[[wiki:experiences/igraltist/kvm#Network|Back to igraltist's experiences / KVM]]

====== Network ======

===== What you need =====

Listed here are some points which may be helpful for getting the kvm-qemu network working. In most cases the user runs a host machine that is already connected to the internet, or wishes to be. From this starting point these steps follow:

  - create a bridge for the guest network
  - connect the guest to the bridge when it boots
  - route the bridge on the host machine to the internet network interface

==== 1. Create Bridge ====

Why do you need a bridge to get a simple network working? \\
Read this short description about a [[http://en.wikipedia.org/wiki/Network_bridge#Advantages_of_network_bridges|bridge]].

Now it is time to create a bridge on your host machine. To keep it simple I use a name which you will find in other descriptions too. The bridge name is 'br0'. As root, type in your terminal:

  brctl addbr br0

That's all.

==== 2. Connect guest to bridge ====

These are the start parameters which have to be used on the command line. The network setup for your guest can look similar to this:

  -net nic,vlan=0,macaddr=00:CC:AA:AA:00:00,model=virtio -net tap,vlan=0,ifname=rsbac,script=/etc/kvm/scripts/kvm-ifup

Info: The order of the '-net' sections is free and can be chosen as you like. The 'vlan=' number is QEMU's own numbering of its emulated hubs, not an 802.1Q VLAN tag: a 'nic' and a 'tap' with the same number are connected to each other.

The first '-net' switch, with 'nic' in front, carries the 'macaddr' and then the network adapter 'model'. \\
'macaddr' and 'model' are optional. If nothing is set, your guest gets a MAC address at boot time and uses the default Realtek network adapter 'rtl8139' (the default of older QEMU versions; newer ones default to 'e1000'). Your guest needs a driver for that adapter, or for 'virtio' as in the example above. If you run more than one guest on the bridge, give each one its own 'macaddr'; duplicate MAC addresses on one bridge break the guests' connectivity.

The second '-net' switch, with 'tap' in front, connects your guest to the bridge created before. The argument 'ifname' is optional and sets the name which shows up in:

  brctl show

If it is not set, a name like 'tap0' is used. \\
In the example above the argument 'script' contains the filename of the script which connects the [[http://en.wikipedia.org/wiki/TUN/TAP|'tap']] device to the 'br0' created before. QEMU runs this script with the tap interface name as its first argument and refuses to start the guest if the script exits with a non-zero status.
The content of the script '/etc/kvm/scripts/kvm-ifup'. It looks up the bridge in the environment variable 'bridge_<tap name>', so for the example above you have to export 'bridge_rsbac=br0' before starting kvm:

<code python>
#!/usr/bin/env python
# kvm-ifup: called by qemu as "kvm-ifup <tap interface>".
# The bridge to attach to comes from the environment variable
# bridge_<tap interface>, e.g. bridge_rsbac=br0.
import os
import sys
from subprocess import check_call


def add_iface_to_bridge():
    try:
        iface = sys.argv[1]
        bridge = os.environ["bridge_%s" % iface]
    except (IndexError, KeyError) as e:
        # No interface name or no bridge_<iface> variable: exit non-zero so
        # qemu refuses to start instead of running with an unconnected tap.
        sys.stderr.write("kvm-ifup: missing argument or variable: %s\n" % e)
        sys.exit(1)
    # check_call raises (and the script exits non-zero) if brctl or ip fail
    check_call(["brctl", "addif", bridge, iface])
    check_call(["ip", "link", "set", iface, "up"])


add_iface_to_bridge()
</code>

==== 3. Route Bridge ====

Now the network part on the host machine has to be done. If the guest is up and running, you can check whether the guest's network 'tap' device is connected to the bridge:

<code>
brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.4ecd48a798ca       no              rsbac
</code>

If the command shows something, then 'ifconfig' also shows the newly created network adapter (the 'PROMISC' flag is normal for a bridge port):

<code>
ifconfig rsbac
rsbac     Link encap:Ethernet  HWaddr 4e:cd:48:a7:98:ca
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1725192 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2238846 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:429992873 (410.0 MiB)  TX bytes:2193857946 (2.0 GiB)
</code>

A few lines more and the guest is connected. \\
As root, the following commands have to be entered in your terminal:

  - echo 1 > /proc/sys/net/ipv4/ip_forward
  - ifconfig br0 192.168.100.1 netmask 255.255.255.0 up
  - iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The first point enables [[http://en.wikipedia.org/wiki/Packet_forwarding|packet forwarding]] for the IPv4 protocol. Note that this makes the host forward packets between all of its interfaces, and that the setting is lost on reboot. \\
The second point sets an IP address on the bridge. This IP address has to be used in the guest as the default gateway. \\
The bridge network must be a different subnet from the one your host machine is in. Your host machine may have the IP address '192.168.1.2', its default gateway the IP address '192.168.1.1', and be connected through the interface 'eth0'. \\
And the last point does [[http://en.wikipedia.org/wiki/Network_address_translation|network address translation]], assuming your default network adapter is 'eth0'. As written, the rule masquerades every packet the host forwards out via 'eth0', not only those coming from 'br0'; add '-s 192.168.100.0/24' to limit it to the guest subnet, and remember that with forwarding enabled and no rules in the FORWARD chain the host will forward traffic between any of its interfaces.
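The host side of steps 1 to 3 as one POSIX sh script, added here as an example; it is not part of the original page. It creates the bridge, enables forwarding, and installs NAT and FORWARD rules that apply only to the guest subnet, and it refuses to run when the guest subnet overlaps the host's own LAN. The names and addresses ('br0', 'eth0', 192.168.100.1/24, host 192.168.1.2/24) are the ones assumed in the text; the 'run', 'cidr_network', 'overlaps' and 'host_setup' helpers are mine. With DRY_RUN set it only prints the commands, so it can be reviewed without root.

```sh
#!/bin/sh
# kvm-host-net.sh (added example): host side of sections 1-3 in one script.
# Usage (review):   DRY_RUN=1 sh kvm-host-net.sh br0 192.168.100.1 24 eth0 192.168.1.2/24
# Usage (as root):  sh kvm-host-net.sh br0 192.168.100.1 24 eth0 192.168.1.2/24

# Run a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Dotted quad -> 32-bit integer, using only POSIX shell arithmetic.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_network ADDR PREFIX -> NETWORK/PREFIX (192.168.100.1 24 -> 192.168.100.0/24).
# The iptables rules below match this whole subnet, not just the bridge address.
cidr_network() {
    n=$(ip2int "$1")
    mask=$(( (4294967295 << (32 - $2)) & 4294967295 ))
    printf '%s/%s\n' "$(int2ip $(( n & mask )))" "$2"
}

# overlaps A/P1 B/P2 -> true if the two subnets overlap: the longer prefix,
# masked with the shorter one, must equal the shorter network.
overlaps() {
    if [ "${1#*/}" -le "${2#*/}" ]; then short=$1; long=$2; else short=$2; long=$1; fi
    short=$(cidr_network "${short%/*}" "${short#*/}")
    [ "$(cidr_network "${long%/*}" "${short#*/}")" = "$short" ]
}

# host_setup BRIDGE BRIDGE_ADDR PREFIX WAN_IF WAN_ADDR/PREFIX
host_setup() {
    br=$1; br_addr=$2; prefix=$3; wan=$4; wan_cidr=$5
    guest_net=$(cidr_network "$br_addr" "$prefix")
    lan_net=$(cidr_network "${wan_cidr%/*}" "${wan_cidr#*/}")
    if overlaps "$guest_net" "$lan_net"; then
        echo "guest subnet $guest_net overlaps host LAN $lan_net" >&2
        return 1
    fi
    # 1. the bridge, carrying the address the guests use as default gateway
    run brctl addbr "$br"
    run ip addr add "$br_addr/$prefix" dev "$br"
    run ip link set "$br" up
    # 2. IPv4 forwarding (turns the host into a router for all its interfaces)
    run sysctl -w net.ipv4.ip_forward=1
    # 3. NAT only the guest subnet, and only when it leaves via the WAN interface
    run iptables -t nat -A POSTROUTING -s "$guest_net" -o "$wan" -j MASQUERADE
    # 4. FORWARD policy: guests may go out, only replies may come back in
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$br" -o "$wan" -s "$guest_net" -j ACCEPT
    run iptables -A FORWARD -i "$wan" -o "$br" -d "$guest_net" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

if [ $# -eq 5 ]; then host_setup "$@"; fi
```

'iptables -P FORWARD DROP' sets the policy for all traffic the host forwards, so if the host already routes for other interfaces, keep its existing rules in mind before running this. 'brctl' is the tool used on this page; on systems without bridge-utils, 'ip link add name br0 type bridge' creates the same bridge.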
=== Guest Network ===

On your guest set an IP address in the bridge network (each guest needs its own address in that subnet). \\
For example:

  ifconfig eth0 192.168.100.2 netmask 255.255.255.0 up

and add a default gateway:

  route add default gw 192.168.100.1

The last thing is to set a nameserver. \\
Open an editor in your terminal and add the same nameserver that your host machine uses. \\
When the host machine has the nameserver '192.168.1.1', add this to '/etc/resolv.conf' in your guest too:

  nameserver 192.168.1.1

Now you can try to ping, for example:

  ping rsbac.org

If you get a response, the basic setup is done. \\
Now you have to put all of this into some script for automatic configuration, \\
and see how your distribution sets up bridges and network interfaces in general.

===== Advanced Setup =====

My setup includes two bridges. One for the local guests and one for a DMZ. The DMZ bridge I have added to the system configuration to be built on startup. For the local bridge I use a script, and this renames the local network device eth1 -> reth1, creates a bridge with the name eth1 and adds the interface reth1 to the bridge eth1. \\

  * add these lines to the file '/etc/conf.d/net' (for the DMZ bridge)

<code bash>
config_dmz=( "10.0.0.1 netmask 255.255.255.0 broadcast 10.0.0.255" )
brctl_dmz=( "setfd 0" "sethello 0" "stp off" )
</code>

Change the IP to your IP address. The kvm guests in the DMZ then have, in this example, an IP in the range 10.0.0.2 to 10.0.0.254 (10.0.0.1 is the host's address on the bridge). 'setfd 0' removes the bridge forwarding delay, so a tap device passes traffic as soon as it is added; 'stp off' disables spanning tree, which is not needed on a bridge with only tap ports. \\

Then I have a small script; this idea I found on a website but I don't remember where, so thanks to unknown :). \\
All kvm stuff I have placed in the directory /etc/kvm. \\
So the next script, to create the locally connected bridge, I have in '/etc/kvm/scripts/bridge_starter'. \\
To do this on bootup:

  * add this line to '/etc/conf.d/local.start'

  /etc/kvm/scripts/bridge_starter

This is the script bridge_starter.
<code bash>
#!/bin/bash
### bridge_starter
# Renames the local NIC eth1 -> reth1, creates a bridge named eth1 and
# adds reth1 to it, so the bridge takes over the old interface name and
# the host's address on that network. Run as root. The link is down for
# a moment and eth1's address is flushed first, so do not run this over
# an SSH session that comes in via eth1.
set -e

ip=$(which ip)
ifconfig=$(which ifconfig)
brctl=$(which brctl)

dev=eth1
dev_old=reth1
ip_dev='ip_address_from_the_local_net_device' # e.g. 192.168.0.1

$ip addr flush dev "$dev"
$ip link set "$dev" down
$ip link set "$dev" name "$dev_old"
$ip link set "$dev_old" up
$brctl addbr "$dev"
$brctl addif "$dev" "$dev_old"
$ip link set "$dev" up
# no netmask given: ifconfig uses the classful default (/24 for 192.168.x.x)
$ifconfig "$dev" "$ip_dev" up
</code>

\\
**For the firewall I use [[http://shorewall.net|shorewall]] and I have done NAT for both bridges.**