iptables NAT rule to masquerade the source IP:

sudo iptables -t nat -A POSTROUTING -o virbr2 -j MASQUERADE

Why do we need this?

-A POSTROUTING -o virbr2 -j MASQUERADE means: for all packets that arrive on KVM Host 1 but need to go further out via virbr2 to reach 192.168.100.0/24 (192.168.100.100 being the IP of the SUSE Manager VM), the source IP is rewritten to the IP of KVM Host 1 on virbr2 (masqueraded). The VM therefore sees Host 1 as the sender and sends its replies back through Host 1, instead of to an address it has no route for.

Now Host 2 is able to reach (ssh, ping, https, etc.) VM1 on Host 1.

To verify and see the iptables rules, run:

sudo iptables -t nat -L -v --line-numbers

Chain POSTROUTING (policy ACCEPT 34792 packets, 2412K bytes)
num   pkts bytes target     prot opt in     out     source           destination
1       32  2311 RETURN     all  --  any    any     192.168.122.0/24 base-address.mcast.net/24
2        0     0 RETURN     all  --  any    any     192.168.122.0/24 255.255.255.255
3     1455 87304 MASQUERADE tcp  --  any    any     192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
4       13   962 MASQUERADE udp  --  any    any     192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
5        2   168 MASQUERADE all  --  any    any     192.168.122.0/24 !192.168.122.0/24
6      300 18141 MASQUERADE all  --  any    virbr2  anywhere         anywhere

If you want to delete a rule, run this command with the chain name and the number of the respective rule (the -D option needs both; rule 6 is the MASQUERADE rule added above):

sudo iptables -t nat -D POSTROUTING 6
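Rule numbers shift as soon as one rule is deleted, so picking the number by hand is error-prone. As an added example (not part of the original post), the helper below parses the listing shown above, selects rules by column values such as target and out-interface, emits the matching delete commands highest number first, and flags MASQUERADE rules that match any source and destination. The listing is the post's output, re-typed here as a constructed sample.

```python
# Constructed sample: the `iptables -t nat -L -v --line-numbers` output quoted in the post
SAMPLE_LISTING = """\
Chain POSTROUTING (policy ACCEPT 34792 packets, 2412K bytes)
num   pkts bytes target     prot opt in     out     source           destination
1       32  2311 RETURN     all  --  any    any     192.168.122.0/24 base-address.mcast.net/24
2        0     0 RETURN     all  --  any    any     192.168.122.0/24 255.255.255.255
3     1455 87304 MASQUERADE tcp  --  any    any     192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
4       13   962 MASQUERADE udp  --  any    any     192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
5        2   168 MASQUERADE all  --  any    any     192.168.122.0/24 !192.168.122.0/24
6      300 18141 MASQUERADE all  --  any    virbr2  anywhere         anywhere
"""

# Column order of `iptables -L -v --line-numbers`; anything after these is the rule's options
FIELDS = ("num", "pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination")


def parse_chain(listing):
    """Parse one chain's listing into a list of dicts, skipping the 'Chain' and header lines."""
    rules = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < len(FIELDS) or not parts[0].isdigit():
            continue
        rule = dict(zip(FIELDS, parts))
        rule["num"] = int(rule["num"])
        rule["extra"] = " ".join(parts[len(FIELDS):])  # e.g. "masq ports: 1024-65535"
        rules.append(rule)
    return rules


def find_rules(rules, **match):
    """Return the rules whose columns equal every keyword given, e.g. target="MASQUERADE", out="virbr2"."""
    return [r for r in rules if all(r.get(col) == val for col, val in match.items())]


def delete_commands(listing, chain="POSTROUTING", **match):
    """Build `iptables -t nat -D <chain> <num>` commands (run as root) for every matching rule.
    Numbers are emitted highest first: deleting rule 3 renumbers 4..n, so deleting in
    ascending order would remove the wrong rules."""
    nums = sorted((r["num"] for r in find_rules(parse_chain(listing), **match)), reverse=True)
    return [f"iptables -t nat -D {chain} {n}" for n in nums]


def broad_masquerade(rules):
    """Numbers of MASQUERADE rules that match any source and any destination, like rule 6 above.
    Adding -s with Host 2's network (an assumption; the post does not give that subnet)
    limits which traffic gets NATed into the VM network."""
    return [r["num"] for r in rules
            if r["target"] == "MASQUERADE" and r["source"] == "anywhere" and r["destination"] == "anywhere"]
```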

References:

German - https://www.karlrupp.net/de/computer/nat_tutorial
