Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I find myself in a position of having to set up something that is a bit over my head from a network perspective.
We (my coworkers and I) have a server colocated in our ISP's racks. The machine is hosting a number of kvm guests. These kvm guests are being provided for free as a service to the software development community in which we are involved, but we are running out of our allotment of static IP addresses, and are unable to pay for more.
We're only providing ssh and https access to these kvm guests, and the users of these guests don't have a problem with specifying a port. What we'd like to do is give the guests private IP addresses (10.0.0.0/8), use the existing static IPs on the host machines for access to all of them, and use NAT with iptables on the host, so that, from the outside, something like this:
ssh [public ip] -p 51000
will go to the normal ssh port on the guest having IP address 10.0.0.22. We'd do something similar for https access, and just keep using higher and higher port numbers for additional kvm guests.
My difficulty is that first, I don't know whether I need bridged, NAT, or host-only networking on the KVM side. If bridged, I don't know what interface I need to bridge the guest NICs to, to make iptables NAT work this way, or what interfaces to specify in the iptables NAT rules.
Been a Linux software developer for years, and did Solaris administration for years too, but this kvm networking stuff makes me feel like a dumb newbie all over again.
Any pointers? If there's documentation online, my Google-fu is failing me.
The way I read your post, you already have a bunch of kvm guests up and running, and accessible over ssh and https. So you should know how to set up networking - or maybe someone else did that, but then you just need to check the config and use the same?
I haven't used kvm, only Xen, OpenVZ and VirtualBox, but I guess in kvm you use bridged networking.
I don't know anything about the host, does it have some kind of GUI - web or control panel of any kind - or is it only cli? What system is it running?
What you do is create a new NIC for the guest and bridge it to the host's bridge interface.
Then in iptables (running on host I assume? - dangerous, no real firewall then!) you forward from a public ip to the guests ip address.
If you need more info, please post the ip configuration of host ("ifconfig" or "ip addr") and answer the questions above.
Quote:
Originally Posted by pingu
The way I read your post, you already have a bunch of kvm guests up and running, and accessible over ssh and https. So you should know how to set up networking - or maybe someone else did that, but then you just need to check the config and use the same?
The host has its own public and static IP address, from a 216.xxx.xxx.xxx/27 block. Currently, the guests have public and static addresses from the same /27 block, all bridged to eth0. This configuration works, but we want to move the guests to a 10.0.0.0/8 network, and access their ssh and https ports (22 and 443) on the host's public address from higher ports (51xxx) via NAT. This is so that we can get back some of our /27 block for use by other customers who pay for us to host their virtual machines.
Quote:
Originally Posted by pingu
I haven't used kvm, only Xen, OpenVZ and VirtualBox, but I guess in kvm you use bridged networking.
I don't know anything about the host, does it have some kind of GUI - web or control panel of any kind - or is it only cli? What system is it running?
What you do is create a new NIC for the guest and bridge it to the host's bridge interface.
Then in iptables (running on host I assume? - dangerous, no real firewall then!) you forward from a public ip to the guests ip address.
If you need more info, please post the ip configuration of host ("ifconfig" or "ip addr") and answer the questions above.
The host is running CentOS 6.4, we own the machine, and have root access. We don't have access to the networking hardware: the ISP just gives us an Ethernet cable, and that's it. This is why I'm looking for an iptables-on-the-host solution, which I realize is suboptimal. But, again, these are testbed guest machines provided to our community free of charge.
I can see that you have created a bridge "br0:1" and assigned an IP. But eth1 also has an IP in the same subnet; this is the interface you use for the bridge, so it shall not have an IP.
Below is the configuration I believe should work for you. I can't test anything right now, so please be careful! There is a small risk I missed something.
The config files should look something like below (yes, I have a kvm host; I had forgotten I set one up just before vacation.)
The physical interface to use for internal networks
Code:
# /etc/sysconfig/network-scripts/ifcfg-em2   (em2 here = eth1 on your server)
DEVICE=em2
ONBOOT=yes
BRIDGE=EXT1        # call the bridge whatever you want
HWADDR=d0:67:e5:f3:5b:70
NM_CONTROLLED=no
STP=no
Creating a virtual device, I want two separate internal networks (optionally).
Bridge LAN1 is created the same way, should you want a second internal network.
Then you change your guests so they use bridge EXT1 instead, can't give you cli commands for this right now unfortunately.
You also need to enable ip forwarding on the host, and then configure NAT / masquerading for all the ports.
For ip forwarding:
Code:
sysctl -w net.ipv4.ip_forward=1
# or
echo 1 > /proc/sys/net/ipv4/ip_forward
To make it survive a reboot:
Edit /etc/sysctl.conf, add a line "net.ipv4.ip_forward = 1"
You might want to try this on a test server first, a small mistake in network configuration could result in loss of eth0 leaving your server unreachable.
There is also a package "bridge-utils" that eases the administration of bridges.
The main command to use is brctl.
If it doesn't exist, "yum install bridge-utils" should install it.
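Putting the pieces of the recipe above together (the bridge device, IP forwarding, and the DNAT rules for the "ssh [public ip] -p 51000" scheme from the question), here is an added worked example. It is not code from the thread or from either poster; the thread's own copy of the bridge config did not survive, so that file is my rendering. Assumed, hypothetical values: the host's public address sits on bridge br0 (eth0 enslaved), the guest bridge is EXT1 with the host at 10.0.0.1, and 203.0.113.10 stands in for the poster's 216.xxx.xxx.xxx address. The script prints the iptables commands instead of running them, so they can be reviewed on a test box before being piped into sh on the real host (remember the warning above about losing eth0).

```shell
#!/bin/sh
# Added example, not code from the thread. Renders pingu's recipe for the
# original poster's setup: guests on 10.0.0.0/8 behind an internal bridge,
# reached from outside via high ports on the host's public address.
# Assumed (hypothetical) values: public address on bridge br0 (eth0
# enslaved), guest bridge EXT1, and 203.0.113.10 as a placeholder for the
# poster's real 216.xxx.xxx.xxx address.

PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # placeholder for the real public IP
WAN_IF="${WAN_IF:-br0}"                  # interface carrying the public IP
LAN_IF="${LAN_IF:-EXT1}"                 # bridge the guests attach to
GUEST_NET="10.0.0.0/8"

# ifcfg file for the EXT1 bridge (my rendering; the thread's copy was lost).
# The host takes 10.0.0.1 on it; guests use that as their default gateway.
bridge_ifcfg() {
    cat <<EOF
# /etc/sysconfig/network-scripts/ifcfg-$LAN_IF
DEVICE=$LAN_IF
TYPE=Bridge
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.0.0.1
NETMASK=255.0.0.0
NM_CONTROLLED=no
STP=no
DELAY=0
EOF
}

# Rules emitted once: forwarding on, default-deny FORWARD so only the mapped
# ports reach guests, and masquerading so guests can go out via the public IP.
base_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE"
}

# Rules for one guest. $1 = guest IP, $2 = external port for ssh,
# $3 = external port for https. Printed rather than executed so they can be
# reviewed first and then applied with:  nat_rules 10.0.0.22 51000 51001 | sh
nat_rules() {
    guest="$1"; ssh_port="$2"; https_port="$3"
    # DNAT rewrites the public high port to the guest's real service port
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp --dport $ssh_port -j DNAT --to-destination $guest:22"
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp --dport $https_port -j DNAT --to-destination $guest:443"
    # FORWARD sees the post-DNAT address, so only 22 and 443 on this guest open
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $guest -p tcp -m multiport --dports 22,443 -m state --state NEW -j ACCEPT"
}

# Stand-alone run: print the whole recipe for the guest from the question.
bridge_ifcfg
base_rules
nat_rules 10.0.0.22 51000 51001
```

Each additional guest gets one more nat_rules call with its own pair of high ports; the FORWARD policy of DROP means a guest is reachable from outside only on the two ports you deliberately mapped, which matters when the firewall lives on the same host as the guests.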