
Learning KVM in Spare Time (8): Virtual Machine Networking --- NAT Mode

When the VM was created earlier, the network type used was default, which is NAT mode. In real production, however, a host runs far more than one VM. If every VM shows up on the outside with the same IP address (the host's), that is a poor fit for network monitoring and access control. The VMs usually belong to different services as well, and in NAT mode a service that has to be reachable from outside must be exposed through port mapping, which adds operational burden. So today we look at VM networking in KVM.

The command used earlier; it is the --network network=default part that attaches the VM to the NAT network:

[root@KVM03-10 ~]# virt-install --virt-type kvm --os-type rhel7 --name centos7 --memory 1024 --vcpu 1 \
    --disk /opt/centos2.raw,format=raw,size=10 --cdrom /opt/CentOS-7.3-x86_64-DVD-1611.iso \
    --network network=default --graphics vnc,listen=0.0.0.0 --noautoconsole

VM networking is easiest to learn by comparing it with the network modes of VMware Workstation; this blog post is also worth a look: https://blog.csdn.net/dif90304/article/details/101758657?utm_medium=distribute.pc_relevant.none-task-blog-BlogCommendFromMachineLearnPai2-1.pc_relevant_is_cache&depth_1-utm_source=distribute.pc_relevant.none-task-blog-BlogCommendFromMachineLearnPai2-1.pc_relevant_is_cache

On the host, ifconfig shows the two interfaces that matter here: ens32, the uplink, and virbr0, the bridge libvirt created for the default network:

[root@KVM03-10 ~]# ifconfig
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.15  netmask 255.255.255.0  broadcast 10.0.0.255          # the host's outward-facing IP address
        inet6 fe80::20c:29ff:fe87:38bc  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:87:38:bc  txqueuelen 1000  (Ethernet)
        RX packets 135  bytes 16015 (15.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 141  bytes 23156 (22.6 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

virbr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255          # the VMs' gateway address; the VMs attach to the host through virbr0
        ether 52:54:00:87:f8:b7  txqueuelen 1000  (Ethernet)
        RX packets 42  bytes 3420 (3.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 30  bytes 3819 (3.7 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
Inside the guest (note the different prompt), eth0 received a 192.168.122.0/24 address from the default network's DHCP, which is what the "dynamic" flag on the address means:

[root@localhost ~]# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000     # the VM's interface; its IP address is on the inet line below
    link/ether 52:54:00:db:81:f8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.63/24 brd 192.168.122.255 scope global dynamic eth0
       valid_lft 3446sec preferred_lft 3446sec
    inet6 fe80::8f21:2559:c0e5:2b4c/64 scope link
       valid_lft forever preferred_lft forever
[root@localhost ~]#

1. How is NAT implemented?

Ping www.baidu.com from inside the VM and capture on the host's virbr0 and ens32 interfaces, then compare the two captures:

[root@KVM03-10 ~]# tcpdump -i virbr0 icmp -nnvvv
tcpdump: listening on virbr0, link-type EN10MB (Ethernet), capture size 262144 bytes                    # on virbr0 the echo requests appear exactly as the guest sent them
22:54:19.520912 IP (tos 0x0, ttl 64, id 8412, offset 0, flags [DF], proto ICMP (1), length 84)      # source is the VM's real address 192.168.122.63, destination is Baidu's address
    192.168.122.63 > 39.156.66.14: ICMP echo request, id 842, seq 18, length 64
22:54:19.600876 IP (tos 0x0, ttl 127, id 65337, offset 0, flags [none], proto ICMP (1), length 84)
    39.156.66.14 > 192.168.122.63: ICMP echo reply, id 842, seq 18, length 64
[root@KVM03-10 ~]# tcpdump -i ens32 icmp -nnvvv
tcpdump: listening on ens32, link-type EN10MB (Ethernet), capture size 262144 bytes              # on the host's uplink
22:56:38.935585 IP (tos 0x0, ttl 63, id 10640, offset 0, flags [DF], proto ICMP (1), length 84)        # the source is now 10.0.0.15: the host source-NATed the request before it left ens32; the TTL also dropped from 64 to 63 because the host routed it
    10.0.0.15 > 39.156.66.14: ICMP echo request, id 842, seq 157, length 64
22:56:38.976407 IP (tos 0x0, ttl 128, id 65485, offset 0, flags [none], proto ICMP (1), length 84)        # the reply arrives for 10.0.0.15 (ttl 128) and is rewritten back to 192.168.122.63 (ttl 127 on virbr0) on its way to the guest
    39.156.66.14 > 10.0.0.15: ICMP echo reply, id 842, seq 157, length 64

The ICMP id (842) is unchanged on both sides; conntrack uses it, the way it uses the source port for TCP and UDP, to map the reply back to the right guest.
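To make the comparison above mechanical rather than by eye, here is an added example (not from the original post) that reduces two tcpdump -nnvvv captures to one record per echo packet, joins them on the ICMP (id, seq) pair and prints what the host changed in between: the translated address and the decremented TTL. The two capture snippets are constructed from the lines above, with the same seq on both sides so that the records match; on a real host you would feed it the output of two concurrent tcpdump runs.

```shell
#!/bin/sh
# Added example, not part of the original post: correlate the echo seen on the
# guest-facing bridge (virbr0) with the same echo seen on the uplink (ens32),
# keyed on the ICMP (id, seq) pair. MASQUERADE keeps the id unless it has to pick
# a new one to avoid a clash, so the pair identifies the packet on both sides.
# Both captures are constructed from the tcpdump -nnvvv output above, trimmed to
# the same seq so that request and reply line up on both interfaces.

INNER_CAPTURE='22:54:19.520912 IP (tos 0x0, ttl 64, id 8412, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.122.63 > 39.156.66.14: ICMP echo request, id 842, seq 18, length 64
22:54:19.600876 IP (tos 0x0, ttl 127, id 65337, offset 0, flags [none], proto ICMP (1), length 84)
    39.156.66.14 > 192.168.122.63: ICMP echo reply, id 842, seq 18, length 64'

OUTER_CAPTURE='22:54:19.521002 IP (tos 0x0, ttl 63, id 8412, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.0.15 > 39.156.66.14: ICMP echo request, id 842, seq 18, length 64
22:54:19.600791 IP (tos 0x0, ttl 128, id 65337, offset 0, flags [none], proto ICMP (1), length 84)
    39.156.66.14 > 10.0.0.15: ICMP echo reply, id 842, seq 18, length 64'

# Reduce tcpdump -v output on stdin to one record per echo packet:
#   <ttl> <src> <dst> <request|reply> <icmp id> <seq>
# tcpdump prints the IP header (with the TTL) on one line and the ICMP summary on
# the next, so the TTL is remembered until the ICMP line arrives.
parse_icmp() {
    awk '
        / ttl [0-9]+,/ { ttl = $0; sub(/.* ttl /, "", ttl); sub(/,.*/, "", ttl); next }
        /ICMP echo/    { gsub(/,/, ""); sub(/:$/, "", $3); print ttl, $1, $3, $6, $8, $10 }
    '
}

# Join the inner ($1) and outer ($2) captures on (type, id, seq) and print the
# address that was rewritten and the TTL before and after the host forwarded it.
nat_map() {
    {
        printf '%s\n' "$1" | parse_icmp | sed 's/^/inner /'
        printf '%s\n' "$2" | parse_icmp | sed 's/^/outer /'
    } | awk '
        $1 == "inner" { k = $5 "/" $6 "/" $7; src[k] = $3; dst[k] = $4; ttl[k] = $2; next }
        $1 == "outer" && ($5 "/" $6 "/" $7) in src {
            k = $5 "/" $6 "/" $7
            if ($5 == "request") {
                # guest -> uplink: source address rewritten, TTL decremented by the host
                printf "request id=%s seq=%s: %s -> %s (ttl %s -> %s)\n", $6, $7, src[k], $3, ttl[k], $2
            } else {
                # uplink -> guest: destination rewritten back, TTL decremented again
                printf "reply id=%s seq=%s: %s -> %s (ttl %s -> %s)\n", $6, $7, $4, dst[k], $2, ttl[k]
            }
        }
    '
}

nat_map "$INNER_CAPTURE" "$OUTER_CAPTURE"
```

Run against live captures, a request whose id changes between the two interfaces (conntrack had to rewrite it because another guest was already using that id) will simply not be joined; that is worth knowing when several VMs ping the same target at once.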

The host's iptables nat table shows why. Any packet whose source is in 192.168.122.0/24 and whose destination is outside that subnet (apart from the multicast and broadcast ranges that the two RETURN rules exempt) hits a MASQUERADE rule, which rewrites the source to the address of the outgoing interface; for TCP and UDP the translated source port is chosen from 1024-65535 ("masq ports"), and the last rule catches everything else, ICMP included. MASQUERADE means just that: masquerade. See also this post: https://blog.csdn.net/jk110333/article/details/8229828

[root@KVM03-10 ~]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
RETURN     all  --  192.168.122.0/24     224.0.0.0/24
RETURN     all  --  192.168.122.0/24     255.255.255.255
MASQUERADE  tcp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  udp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24
[root@KVM03-10 ~]#

The translation itself is done by the kernel (netfilter); what installs the rules is libvirt, when it starts the network. If you flush them by hand with iptables -t nat -F (note that -F empties every chain of the nat table, not only libvirt's rules), the VMs on the default network lose access to anything beyond the host. Restarting the libvirtd service puts the rules back, or you can add an equivalent rule yourself, for example:

# Adapted to this host (the original line used 10.8.0.0/24 and eth0 from another write-up): SNAT to a fixed address instead of MASQUERADE, for traffic from the VM subnet leaving ens32
iptables -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -o ens32 -j SNAT --to-source 10.0.0.15

Besides the iptables rules, a kernel parameter is involved too: IP forwarding has to be enabled, otherwise the host never routes packets between virbr0 and ens32 in the first place.

[root@KVM03-10 ~]# sysctl -a |  grep ipv4 | grep forward
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.ens32.forwarding = 1
net.ipv4.conf.ens32.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.virbr0.forwarding = 1
net.ipv4.conf.virbr0.mc_forwarding = 0
net.ipv4.conf.virbr0-nic.forwarding = 1
net.ipv4.conf.virbr0-nic.mc_forwarding = 0
net.ipv4.conf.vnet0.forwarding = 1
net.ipv4.conf.vnet0.mc_forwarding = 0
net.ipv4.ip_forward = 1        # "1" means kernel forwarding is on; set it to 0 and VM networking breaks just the same
net.ipv4.ip_forward_use_pmtu = 0
[root@KVM03-10 ~]#
[root@KVM03-10 ~]# sysctl net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1

Setting it with sysctl like this is not persistent. libvirt turns forwarding on again when it starts a NAT network, but to keep it on across reboots independently of libvirt, put net.ipv4.ip_forward = 1 in /etc/sysctl.conf or in a file under /etc/sysctl.d/.
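The two things that break VM networking in this section, a flushed nat table and forwarding switched off, can be checked and repaired together. The following added example (not from the original post) audits both and prints the commands that rebuild exactly the POSTROUTING rules listed above, in libvirt's order. The sysctl value and the iptables -nL -t nat listing are passed in as text so it runs offline; the two listings embedded below are constructed from the host's output above and from what the same chain looks like after iptables -t nat -F. The subnet 192.168.122.0/24 is this host's default network; anything else is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the two prerequisites of
# libvirt's NAT network (IP forwarding and the POSTROUTING MASQUERADE rule) and
# print the commands that restore them after `iptables -t nat -F`. Inputs are
# passed in as text so the checks run offline. The listings are constructed from
# the host output above; 192.168.122.0/24 is that host's default network.

LISTING_OK='Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
RETURN     all  --  192.168.122.0/24     224.0.0.0/24
RETURN     all  --  192.168.122.0/24     255.255.255.255
MASQUERADE  tcp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  udp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24'

# The same chain after `iptables -t nat -F`: only the header survives.
LISTING_FLUSHED='Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination'

# 0 if the listing ($2) has a MASQUERADE rule whose source column is subnet $1
# and whose destination column is "!subnet", the columns libvirt's rules show.
has_masquerade_rule() {
    printf '%s\n' "$2" | awk -v s="$1" '
        $1 == "MASQUERADE" && $4 == s && $5 == ("!" s) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Report each missing prerequisite; return 0 only when both are in place.
# $1: value of net.ipv4.ip_forward, $2: nat table listing, $3: guest subnet
nat_status() {
    ok=0
    if [ "$1" != "1" ]; then
        echo "net.ipv4.ip_forward is $1: the host will not route between virbr0 and the uplink"
        ok=1
    fi
    if ! has_masquerade_rule "$3" "$2"; then
        echo "no MASQUERADE rule for $3 in the nat table"
        ok=1
    fi
    if [ "$ok" -eq 0 ]; then
        echo "NAT prerequisites in place for $3"
    fi
    return "$ok"
}

# Emit the commands that rebuild what the flush removed, in libvirt's order:
# RETURN first so multicast and broadcast from the guests are never masqueraded,
# then MASQUERADE with the 1024-65535 port range for TCP and UDP and a catch-all
# for everything else (ICMP included). $1: guest subnet, $2: current ip_forward.
restore_commands() {
    subnet=$1
    [ "$2" = "1" ] || echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -A POSTROUTING -s $subnet -d 224.0.0.0/24 -j RETURN"
    echo "iptables -t nat -A POSTROUTING -s $subnet -d 255.255.255.255/32 -j RETURN"
    echo "iptables -t nat -A POSTROUTING -s $subnet ! -d $subnet -p tcp -j MASQUERADE --to-ports 1024-65535"
    echo "iptables -t nat -A POSTROUTING -s $subnet ! -d $subnet -p udp -j MASQUERADE --to-ports 1024-65535"
    echo "iptables -t nat -A POSTROUTING -s $subnet ! -d $subnet -j MASQUERADE"
}

# Offline demonstration: a healthy host, then one whose nat table was flushed
# and whose forwarding was switched off.
nat_status 1 "$LISTING_OK" 192.168.122.0/24
nat_status 0 "$LISTING_FLUSHED" 192.168.122.0/24 || restore_commands 192.168.122.0/24 0
```

On a live host the same functions take real input, for example nat_status "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables -nL -t nat)" 192.168.122.0/24, and restore_commands ... | sh applies the repair. Restarting libvirtd, as the text says, or bouncing just the network with virsh net-destroy default followed by virsh net-start default, achieves the same thing and is the cleaner choice; the hand-written rules are mainly useful for understanding exactly what libvirt put there.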

This is presumably set up by some KVM service; the harder parts I can't work out yet, and I'll learn them bit by bit later.