Using NAT to get qemu online
Date: 2007-02-22  Source: mishuang
In the previous articles I explained how to use TUN/TAP to get qemu online; building on that, this one explains how to combine it with NAT. First, a word about TUN/TAP. TUN and TAP are both kernel drivers for virtual networking: they implement network devices entirely in software. TAP implements an Ethernet device and simulates Ethernet frames in software; TUN simulates IP packets. In other words, TAP works at layer 2 and TUN at layer 3. In /etc/qemu-ifup we create network devices such as br0 and tap0, load the tun device through its kernel module, then put both the real network interface eth0 and the software-simulated interface tap0 into promiscuous mode and attach both of them to the bridge br0 (which is, of course, also implemented in software). If you recall what a bridge does, everything becomes clear. The earlier articles all assumed that the current network has a DHCP server, or at least enough spare IP addresses; where that is not the case, NAT address translation makes up for the shortfall. In addition, from inside the virtual machine we can reach the host through its real IP address instead of the internal gateway address, which also solves the problem that in tap mode the qemu guest and the host cannot talk to each other directly.
Step 1: create the init script /etc/init.d/nat

#!/bin/bash
IPTABLES='/usr/sbin/iptables'
EXTERNAL='eth0'
EXTERNIP='10.13.21.184'
# INTERNAL='eth0'
INTERNAL='br0'
INTERNIP='192.168.3.0/24'
# alias address on eth0 that the guests use as their default gateway
ifconfig eth0:0 192.168.3.254

start(){
    # default policies: accept everything, then add rules below
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    # reset the nat table
    $IPTABLES -t nat -P PREROUTING ACCEPT
    $IPTABLES -t nat -P POSTROUTING ACCEPT
    $IPTABLES -t nat -P OUTPUT ACCEPT
    # flush the ipchains and nat table
    $IPTABLES -F
    $IPTABLES -F -t nat
    # delete non-default rules of ipchains and nat table
    # only the flushed user-defined chains can be deleted
    $IPTABLES -X
    $IPTABLES -t nat -X
    # reset the packet counters to zero
    # $IPTABLES -Z -t nat
    $IPTABLES -Z
    $IPTABLES -t nat -Z
    # add your own rules here
    $IPTABLES -N priv
    # $IPTABLES -A priv -s 219.224.167.181 -j DROP
    # reset the three default ipchains
    $IPTABLES -A INPUT -j priv
    $IPTABLES -A OUTPUT -j priv
    $IPTABLES -A FORWARD -j priv
    # load necessary modules
    echo "Starting modprobe necessary modules for iptables"
    modprobe kqemu > /dev/null 2>&1
    modprobe ip_tables > /dev/null 2>&1
    # modprobe ip_nat_ftp > /dev/null 2>&1
    # modprobe ip_nat_irc > /dev/null 2>&1
    # modprobe ip_conntrack > /dev/null 2>&1
    # modprobe ip_conntrack_ftp > /dev/null 2>&1
    # modprobe ip_conntrack_irc > /dev/null 2>&1
    # enable ICMP packet (ping); enabled by default
    # $IPTABLES -A INPUT -p all -j ACCEPT
    # $IPTABLES -A INPUT -p udp -j DROP
    # $IPTABLES -A INPUT -p tcp -j DROP
    # $IPTABLES -A INPUT -p icmp -j DROP
    # enable communication inside local domain
    $IPTABLES -A INPUT -i $INTERNAL -s $INTERNIP -j ACCEPT
    $IPTABLES -A OUTPUT -o $INTERNAL -d $INTERNIP -j ACCEPT
    # enable ip masquerade
    echo "1" >/proc/sys/net/ipv4/ip_forward
    # post-routing for outbound traffic: masquerade the guest subnet behind $EXTERNAL
    $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -s $INTERNIP -j MASQUERADE
    # $IPTABLES -t nat -A POSTROUTING -s $IPDOMAIN -j SNAT --to $OUTIP
    # pre-routing for inbound traffic (port forwarding into guests; $FTPIP/$WEBIP are not defined above)
    # $IPTABLES -t nat -A PREROUTING -d $EXTERNIP -p tcp --dport 21 -j DNAT --to $FTPIP
    # $IPTABLES -t nat -A PREROUTING -d $EXTERNIP -p tcp --dport 79 -j DNAT --to $WEBIP
}

stop(){
    echo "Stopping firewall"
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
    echo "0" >/proc/sys/net/ipv4/ip_forward
}

restart(){
    stop
    start
}

# see how we were called
case $1 in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    *)
        echo $"Usage: $0 { start | stop | restart }"
        exit 1
esac
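As an added example (not the article's own code), a small audit of the ruleset the script above installs, read in the text format that iptables-save prints: it checks that MASQUERADE is scoped to the guest subnet and uplink, and that the FORWARD chain, which the script leaves at policy ACCEPT, is restricted to guest traffic and its replies. The two sample rulesets are constructed and trimmed to the relevant chains; INTERNIP and EXTERNAL are copied from the script.

```shell
#!/bin/sh
# Added example, not code from the original article. INTERNIP and EXTERNAL are
# the values from /etc/init.d/nat; both rulesets below are constructed.
INTERNIP='192.168.3.0/24'
EXTERNAL='eth0'

# audit_nat: read a ruleset on stdin and print one "FINDING:" line per problem.
audit_nat() {
    rules=$(cat)
    # The MASQUERADE rule must be scoped to the guest subnet and the uplink, as in
    # the script; an unscoped one would translate anything the host forwards.
    if ! printf '%s\n' "$rules" | grep -q -- "-A POSTROUTING -s $INTERNIP -o $EXTERNAL -j MASQUERADE"; then
        echo "FINDING: no MASQUERADE rule scoped to $INTERNIP out of $EXTERNAL"
    fi
    # Once ip_forward is 1, the FORWARD policy decides what the host relays between
    # all of its interfaces; the script leaves it at ACCEPT.
    if printf '%s\n' "$rules" | grep -q '^:FORWARD ACCEPT'; then
        echo "FINDING: FORWARD policy is ACCEPT; use DROP plus explicit rules for $INTERNIP"
    fi
    # A DROP policy needs an explicit rule that lets replies back to the guests.
    if printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' &&
       ! printf '%s\n' "$rules" | grep -q -- '-A FORWARD .*ESTABLISHED'; then
        echo "FINDING: FORWARD is DROP but no RELATED,ESTABLISHED rule admits replies"
    fi
}

# Constructed ruleset mirroring what start() above installs (relevant chains only).
WEAK_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.3.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT'

# Constructed hardened variant: guests may only go out through eth0, and only
# replies to those connections are forwarded back onto br0.
HARDENED_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.3.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 192.168.3.0/24 -i br0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

printf '%s\n' "$WEAK_RULES" | audit_nat       # reports the FORWARD policy
printf '%s\n' "$HARDENED_RULES" | audit_nat   # reports nothing
```

Sourcing the file on the host and running `iptables-save | audit_nat` applies the same checks to the live ruleset.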
Step 2: register the init script and start NAT

# chkconfig nat on
# /etc/init.d/nat start

Step 3: modify /etc/qemu-ifup

#!/bin/bash
#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
# tap="tap0"
tap=$1
# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
# eth_ip="10.13.21.194"
eth_ip="192.168.3.1"
eth_netmask="255.255.255.0"
# eth_broadcast="10.13.21.255"
eth_broadcast="192.168.3.255"
# create the tap device(s) handed over by qemu
for t in $tap; do
    openvpn --mktun --dev $t
done
brctl addbr $br
brctl addif $br $eth
for t in $tap; do
    brctl addif $br $t
done
for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done
# ifconfig $eth 0.0.0.0 promisc up
ifconfig $eth promisc up
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

Step 4: start qemu and set the guest's IP address

# qemu -hda win.img -net nic,macaddr=52:54:00:12:34:58 -net tap,ifname=tap0 -localtime -m 384

The guest's IP settings can follow this example:
IP: 192.168.3.15
netmask: 255.255.255.0
broadcast: 192.168.3.255
gateway: 192.168.3.254

After qemu has started, the host's network interfaces should look like this:

# ifconfig -a
br0       Link encap:Ethernet  HWaddr 00:18:8B:12:A1:39
          inet addr:192.168.3.1  Bcast:192.168.3.255  Mask:255.255.255.0
          inet6 addr: fe80::218:8bff:fe12:a139/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11553 errors:0 dropped:0 overruns:0 frame:0
          TX packets:225 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1554222 (1.4 Mb)  TX bytes:80534 (78.6 Kb)

eth0      Link encap:Ethernet  HWaddr 00:18:8B:12:A1:39
          inet addr:10.13.21.184  Bcast:10.13.21.255  Mask:255.255.255.0
          inet6 addr: fe80::218:8bff:fe12:a139/64 Scope:Link
          UP BROADCAST NOTRAILERS RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:138665 errors:0 dropped:0 overruns:0 frame:0
          TX packets:50420 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:43375074 (41.3 Mb)  TX bytes:8077729 (7.7 Mb)
          Base address:0xdf40 Memory:feae0000-feb00000

eth0:0    Link encap:Ethernet  HWaddr 00:18:8B:12:A1:39
          inet addr:192.168.3.254  Bcast:192.168.3.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          Base address:0xdf40 Memory:feae0000-feb00000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1397 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1397 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:117840 (115.0 Kb)  TX bytes:117840 (115.0 Kb)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

tap0      Link encap:Ethernet  HWaddr 96:52:28:D5:E7:69
          inet6 addr: fe80::9452:28ff:fed5:e769/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:255 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5492 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:39194 (38.2 Kb)  TX bytes:586142 (572.4 Kb)

References:
http://en.wikipedia.org/w/index.php?title=TUN/TAP&oldid=105149995
http://blog.chinaunix.net/u/23177/showart_159449.html