QEMU/KVM网络模式(二)——NAT

在QEMU/KVM中，默认使用IP伪装的方式去实现NAT，而不是用SNAT或DNAT的方式。

1、安装软件包

# yum -y install bridge-utils iptables dnsmasq
# rpm -qa | egrep "bridge-utils|iptables|dnsmasq

2、创建qemu-ifup-nat脚本，主要功能是：建立bridge,设置brdige的内网IP,并且将客户机的网络接口与其绑定，然后打开系统中网络IP包转发的功能，设置iptables的NAT规则，最后启动dnsmasq作为一个简单的DHCP服务器。

#!/bin/bash
# qemu-ifup-nat script for QEMU/KVM with NAT netowrk mode

# set your bridge name
BRIDGE=virbr0
# Network information
NETWORK=192.168.122.0
NETMASK=255.255.255.0
# GATEWAY for internal guests is the bridge in host
GATEWAY=192.168.122.1
DHCPRANGE=192.168.122.2,192.168.122.254

# Optionally parameters to enable PXE support
TFTPROOT=
BOOTP=

function check_bridge() 
{
    if brctl show | grep "^$BRIDGE" &> /dev/null; then
        return 1
    else
        return 0
    fi
}

function create_bridge() 
{
        brctl addbr "$BRIDGE"
        brctl stp "$BRIDGE" on
        brctl setfd "$BRIDGE" 0
        ifconfig "$BRIDGE" "$GATEWAY" netmask "$NETMASK" up
}

function enable_ip_forward() 
{
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

function add_filter_rules() 
{
    iptables -t nat -A POSTROUTING -s "$NETWORK"/"$NETMASK" \
        ! -d "$NETWORK"/"$NETMASK" -j MASQUERADE
}

function start_dnsmasq() 
{
    # don't run dnsmasq repeatedly
    ps -ef | grep "dnsmasq" | grep -v "grep" &> /dev/null
    if [ $? -eq 0 ]; then
        echo "Warning:dnsmasq is already running. No need to run it again."
        return 1
    fi

    dnsmasq \
        --strict-order \
        --except-interface=lo \
        --interface=$BRIDGE \
        --listen-address=$GATEWAY \
        --bind-interfaces \
        --dhcp-range=$DHCPRANGE \
        --conf-file="" \
        --pid-file=/var/run/qemu-dnsmasq-$BRIDGE.pid \
        --dhcp-leasefile=/var/run/qemu-dnsmasq-$BRIDGE.leases \
        --dhcp-no-override \
        ${TFTPROOT:+"--enable-tftp"} \
        ${TFTPROOT:+"--tftp-root=$TFTPROOT"} \
        ${BOOTP:+"--dhcp-boot=$BOOTP"}
}

function setup_bridge_nat()
{
    check_bridge "$BRIDGE"
    if [ $? -eq 0 ]; then
        create_bridge
    fi
    enable_ip_forward
    add_filter_rules "$BRIDGE"
    start_dnsmasq "$BRIDGE"
}

# need to check $1 arg before setup
if [ -n "$1" ]; then
    setup_bridge_nat
    ifconfig "$1" 0.0.0.0 up
    brctl addif "$BRIDGE" "$1"
    exit 0
else
    echo "Error: no interface specified."
    exit 1
fi

3、创建qemu-ifdown-nat脚本，关闭客户机时调用该脚本，主要完成解除bridge绑定，删除bridge和清空iptables的NAT规则。

#!/bin/bash
# qemu-ifdown-nat script for QEMU/KVM with NAT network mode

# set your bridge name
BRIDGE="virbr0"

if [ -n "$1" ]; then
    echo "Tearing down network bridge for $1" > /tmp/temp-nat.log
    ip link set $1 down
    brctl delif "$BRIDGE" $1
    ip link set "$BRIDGE" down
    brctl delbr "$BRIDGE"
    iptables -t nat -F
    exit 0
else
    echo "Error: no interface specified"  > /tmp/temp-nat.log
    exit 1
fi

4、启动虚拟机

# qemu-kvm /root/centos6.img \
    -m 1024 \
    -smp 2 \
    -net nic \
    -net tap,script=/etc/qemu-ifup-nat,downscript=/etc/qemu-ifdown-nat

5、查看iptables和绑定情况

# brctl show

# iptables -t nat -vnL

注意区别这两个bridger的不同：

br0是前面提到的网桥模式使用的，它与一个物理上网络接口eth0绑定；

而virbr0是NAT方式的brdige,它没有绑定任何物理网络接口，只是绑定了tap0这个客户机使用的虚拟网络接口。

添加iptables规则进行端口映射，让外网主机也能访问客户机

# iptables -t nat -A PREROUTING -p tcp -d 192.168.100.10 --dport 80 -j DNAT --to 192.168.122.28:80

QEMU/KVM网络模式(二)——NAT

猜你喜欢