Libvirtd default network like NAT for Kloudust VMs and hosts - TekMonksGitHub/kloudust GitHub Wiki

Guide: Setting Up a NAT-ed Bridge for VM Networking Using libvirtd-Like Configuration

This guide explains how to create a NAT-ed bridge for virtual machines (VMs) using a Linux bridge and nftables for NAT and forwarding. It mimics the behavior of libvirtd host NAT.

---

Step 1: Create a Linux Bridge for the VMs

Create a bridge interface named vdhcptest_br:

ip link add vdhcptest_br type bridge

---

Step 2: Assign an IP Address to the Bridge

Assign a static IP address to the bridge:

ip addr add 192.168.1.1/24 dev vdhcptest_br

---

Step 3: Create a veth Pair

Create a veth pair and attach one end to the VM and the other to the bridge:

ip link add ethdhcptest_a type veth peer name ethdhcptest_b
ip link set ethdhcptest_b master vdhcptest_br

Attach ethdhcptest_a to your VM (e.g., by using virsh, qemu, or by moving it to the VM’s network namespace).

---

Step 4: Bring Up Interfaces

Bring up the bridge and the bridge-connected interface:

ip link set up vdhcptest_br
ip link set up ethdhcptest_b

---

Step 5: Set Up DHCP for the Bridge

Use dnsmasq to provide DHCP on the bridge interface:

dnsmasq --dhcp-range=192.168.1.10,192.168.1.100,12h \
        --interface=vdhcptest_br \
        --bind-interfaces \
        --except-interface=lo \
        --resolv-file=/etc/resolv.conf

---

Step 6: Configure NAT and Forwarding Using nftables

Create an nftables script (e.g., kdnat.conf) with the following content:

#!/usr/sbin/nft -f

table ip kdnat {
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    ip saddr 192.168.1.0/24 oifname "eno2" masquerade
  }
}

table ip kdfilter {
  chain forward {
    type filter hook forward priority 0; policy accept;

    # Allow established and related connections back in
    ct state established,related accept

    # Allow traffic from bridge to external interface
    iifname "vdhcptest_br" oifname "eno2" accept

    # Optionally allow external traffic to bridge (usually not needed)
    # iifname "eno2" oifname "vdhcptest_br" accept
  }
}

Load it using:

sudo nft -f kdnat.conf

---

Step 7: Obtain IP Address on the VM

Inside the VM, ensure the interface is up and use dhclient to request an IP:

dhclient eth0  # replace eth0 with the interface name inside the VM

---

Step 8: Test Connectivity

Inside the VM, test internet connectivity by pinging a public IP address, for example:

ping 8.8.8.8

---

This completes the NAT-ed bridge setup for your VMs!