Qemu and networking

2005 May 25 at 08:38 » Tagged as :virtualization, lame,

It is said that a qemu guest operating system can talk to it's host operating system through the network with the help something called tun/tap, something which I am ashamed to say I have never heard of before.

Configuring network cards, ppp or routing tables has never been my strong point, so TUN/TAP isn't something that I approached with eagerness. But having successfuly setup qemu, networking is sorely needed if it is to be made full use of. It's just too bad that there isn't anything really usefull on google about this topic.

After struggling unsuccessfully to asign an 192.168.x.x IP to the guest operating system (the NIC on the host system has such an IP), I decided to rever to the default 172.20.x.x ip (which is in fact asigned by DHCP). The original qemu-ifup script was also reverted to. It assigned 172.20.0.1 to the tun0 interface on the host.

I can open a socket connection in 5 different programming languages but ask me to set up a NAT and I would struggle. Having said that I still needed to enable NAT so that the guest system could access the outside world. Fortunately, I can type in :

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

and

echo 1 > /proc/sys/net/ipv4/ip_forward

by rote. There is still another issue to be addressed; I have a webserver on the host system with about a dozen IP virtual hosted sites. Since all the IPs are private network IPs they do not have DNS entries, that meant the hosts file on the guest system had to be edited. That's only a part of the solution becuase it's not practical to create a dozen virtual NICs every host entries, all host entries point to the same IP. That calls for a another set of iptable rules.

First I try adding rules to the PREROUTING chain, then after tearing my hair tried the same with the OUTPUT chain still without success, finally I jumped to the wrong conclusion that tun0 is not too concerned about obeying iptables rules. That was proved wrong by the simple rule

iptables -A INPUT -i tun0 -j DROP

After struggling with it a little longer, I finally realised that had I chosen to set up a few virtual nics I would have finished it in less than 5 minutes. This is of course the down side of being a geek.

← Back to home