
I am trying to set up a private network for VMs as proposed in the libvirt networking handbook, but the VMs are not able to connect to the internet or resolve domain names.

Following the handbook linked above, I have set up on the host a so-called "Custom NAT-based network":

  • Disabled libvirt's default network;
  • Created a dummy interface (named virbr10-dummy);
  • Created a virtual bridge (named virbr10 with the subnet 10.10.0.0/24);
  • Implemented NAT with iptables (please see full iptables rules file below);
  • Configured a system-wide instance of dnsmasq that ignores the virtual bridge;
  • Added a dnsmasq@virbr10 systemd script that gets called by NetworkManager's dispatcher script when the bridge is up.

The host can ping the guest and vice versa. The host is part of a network with internet access (IP 192.168.0.15) and is configured as the gateway for the VMs' private LAN (IP 10.10.0.1). A guest with the IP 10.10.0.10 can neither resolve internet addresses (e.g. google.com) nor ping IPs on the internet directly (e.g. 216.58.222.46 for google.com).


Host

File /var/lib/dnsmasq/virbr10/dnsmasq.conf:

except-interface=lo
interface=virbr10
bind-dynamic
dhcp-range=10.10.0.2,10.10.0.254
dhcp-lease-max=1000
dhcp-leasefile=/var/lib/dnsmasq/virbr10/leases
dhcp-hostsfile=/var/lib/dnsmasq/virbr10/hostsfile
dhcp-no-override
strict-order

Results from systemctl status dnsmasq@virbr10.service:

● dnsmasq@virbr10.service - DHCP and DNS caching server for virbr10.
   Loaded: loaded (/etc/systemd/system/dnsmasq@.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2017-06-07 09:43:39 -03; 8h ago
 Main PID: 1209 (dnsmasq)
   CGroup: /system.slice/system-dnsmasq.slice/dnsmasq@virbr10.service
           └─1209 /usr/sbin/dnsmasq -k --conf-file=/var/lib/dnsmasq/virbr10/dnsmasq.conf

File /etc/sysconfig/iptables:

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o virbr10 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.0.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 10.10.0.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 10.10.0.0/24 ! -d 10.10.0.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.10.0.0/24 ! -d 10.10.0.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.10.0.0/24 ! -d 10.10.0.0/24 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --syn -m conntrack --ctstate NEW --dport 22 -j ACCEPT
-A INPUT -i virbr10 -p udp -m udp -m multiport --dports 53,67 -j ACCEPT
-A INPUT -i virbr10 -p tcp -m tcp -m multiport --dports 53,67 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.10.0.0/24 -o virbr10 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.0.0/24 -i virbr10 -j ACCEPT
-A FORWARD -i virbr10 -o virbr10 -j ACCEPT
-A FORWARD -i virbr10 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o virbr10 -j REJECT --reject-with icmp-port-unreachable
COMMIT

Guest

File /etc/resolv.conf:

# Generated by NetworkManager
nameserver 10.10.0.1

Rodriguez

1 Answer


iptables was dead and thus rules were not being executed:

$ systemctl restart iptables

This solved the problem.

Rodriguez
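A way to catch the state the answer describes without a guest round-trip, as an added example that is not code from the question or the answer: a POSIX shell audit that reads an iptables-save dump and reports which of the rules a NAT-based bridge needs (MASQUERADE for the subnet, the two FORWARD accepts, the INPUT accept for dnsmasq) are missing. Both sample rulesets are constructed here: one mirrors the rules posted in the question (abridged), the other is what iptables-save prints on a host whose iptables service never loaded them. The net.ipv4.ip_forward check and the opt-in live mode (hypothetical AUDIT_LIVE variable) are additions the thread does not mention.

```shell
#!/bin/sh
# Added example, not code from the question or answer above.
# Audits an iptables-save dump for the rules a NAT-based bridge such as
# virbr10 needs before guests get internet access. Against the live kernel
# it shows at once when no rules are loaded at all (the "iptables was dead"
# state from the answer). Assumptions not in the thread: the dump is read
# from a file, the ip_forward check is an addition, AUDIT_LIVE is hypothetical.

BRIDGE="${BRIDGE:-virbr10}"
SUBNET="${SUBNET:-10.10.0.0/24}"

# rule_present DUMPFILE TABLE REGEX
# True when REGEX matches a rule line inside TABLE's section of the dump
# (a section runs from "*table" to the next "COMMIT"). Dots in SUBNET are
# left unescaped and so match any character; acceptable for an audit.
rule_present() {
    awk -v tbl="*$2" -v pat="$3" '
        $0 == tbl          { in_tbl = 1; next }
        $0 == "COMMIT"     { in_tbl = 0 }
        in_tbl && $0 ~ pat { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# audit_ruleset DUMPFILE IP_FORWARD_VALUE
# Prints one MISSING line per unmet requirement and returns their count,
# so a return value of 0 means the guest forwarding path is complete.
audit_ruleset() {
    dump=$1; missing=0
    check() {   # check TABLE REGEX DESCRIPTION
        rule_present "$dump" "$1" "$2" || { echo "MISSING: $3"; missing=$((missing + 1)); }
    }
    [ "$2" = "1" ] || { echo "MISSING: net.ipv4.ip_forward=1 (got '$2')"; missing=1; }
    check nat    "^-A POSTROUTING .*-s $SUBNET .*-j MASQUERADE" \
                 "nat POSTROUTING MASQUERADE for $SUBNET"
    check filter "^-A FORWARD .*-s $SUBNET -i $BRIDGE -j ACCEPT" \
                 "filter FORWARD accept for guest traffic leaving $BRIDGE"
    check filter "^-A FORWARD .*-d $SUBNET -o $BRIDGE .*RELATED,ESTABLISHED -j ACCEPT" \
                 "filter FORWARD accept for replies back into $BRIDGE"
    check filter "^-A INPUT -i $BRIDGE -p udp .*--dports 53,67 -j ACCEPT" \
                 "filter INPUT accept for DNS/DHCP from guests to dnsmasq"
    return $missing
}

# Constructed sample: the nat and filter tables from the question (abridged),
# as iptables-save prints them once the service has loaded them.
loaded_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.0.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 10.10.0.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 10.10.0.0/24 ! -d 10.10.0.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i virbr10 -p udp -m udp -m multiport --dports 53,67 -j ACCEPT
-A INPUT -i virbr10 -p tcp -m tcp -m multiport --dports 53,67 -j ACCEPT
-A FORWARD -d 10.10.0.0/24 -o virbr10 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.0.0/24 -i virbr10 -j ACCEPT
-A FORWARD -i virbr10 -o virbr10 -j ACCEPT
-A FORWARD -i virbr10 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o virbr10 -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Constructed sample: a host whose iptables service is inactive, so nothing
# was restored and only the empty default filter table exists.
unloaded_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Live mode (needs root): audit the running kernel instead of a sample.
live_audit() {
    systemctl is-active --quiet iptables || echo "WARN: iptables.service is not active"
    tmp=$(mktemp)
    iptables-save > "$tmp"
    audit_ruleset "$tmp" "$(cat /proc/sys/net/ipv4/ip_forward)"
    rc=$?
    rm -f "$tmp"
    return $rc
}

if [ "${AUDIT_LIVE:-0}" = "1" ]; then
    live_audit
fi
```

Run with `AUDIT_LIVE=1 sudo sh audit.sh` on the host: against the question's setup before the fix it lists every requirement as MISSING and warns that iptables.service is not active; after `systemctl restart iptables` it exits 0. The ip_forward line is there because an empty FORWARD chain with an ACCEPT policy still forwards nothing when the sysctl is 0, a state the rules file alone cannot reveal.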