抽空学学KVM(八):虚拟机的网络---NAT模式

之前创建网络的过程中,采用的网络类型为default,即NAT模式,但是在实际生产中,一台宿主机上远不止一台虚拟机,如果虚机都用相同的IP地址提供服务,则对于网络监管控制来说是非常不合理的。而且虚机通常代表不同的业务,但在NAT模式下,如果想被访问,需要通过端口映射来实现 ,增加了运维难度,今天就学习一下KVM中的虚机网络。

[root@KVM03-10 ~]# virt-install --virt-type kvm --os-type rhel7 --name centos7 --memory 1024 --vcpu 1 --disk /opt/centos2.raw,format=raw,size=10 --cdrom /opt/CentOS-7.3-x86_64-DVD-1611.iso --network network=default --graphics vnc,listen=0.0.0.0 --noautoconsole

其实,对于虚机网络的学习可以参照vmware workstation的网络对比学习,也可以看看这个博客,https://blog.csdn.net/dif90304/article/details/101758657?utm_medium=distribute.pc_relevant.none-task-blog-BlogCommendFromMachineLearnPai2-1.pc_relevant_is_cache&depth_1-utm_source=distribute.pc_relevant.none-task-blog-BlogCommendFromMachineLearnPai2-1.pc_relevant_is_cache

复制代码
[root@KVM03-10 ~]# ifconfig
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.15  netmask 255.255.255.0  broadcast 10.0.0.255          #宿主机对外的IP地址
        inet6 fe80::20c:29ff:fe87:38bc  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:87:38:bc  txqueuelen 1000  (Ethernet)
        RX packets 135  bytes 16015 (15.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 141  bytes 23156 (22.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255       #虚机网关地址,也是通过virbr0对连接的
        ether 52:54:00:87:f8:b7  txqueuelen 1000  (Ethernet)
        RX packets 42  bytes 3420 (3.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 30  bytes 3819 (3.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
复制代码
复制代码
[root@localhost ~]# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000     #虚机IP地址
    link/ether 52:54:00:db:81:f8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.63/24 brd 192.168.122.255 scope global dynamic eth0
       valid_lft 3446sec preferred_lft 3446sec
    inet6 fe80::8f21:2559:c0e5:2b4c/64 scope link
       valid_lft forever preferred_lft forever
[root@localhost ~]#
复制代码

一、NAT是如何实现的??

在虚机上ping www.baidu.com 分别在宿主机的birbr0网卡和ens32网卡上抓包对比

[root@KVM03-10 ~]# tcpdump -i virbr0 icmp -nnvvv
tcpdump: listening on virbr0, link-type EN10MB (Ethernet), capture size 262144 bytes                    #通过监听virbr0发现,有对应的ICMP请求报文
22:54:19.520912 IP (tos 0x0, ttl 64, id 8412, offset 0, flags [DF], proto ICMP (1), length 84)      #源地址为虚机真实IP地址192.168.122.63,目的为百度地址
    192.168.122.63 > 39.156.66.14: ICMP echo request, id 842, seq 18, length 64
22:54:19.600876 IP (tos 0x0, ttl 127, id 65337, offset 0, flags [none], proto ICMP (1), length 84)
    39.156.66.14 > 192.168.122.63: ICMP echo reply, id 842, seq 18, length 64
[root@KVM03-10 ~]# tcpdump -i ens32 icmp -nnvvv
tcpdump: listening on ens32, link-type EN10MB (Ethernet), capture size 262144 bytes              #监听宿主机的网卡
22:56:38.935585 IP (tos 0x0, ttl 63, id 10640, offset 0, flags [DF], proto ICMP (1), length 84)        #ICMP的源地址为10.0.0.15,说明ICMP请求报文在virbr0上进行了NAT转化
    10.0.0.15 > 39.156.66.14: ICMP echo request, id 842, seq 157, length 64
22:56:38.976407 IP (tos 0x0, ttl 128, id 65485, offset 0, flags [none], proto ICMP (1), length 84)
    39.156.66.14 > 10.0.0.15: ICMP echo reply, id 842, seq 157, length 64

查看宿主机的IPtables发现,只要是源地址为192.168.122.0/24网段,地址非该网段的任何协议报文,都将被隐藏,即会进行NAT;MASQUERADE:伪装。这里有插入一个博客https://blog.csdn.net/jk110333/article/details/8229828

复制代码
[root@KVM03-10 ~]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
RETURN     all  --  192.168.122.0/24     224.0.0.0/24
RETURN     all  --  192.168.122.0/24     255.255.255.255
MASQUERADE  tcp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  udp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24
[root@KVM03-10 ~]#
复制代码

这个功能是内核实现,实际下发该配置的为libvirt,如果通过命令强制删除规则,[root@KVM03-10 ~]# iptables -t nat -F,虚机的网络将受到影响,无法上线,但是可以通过重启libvirt服务恢复,也可以通过手痛添加对应规则实现。

iptables-t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j SNAT

除了IPtable的帮助外,还有内核参数的参与

复制代码
[root@KVM03-10 ~]# sysctl -a |  grep ipv4 | grep forward
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.ens32.forwarding = 1
net.ipv4.conf.ens32.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.virbr0.forwarding = 1
net.ipv4.conf.virbr0.mc_forwarding = 0
net.ipv4.conf.virbr0-nic.forwarding = 1
net.ipv4.conf.virbr0-nic.mc_forwarding = 0
net.ipv4.conf.vnet0.forwarding = 1
net.ipv4.conf.vnet0.mc_forwarding = 0
net.ipv4.ip_forward = 1        #“1”代表开启了内核转发参数,如果将其修改为0,虚机的网络同样受影响
net.ipv4.ip_forward_use_pmtu = 0
[root@KVM03-10 ~]
[root@KVM03-10 ~]# sysctl net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
复制代码

 

 应该还是由KVM的一些服务搞出来的,太难的就搞不懂了,以后慢慢学

 

posted @   woshinidaye  阅读(431)  评论(0编辑  收藏  举报
编辑推荐:
· Linux系列:如何用heaptrack跟踪.NET程序的非托管内存泄露
· 开发者必知的日志记录最佳实践
· SQL Server 2025 AI相关能力初探
· Linux系列:如何用 C#调用 C方法造成内存泄露
· AI与.NET技术实操系列(二):开始使用ML.NET
阅读排行:
· 无需6万激活码!GitHub神秘组织3小时极速复刻Manus,手把手教你使用OpenManus搭建本
· C#/.NET/.NET Core优秀项目和框架2025年2月简报
· Manus爆火,是硬核还是营销?
· 终于写完轮子一部分:tcp代理 了,记录一下
· Qt个人项目总结 —— MySQL数据库查询与断言
点击右上角即可分享
微信分享提示