Friday, March 30, 2012

KVM + network bridging

Recently I discovered the joy of having a CPU with VT extensions and using KVM through libvirt. One of the not-so-joyful things is that libvirt does not support creating a bridged environment for you (as VMware/VirtualBox do). After migrating my Windows VirtualBox VM to KVM I started hating NAT networking (my KVM host is behind an iptables gateway, so I had to choose between two iptables on my network or tunneling via SSH; of course I chose the latter).

So after some digging I finally configured my KVM environment using network bridging. Here are the simple steps.

NOTE: libvirt creates a virbr0 bridge for you, under which all vnet* interfaces will reside when using NAT. Under no circumstances should you add eth0 to this bridge. Doing so will leave you with no network connection.

  1. Create a new bridge:
    # brctl addbr br0
  2. Add your physical interface to the bridge (eth0 in this example):
    # brctl addif br0 eth0
  3. Create initscript:
    # ln -s /etc/init.d/net.lo /etc/init.d/net.br0
  4. Modify /etc/conf.d/net accordingly (sample extract below):
  5. Update the runlevels:
    # rc-update del eth0 [runlevel]
    # rc-update add br0 boot
  6. Either reboot or:
    # /etc/init.d/net.eth0 stop
    # /etc/init.d/net.br0 start
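
An added example of such a /etc/conf.d/net fragment for OpenRC/netifrc (my own illustration, not the author's configuration): it hands eth0 to br0 and adds a preup() hook that refuses to start br0 while eth0 is still a port of libvirt's virbr0, the situation the note above warns about. The SYSFS_NET variable and the iface_in_bridge helper are assumptions introduced so the check can be exercised against a fake sysfs tree.

```shell
# /etc/conf.d/net extract (added example, not the post's own config)
config_eth0="null"             # eth0 gets no address of its own; the bridge does
bridge_br0="eth0"              # net.br0 creates br0 and enslaves eth0 on start
config_br0="dhcp"              # or a static address, e.g. "192.0.2.10/24"
brctl_br0="setfd 0 stp off"    # bridge options netifrc passes to brctl

# Root of the sysfs network tree; overridable so the check below can be run
# against a fake tree (assumption for testing, not a netifrc variable).
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# OpenRC provides eerror when this file is sourced by net.*; define a
# fallback so the hook also works when sourced from a plain shell.
command -v eerror >/dev/null 2>&1 || eerror() { printf '%s\n' "$*" >&2; }

# iface_in_bridge BRIDGE IFACE: succeed (0) if IFACE is currently a port of
# BRIDGE. The kernel lists a bridge's ports under .../BRIDGE/brif/.
iface_in_bridge() {
    [ -e "$SYSFS_NET/$1/brif/$2" ]
}

# netifrc calls preup() with IFACE set before bringing an interface up; a
# non-zero return aborts the start. Refuse to start br0 while eth0 is still
# a port of virbr0, so the misconfiguration cannot silently take the host
# off the network.
preup() {
    if [ "${IFACE}" = "br0" ] && iface_in_bridge virbr0 eth0; then
        eerror "eth0 is still a port of virbr0; remove it first (brctl delif virbr0 eth0)"
        return 1
    fi
    return 0
}
```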

You could run the two commands of step 6 chained together inside a screen session: stopping net.eth0 drops your remote session, but the chained command still starts net.br0, so if everything works correctly your network comes back up normally.

As a last step, inside your KVM VMs, go to networking and choose "Specify shared device name" under "Source device" and enter "br0" in the text box.

It may take your VMs a couple of reboots to come up with the new IP (you will know the VM loaded fine when the IP of its network card is in your network's range rather than in the NAT range).

Thursday, March 8, 2012

Using vpnc with iptables

Another quick one after all this time.

If you use a VPN like vpnc (Cisco VPN) and also iptables on a gateway server, and you are having trouble and/or would like to make the VPN available to your private network, don't forget to include this in your iptables script:

(replace "tun0" with however your tunnel device is named)

# Let forwarded traffic leave through the tunnel and come back from it.
# The -i rule accepts everything arriving from the VPN side; tighten it with
# "-m state --state ESTABLISHED,RELATED" if that side should not open connections.
iptables -A FORWARD -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
# Rewrite private LAN source addresses to the tunnel address so the VPN side can route replies
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE