@sboeuf
Last active September 6, 2019 18:29
Network cloud-hypervisor

To give a cloud-hypervisor guest Internet connectivity, a few things need to be set up manually.

  1. Set the guest's IP address (in the guest)

# ip addr add 192.168.249.2/24 dev enp0s3

  2. Set the default route (in the guest)

# ip route add default via 192.168.249.1

The default route ensures that any packet whose destination IP does not match a more specific route is sent to the gateway this route points to (192.168.249.1, the host's TAP interface).

  3. Check the routes on the host

On the host, you should have one interface (enp0s1 for instance) that faces the Internet and has an IP address, and one dedicated TAP interface, vmtap0, set with the IP 192.168.249.1. If that's not the case, make sure your TAP interface is set with this IP. The routes also need checking: packets must find their way out to enp0s1 and, on the way back, from enp0s1 to the VM at 192.168.249.2. Here is what the route table should look like on the host:

# ip route
default via 10.7.199.251 dev enp0s1 proto dhcp metric 20100
10.7.199.0/24 dev enp0s1 proto kernel scope link src 10.7.199.52 metric 100
192.168.249.0/24 dev vmtap0 proto kernel scope link src 192.168.249.1

  4. Set iptables rules

Getting the VM to send a packet out is easy, but the reply also needs to reach the host. If the packets leave with the source address 192.168.249.2, the receiver won't be able to reply: it has no 192.168.249.0/24 subnet in its network, and the address is a private one that is not registered publicly. To let the receiver send its replies back to where the packets came from, the packets must leave tagged as coming from the interface enp0s1, identified by the IP 10.7.199.52. This is done by applying a post-routing iptables rule (masquerading) to the packets. Here is what needs to be done:

# iptables -t nat -A POSTROUTING -s 192.168.249.0/24 -o enp0s1 -j MASQUERADE

  5. Fix DNS nameserver address (optional)

If the host machine sits on a specific network, such as an enterprise network, 8.8.8.8 might not be a valid DNS address. In this case, edit /etc/resolv.conf in the guest and replace it with the appropriate address (10.1.2.3 for instance). The appropriate address can be found on the host, either by looking at /etc/resolv.conf or by running nslookup github.com.

  6. Set the proxy (optional)

Again, if the host machine sits on a network that requires a proxy, the proxy configuration can be exported in the guest so that it can reach the Internet. The same proxy as the one used on the host should apply.
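
For the iptables step, when the rule is applied by editing an iptables-save dump and restoring it, the line has to sit inside the *nat table, before that table's COMMIT. The following is an added example, not part of the original gist; the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original gist; function names are hypothetical.
RULE='-A POSTROUTING -s 192.168.249.0/24 -o enp0s1 -j MASQUERADE'

# nat_has_rule RULE: succeed if the dump on stdin holds RULE inside *nat.
nat_has_rule() {
    awk -v rule="$1" '
        /^\*/          { table = substr($0, 2) }
        $0 == "COMMIT" { table = "" }
        table == "nat" && $0 == rule { found = 1 }
        END { exit !found }'
}

# add_nat_rule RULE: copy the dump on stdin to stdout with RULE placed inside
# the *nat table, right before that table COMMIT line. A line appended after
# the last COMMIT belongs to no table, and iptables-restore rejects the file.
add_nat_rule() {
    awk -v rule="$1" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && $0 == rule { present = 1 }
        $0 == "COMMIT" {
            if (table == "nat") { if (!present) print rule; done = 1 }
            table = ""
        }
        { print }
        END {
            if (!done) {           # the dump had no nat table: add one
                print "*nat"
                print ":POSTROUTING ACCEPT [0:0]"
                print rule
                print "COMMIT"
            }
        }'
}

# Constructed sample dump (filter table only), standing in for iptables-save.
sample_dump() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

sample_dump | add_nat_rule "$RULE"
# On a real host, validate before loading (run as root):
#   iptables-save | add_nat_rule "$RULE" | iptables-restore --test
```

The rule stays scoped to the guest subnet (-s) and the outbound interface (-o), so only traffic from the VM leaving through enp0s1 is masqueraded.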
