KVM / QEMU network "default" NAT configuration - guest cannot connect to the host or the internet.

On Arch Linux, guest VMs no longer get a connection when they use the virtual network. The problem appeared almost out of nowhere: it had been working without any change to the system configuration or to the KVM / QEMU configuration.

To be clear, I cannot communicate with the guest either: there is no communication between host and guest at all.

I found similar posts, but none of them solved the problem I was experiencing.

virsh net-dumpxml default

<network>
  <name>default</name>
  <uuid>redacted</uuid>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:aa:32:1d'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>

virsh net-list --all


 Name      State    Autostart   Persistent
--------------------------------------------
 default   active   yes         yes

Inside the Manjaro guest:

ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
      valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
      valid_lft forever preferred_lft forever

2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:e5:a3:92 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fa0d:bd72:fdba:57c2/64 scope link noprefixroute
      valid_lft forever preferred_lft forever

Back on the host:

journalctl -b -u libvirtd.service --no-pager

Note: I removed the hostname.

Apr 18 05:32:37 hostname systemd[1]: Starting Virtualization daemon...
Apr 18 05:32:37 hostname systemd[1]: Started Virtualization daemon.
Apr 18 05:32:38 hostname dnsmasq[726]: started, version 2.89 cachesize 150
Apr 18 05:32:38 hostname dnsmasq[726]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset nftset auth cryptohash DNSSEC loop-detect inotify dumpfile
Apr 18 05:32:38 hostname dnsmasq-dhcp[726]: DHCP, IP range 192.168.122.2 -- 192.168.122.254, lease time 1h
Apr 18 05:32:38 hostname dnsmasq-dhcp[726]: DHCP, sockets bound exclusively to interface virbr0
Apr 18 05:32:38 hostname dnsmasq[726]: reading /etc/resolv.conf
Apr 18 05:32:38 hostname dnsmasq[726]: using nameserver 68.105.28.11#53
Apr 18 05:32:38 hostname dnsmasq[726]: using nameserver 68.105.29.11#53
Apr 18 05:32:38 hostname dnsmasq[726]: using nameserver 68.105.28.12#53
Apr 18 05:32:38 hostname dnsmasq[726]: read /etc/hosts - 0 names
Apr 18 05:32:38 hostname dnsmasq[726]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 names
Apr 18 05:32:38 hostname dnsmasq-dhcp[726]: read /var/lib/libvirt/dnsmasq/default.hostsfile
Apr 18 05:32:41 hostname dnsmasq[726]: reading /etc/resolv.conf
Apr 18 05:32:41 hostname dnsmasq[726]: using nameserver 68.105.28.11#53
Apr 18 05:32:41 hostname dnsmasq[726]: using nameserver 68.105.29.11#53
Apr 18 05:32:41 hostname dnsmasq[726]: using nameserver 68.105.28.12#53
Apr 18 05:32:43 hostname dnsmasq[726]: reading /etc/resolv.conf
Apr 18 05:32:43 hostname dnsmasq[726]: using nameserver 100.100.100.100#53
Apr 18 05:32:43 hostname dnsmasq[726]: reading /etc/resolv.conf
Apr 18 05:32:43 hostname dnsmasq[726]: using nameserver 100.100.100.100#53
Apr 18 09:33:08 hostname dnsmasq[726]: reading /etc/resolv.conf
Apr 18 09:33:08 hostname dnsmasq[726]: using nameserver 100.100.100.100#53
Apr 18 09:34:37 hostname systemd[1]: libvirtd.service: Deactivated successfully.
Apr 18 09:34:37 hostname systemd[1]: libvirtd.service: Unit process 726 (dnsmasq) remains running after unit stopped.
Apr 18 09:34:37 hostname systemd[1]: libvirtd.service: Unit process 727 (dnsmasq) remains running after unit stopped.
Apr 18 18:35:25 hostname systemd[1]: libvirtd.service: Found left-over process 726 (dnsmasq) in control group while starting unit. Ignoring.
Apr 18 18:35:25 hostname systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
Apr 18 18:35:25 hostname systemd[1]: libvirtd.service: Found left-over process 727 (dnsmasq) in control group while starting unit. Ignoring.
Apr 18 18:35:25 hostname systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
Apr 18 18:35:25 hostname systemd[1]: Starting Virtualization daemon...
Apr 18 18:35:25 hostname systemd[1]: Started Virtualization daemon.
Apr 18 18:35:26 hostname dnsmasq[726]: read /etc/hosts - 0 names
Apr 18 18:35:26 hostname dnsmasq[726]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 names
Apr 18 18:35:26 hostname dnsmasq-dhcp[726]: read /var/lib/libvirt/dnsmasq/default.hostsfile

ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp7s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 04:42:1a:f0:5e:22 brd ff:ff:ff:ff:ff:ff
    inet 192.168.68.116/24 brd 192.168.68.255 scope global dynamic noprefixroute enp7s0
       valid_lft 6595sec preferred_lft 6595sec
    inet6 fe80::4da9:ee46:ca10:5ccf/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: wlp6s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether fe:32:0e:58:03:f0 brd ff:ff:ff:ff:ff:ff permaddr 1c:99:57:a4:c3:b5
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:aa:32:1d brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
5: tailscale0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 100.92.168.67/32 scope global tailscale0
       valid_lft forever preferred_lft forever
    inet6 fd7a:115c:a1e0:ab12:4843:cd96:625c:a843/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::1e59:5071:1cf9:298f/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
6: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:46:7a:60:f7 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever

iptables-save

# Generated by iptables-save v1.8.9 (nf_tables) on Wed Apr 19 08:15:48 2023
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Wed Apr 19 08:15:48 2023
# Generated by iptables-save v1.8.9 (nf_tables) on Wed Apr 19 08:15:48 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
:ts-forward - [0:0]
:ts-input - [0:0]
-A INPUT -j ts-input
-A INPUT -j LIBVIRT_INP
-A FORWARD -j ts-forward
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
-A ts-forward -i tailscale0 -j MARK --set-xmark 0x40000/0xff0000
-A ts-forward -m mark --mark 0x40000/0xff0000 -j ACCEPT
-A ts-forward -s 100.64.0.0/10 -o tailscale0 -j DROP
-A ts-forward -o tailscale0 -j ACCEPT
-A ts-input -s 100.92.168.67/32 -i lo -j ACCEPT
-A ts-input -s 100.115.92.0/23 ! -i tailscale0 -j RETURN
-A ts-input -s 100.64.0.0/10 ! -i tailscale0 -j DROP
COMMIT
# Completed on Wed Apr 19 08:15:48 2023
# Generated by iptables-save v1.8.9 (nf_tables) on Wed Apr 19 08:15:48 2023
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
:LIBVIRT_PRT - [0:0]
:ts-postrouting - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -j ts-postrouting
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -j LIBVIRT_PRT
-A DOCKER -i docker0 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A ts-postrouting -m mark --mark 0x40000/0xff0000 -j MASQUERADE
COMMIT
# Completed on Wed Apr 19 08:15:48 2023

nft list ruleset

table inet filter {
        chain input {
                type filter hook input priority filter; policy drop;
                ct state invalid drop comment "early drop of invalid connections"
                ct state { established, related } accept comment "allow tracked connections"
                iifname "lo" accept comment "allow from loopback"
                ip protocol icmp accept comment "allow icmp"
                meta l4proto ipv6-icmp accept comment "allow icmp v6"
                tcp dport 22 accept comment "allow sshd"
                meta pkttype host limit rate 5/second counter packets 10 bytes 4387 reject with icmpx admin-prohibited
                counter packets 134 bytes 101906
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
        }
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
        chain LIBVIRT_INP {
                iifname "virbr0" udp dport 53 counter packets 0 bytes 0 accept
                iifname "virbr0" tcp dport 53 counter packets 0 bytes 0 accept
                iifname "virbr0" udp dport 67 counter packets 0 bytes 0 accept
                iifname "virbr0" tcp dport 67 counter packets 0 bytes 0 accept
        }

        chain INPUT {
                type filter hook input priority filter; policy accept;
                counter packets 5223 bytes 29062872 jump ts-input
                counter packets 5311 bytes 29090912 jump LIBVIRT_INP
        }

        chain LIBVIRT_OUT {
                oifname "virbr0" udp dport 53 counter packets 0 bytes 0 accept
                oifname "virbr0" tcp dport 53 counter packets 0 bytes 0 accept
                oifname "virbr0" udp dport 68 counter packets 0 bytes 0 accept
                oifname "virbr0" tcp dport 68 counter packets 0 bytes 0 accept
        }

        chain OUTPUT {
                type filter hook output priority filter; policy accept;
                counter packets 5065 bytes 478957 jump LIBVIRT_OUT
        }

        chain LIBVIRT_FWO {
                iifname "virbr0" ip saddr 192.168.122.0/24 counter packets 0 bytes 0 accept
                iifname "virbr0" counter packets 0 bytes 0 xt target "REJECT"
        }

        chain FORWARD {
                type filter hook forward priority filter; policy accept;
                counter packets 0 bytes 0 jump ts-forward
                counter packets 0 bytes 0 jump DOCKER-USER
                counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
                oifname "docker0" xt match "conntrack" counter packets 0 bytes 0 accept
                oifname "docker0" counter packets 0 bytes 0 jump DOCKER
                iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
                iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
                counter packets 0 bytes 0 jump LIBVIRT_FWX
                counter packets 0 bytes 0 jump LIBVIRT_FWI
                counter packets 0 bytes 0 jump LIBVIRT_FWO
        }

        chain LIBVIRT_FWI {
                oifname "virbr0" ip daddr 192.168.122.0/24 xt match "conntrack" counter packets 0 bytes 0 accept
                oifname "virbr0" counter packets 0 bytes 0 xt target "REJECT"
        }

        chain LIBVIRT_FWX {
                iifname "virbr0" oifname "virbr0" counter packets 0 bytes 0 accept
        }

        chain DOCKER {
        }

        chain DOCKER-ISOLATION-STAGE-1 {
                iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
                counter packets 0 bytes 0 return
        }

        chain DOCKER-ISOLATION-STAGE-2 {
                oifname "docker0" counter packets 0 bytes 0 drop
                counter packets 0 bytes 0 return
        }

        chain DOCKER-USER {
                counter packets 0 bytes 0 return
        }

        chain ts-input {
                iifname "lo" ip saddr 100.92.168.67 counter packets 0 bytes 0 accept
                iifname != "tailscale0" ip saddr 100.115.92.0/23 counter packets 0 bytes 0 return
                iifname != "tailscale0" ip saddr 100.64.0.0/10 counter packets 0 bytes 0 drop
        }

        chain ts-forward {
                iifname "tailscale0" counter packets 0 bytes 0 xt target "MARK"
                meta mark & 0x00ff0000 == 0x00040000 counter packets 0 bytes 0 accept
                oifname "tailscale0" ip saddr 100.64.0.0/10 counter packets 0 bytes 0 drop
                oifname "tailscale0" counter packets 0 bytes 0 accept
        }
}
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
        chain LIBVIRT_PRT {
                ip saddr 192.168.122.0/24 ip daddr 224.0.0.0/24 counter packets 1 bytes 40 return
                ip saddr 192.168.122.0/24 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
                meta l4proto tcp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 xt target "MASQUERADE"
                meta l4proto udp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 xt target "MASQUERADE"
                ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 xt target "MASQUERADE"
        }

        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                counter packets 421 bytes 28614 jump ts-postrouting
                oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 xt target "MASQUERADE"
                counter packets 465 bytes 31643 jump LIBVIRT_PRT
        }

        chain DOCKER {
                iifname "docker0" counter packets 0 bytes 0 return
        }

        chain PREROUTING {
                type nat hook prerouting priority dstnat; policy accept;
                xt match "addrtype" counter packets 12 bytes 4499 jump DOCKER
        }

        chain OUTPUT {
                type nat hook output priority -100; policy accept;
                ip daddr != 127.0.0.0/8 xt match "addrtype" counter packets 0 bytes 0 jump DOCKER
        }

        chain ts-postrouting {
                meta mark & 0x00ff0000 == 0x00040000 counter packets 0 bytes 0 xt target "MASQUERADE"
        }
}
# Warning: table ip mangle is managed by iptables-nft, do not touch!
table ip mangle {
        chain LIBVIRT_PRT {
                oifname "virbr0" udp dport 68 counter packets 0 bytes 0 xt target "CHECKSUM"
        }

        chain POSTROUTING {
                type filter hook postrouting priority mangle; policy accept;
                counter packets 5065 bytes 478957 jump LIBVIRT_PRT
        }
}
# Warning: table ip6 filter is managed by iptables-nft, do not touch!
table ip6 filter {
        chain LIBVIRT_INP {
        }

        chain INPUT {
                type filter hook input priority filter; policy accept;
                counter packets 29 bytes 2072 jump ts-input
                counter packets 31 bytes 2340 jump LIBVIRT_INP
        }

        chain LIBVIRT_OUT {
        }

        chain OUTPUT {
                type filter hook output priority filter; policy accept;
                counter packets 102 bytes 8442 jump LIBVIRT_OUT
        }

        chain LIBVIRT_FWO {
        }

        chain FORWARD {
                type filter hook forward priority filter; policy accept;
                counter packets 0 bytes 0 jump ts-forward
                counter packets 0 bytes 0 jump LIBVIRT_FWX
                counter packets 0 bytes 0 jump LIBVIRT_FWI
                counter packets 0 bytes 0 jump LIBVIRT_FWO
        }

        chain LIBVIRT_FWI {
        }

        chain LIBVIRT_FWX {
        }

        chain ts-input {
                iifname "lo" ip6 saddr fd7a:115c:a1e0:ab12:4843:cd96:625c:a843 counter packets 0 bytes 0 accept
        }

        chain ts-forward {
                iifname "tailscale0" counter packets 0 bytes 0 xt target "MARK"
                meta mark & 0x00ff0000 == 0x00040000 counter packets 0 bytes 0 accept
                oifname "tailscale0" counter packets 0 bytes 0 accept
        }
}
# Warning: table ip6 nat is managed by iptables-nft, do not touch!
table ip6 nat {
        chain LIBVIRT_PRT {
        }

        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                counter packets 24 bytes 2334 jump ts-postrouting
                counter packets 25 bytes 2444 jump LIBVIRT_PRT
        }

        chain ts-postrouting {
                meta mark & 0x00ff0000 == 0x00040000 counter packets 0 bytes 0 xt target "MASQUERADE"
        }
}
table ip6 mangle {
        chain LIBVIRT_PRT {
        }

        chain POSTROUTING {
                type filter hook postrouting priority mangle; policy accept;
                counter packets 102 bytes 8442 jump LIBVIRT_PRT
        }
}
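Added example, not part of the question above: a small Python script that reads the text of nft list ruleset and flags every hook where a base chain with policy drop sits on the same packet path as base chains whose policy is accept. In nftables an accept verdict only ends evaluation of the chain that issued it; the packet is still evaluated by every other base chain registered on the same hook (the inet family is hooked for both IPv4 and IPv6), and a drop anywhere on that path is final. The ruleset posted above has exactly that layout: inet filter input and inet filter forward with policy drop next to the iptables-nft ip filter INPUT and FORWARD chains (policy accept) that carry libvirt's DHCP/DNS and NAT accept rules. The embedded ruleset is a constructed excerpt of the posted one (base-chain headers and a couple of rules only); the function names are the example's own and nothing here is libvirt or nft code.

```python
import re

# Named base-chain priorities and their numeric values, as listed in nft(8).
NAMED_PRIORITY = {
    "raw": -300, "mangle": -150, "dstnat": -100,
    "filter": 0, "security": 50, "srcnat": 100,
}

TABLE_RE = re.compile(r"^table\s+(\w+)\s+(\S+)\s*\{")
CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{")
HOOK_RE = re.compile(
    r"^\s*type\s+(\w+)\s+hook\s+(\w+)\s+priority\s+(-?\w+)\s*;\s*policy\s+(\w+)\s*;"
)


def parse_base_chains(ruleset):
    """Return one dict per base chain (family, table, chain, type, hook, priority,
    policy) found in `nft list ruleset` text. Regular chains have no hook line
    and are skipped; the iptables-nft warning comments do not match anything."""
    chains = []
    family = table = chain = None
    for line in ruleset.splitlines():
        m = TABLE_RE.match(line)
        if m:
            family, table, chain = m.group(1), m.group(2), None
            continue
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        m = HOOK_RE.match(line)
        if m and family and chain:
            prio = m.group(3)
            priority = NAMED_PRIORITY[prio] if prio in NAMED_PRIORITY else int(prio)
            chains.append({
                "family": family, "table": table, "chain": chain,
                "type": m.group(1), "hook": m.group(2),
                "priority": priority, "policy": m.group(4),
            })
    return chains


def chains_on_path(chains, hook, ipver="ip"):
    """Base chains an IPv4 ("ip") or IPv6 ("ip6") packet traverses at `hook`,
    in evaluation order (ascending priority). inet chains apply to both."""
    families = {ipver, "inet"}
    path = [c for c in chains if c["hook"] == hook and c["family"] in families]
    return sorted(path, key=lambda c: c["priority"])


def label(c):
    return f'{c["family"]} {c["table"]} {c["chain"]}'


def drop_overrides(chains, ipver="ip"):
    """Hooks where a drop-policy base chain shares the path with accept-policy
    base chains. Accept rules in the latter cannot save a packet that falls
    through to the former's policy, so these are the hooks to look at first."""
    report = {}
    for hook in sorted({c["hook"] for c in chains}):
        path = chains_on_path(chains, hook, ipver)
        drops = [label(c) for c in path if c["policy"] == "drop"]
        accepts = [label(c) for c in path if c["policy"] == "accept"]
        if drops and accepts:
            report[hook] = {"drop": drops, "accept": accepts}
    return report


# Constructed excerpt of the ruleset posted above (base-chain headers only).
SAMPLE_RULESET = """\
table inet filter {
        chain input {
                type filter hook input priority filter; policy drop;
                tcp dport 22 accept comment "allow sshd"
        }
        chain forward {
                type filter hook forward priority filter; policy drop;
        }
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
        chain LIBVIRT_INP {
                iifname "virbr0" udp dport 67 accept
        }
        chain INPUT {
                type filter hook input priority filter; policy accept;
                jump LIBVIRT_INP
        }
        chain FORWARD {
                type filter hook forward priority filter; policy accept;
        }
}
table ip nat {
        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
        }
}
table ip mangle {
        chain POSTROUTING {
                type filter hook postrouting priority mangle; policy accept;
        }
}
table ip6 filter {
        chain INPUT {
                type filter hook input priority filter; policy accept;
        }
}
"""

if __name__ == "__main__":
    for hook, info in drop_overrides(parse_base_chains(SAMPLE_RULESET)).items():
        print(f"{hook}: policy drop in {info['drop']} overrides accept in {info['accept']}")
```

Run against the live system with `sudo nft list ruleset | python3 this_script.py` after swapping SAMPLE_RULESET for sys.stdin.read(). On the excerpt it reports the input and forward hooks: the first is where a guest's DHCP/DNS requests reach dnsmasq on virbr0, the second is where the guest's NATed traffic leaves, which are the two paths the question says are broken.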
