public inbox for kvm@vger.kernel.org
From: Bill Davidsen <davidsen@tmr.com>
To: kvm@vger.kernel.org
Cc: Chris Lalancette <clalance@redhat.com>,
	Mike Snitzer <snitzer@gmail.com>,
	kvm@vger.kernel.org
Subject: Re: Simple way of putting a VM on a LAN
Date: Fri, 25 Jul 2008 12:44:11 -0400
Message-ID: <488A02DB.8020204@tmr.com>
In-Reply-To: <90eb1dc70807240722r371205fep9567014aa45158a9@mail.gmail.com>

Javier Guerra wrote:
> On Wed, Jul 23, 2008 at 11:15 PM, Bill Davidsen <davidsen@tmr.com> wrote:
>> Your easy way seems to mean using Debian, other distributions don't have
>> some of the scripts, or they are in different places or do different things.
>> Other thoughts below.
> 
> Yep, on Gentoo and SuSE I didn't find the included scripts flexible
> enough, so I did the same 'by hand'.  That was a few years ago; it
> might be better now, but it's not hard to do anyway.
> 
> 
>> Not being a trusting person I find that a bridge is an ineffective firewall,
> 
> A bridge isn't a firewall.  It's the software equivalent of plugging
> both your host and guest into an ethernet switch.  In most ways, your
> host 'steps out of the way'.

Maybe I didn't have my tongue far enough in my cheek... I do know what a 
bridge is, etc.; I was referring to the desirability of using iptables 
for the forwarding. I must have looked at ebtables at one time (the 
package is loaded), but I don't remember having any instant "this is 
great" moments with it, so I'll have to reread the docs if I need more 
than the bridge.
> 
>> but with a bit of trickery that could live on the VM, to the extent it's
>> needed. Now the "sets up its own IP" is a mystery, since there's no place I
>> have told it what the IP of the machine it replaces might be. I did take the
> 
> As said before, it's as if your VM is directly plugged into the LAN.
> You just configure its network 'from inside'.  The host doesn't care
> what IP numbers it uses.  In fact, it could be using totally different
> protocols, just as long as they go over ethernet.

But when the host is really on the network, it uses DHCP to set the IP, 
while in a VM it never sends any DHCP packets; the setting of the IP 
times out, and I wind up with no IP until I set it. I have checked with 
tcpdump: the DHCP requests for an IP appear on the bridge, but not on the 
eth0 NIC, and so are never seen by the DHCP server.

Do you see this problem, or have any information about it? Obviously 
suggestions on fixing this are needed, since the DHCP server is a 
candidate for virtualization in the future.
> 
>> hand does result in a working configuration, however, so other than the lack
>> of control from using iptables to forward packets, it works well.
> 
> You can use iptables.  Maybe you have to set up ebtables, but in the
> end, just put rules in the FORWARD chains.  Google for 'transparent
> firewall' or 'bridge iptables'.
> 
>> of manual setup, it's faster than setting up iptables, and acceptably secure
>> as long as the kvm host is at least as secure as the original.
> 
> Just do with your VM as you do with a 'real' box.  After that, you can
> use the fact that every packet to the VM has to pass through your eth0
> device, even if they don't appear on your INPUT chains.
> 


-- 
Bill Davidsen <davidsen@tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
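The symptom Bill describes above (DHCP requests visible on the bridge but never on eth0) can be confirmed by diffing two tcpdump captures. The script below is an added example, not code from this thread or from KVM; the capture lines, MAC addresses and 192.0.2.x addresses are constructed samples in the shape of `tcpdump -n -e` output.

```python
import re
from collections import Counter

# Constructed sample captures (not from the thread). Lines follow the shape of
# `tcpdump -n -e -i <iface> port 67 or port 68` output, one capture per interface.
# 52:54:00:aa:bb:01 is the guest whose requests never leave the bridge;
# 00:11:22:33:44:55 is a client whose exchange completes normally.
BRIDGE_CAPTURE = """\
12:01:02.000001 52:54:00:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 52:54:00:aa:bb:01, length 300
12:01:05.000001 52:54:00:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 52:54:00:aa:bb:01, length 300
12:01:06.000001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300
12:01:06.500000 00:22:33:44:55:66 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 342: 192.0.2.1.67 > 192.0.2.50.68: BOOTP/DHCP, Reply, length 300
"""
NIC_CAPTURE = """\
12:01:06.000002 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300
12:01:06.499999 00:22:33:44:55:66 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 342: 192.0.2.1.67 > 192.0.2.50.68: BOOTP/DHCP, Reply, length 300
"""

# Matches the DHCP summary tcpdump prints; captures the requesting client MAC.
DHCP_RE = re.compile(
    r"BOOTP/DHCP, (?:Request from (?P<client>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})|Reply)"
)


def dhcp_requests(capture):
    """Count DHCP requests per client MAC in one capture's text."""
    counts = Counter()
    for line in capture.splitlines():
        m = DHCP_RE.search(line)
        if m and m.group("client"):
            counts[m.group("client")] += 1
    return counts


def stranded_clients(bridge_capture, nic_capture):
    """MACs whose DHCP requests were seen on the bridge but never on the
    physical NIC, i.e. requests the DHCP server on the LAN cannot have seen."""
    on_bridge = dhcp_requests(bridge_capture)
    on_nic = dhcp_requests(nic_capture)
    return sorted(mac for mac in on_bridge if mac not in on_nic)


if __name__ == "__main__":
    for mac in stranded_clients(BRIDGE_CAPTURE, NIC_CAPTURE):
        print(f"{mac}: {dhcp_requests(BRIDGE_CAPTURE)[mac]} request(s) on bridge, none on NIC")
    # One thing to check when this fires: with net.bridge.bridge-nf-call-iptables=1
    # the iptables FORWARD chain also sees bridged frames, so a DROP policy there
    # silently eats the guest's DHCP broadcasts before they reach eth0.
```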

