
What is the correct way to setup NAT networking between KVM vm and host?

KVM vm:

No firewall Installed

$ sudo arp-scan -r 5 -t 1000 --interface=eth0 --localnet     52:55:0a:00:02:02    locally administered     52:55:0a:00:02:03    locally administered

$ ip r

default via dev eth0 proto dhcp metric 100 dev eth0 proto kernel scope link src metric 100


eth0: inet netmask broacast
      ether 52:54:00:12:34:56
lo: inet netmask
      inet6 ::1


:~$ ip r via dev tun0 
default via dev wlan0 proto dhcp metric 600 
10.21xxxxxxxx dev tun0 proto kernel scope link src 10.21xxxxx 
xxxxxxxxxxxx dev wlan0 via dev tun0 dev wlan0 proto kernel scope link src metric 600 dev eth0 proto kernel scope link src metric 100 

:~$ ifconfig

 eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
    inet  netmask  broadcast
    inet6 fe80::76c8:79b4:88d4:7f5c  prefixlen 64  scopeid 0x20<link>
    ether ec:8e:b5:71:33:6e  txqueuelen 1000  (Ethernet)
    RX packets 1700  bytes 194730 (190.1 KiB)
    RX errors 0  dropped 0  overruns 0  frame 0
    TX packets 2862  bytes 246108 (240.3 KiB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    device interrupt 16  memory 0xe1000000-e1020000  

 lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
    inet  netmask
    inet6 ::1  prefixlen 128  scopeid 0x10<host>
    loop  txqueuelen 1000  (Local Loopback)
    RX packets 13251  bytes 7933624 (7.5 MiB)
    RX errors 0  dropped 0  overruns 0  frame 0
    TX packets 13251  bytes 7933624 (7.5 MiB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    inet  netmask  destination
    inet6 fe80::a920:941c:ffa8:5579  prefixlen 64  scopeid 0x20<link>
    unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
    RX packets 4348  bytes 2242726 (2.1 MiB)
    RX errors 0  dropped 0  overruns 0  frame 0
    TX packets 3823  bytes 404190 (394.7 KiB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
    inet  netmask  broadcast
    inet6 fe80::651b:5014:7929:9ba3  prefixlen 64  scopeid 0x20<link>
    ether d8:55:a3:d5:d1:30  txqueuelen 1000  (Ethernet)
    RX packets 114455  bytes 117950099 (112.4 MiB)
    RX errors 0  dropped 0  overruns 0  frame 0
    TX packets 67169  bytes 14855011 (14.1 MiB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0 

~$ sudo arp-scan -r 5 -t 1000 --localnet

just hangs......

Host can not ping

No firewall enable


$ sudo ip route add default via
$ sudo ip route add default via
$ sudo ip route add default via

Can NAT work without virsh ?

Can NAT be fixed from command line only ?


$ sudo ip link add natbr0 type bridge
$ sudo ip link set dev natbr0 up
$ sudo ip link set dev eth0 up
$ sudo ip link set dev eth0 master natbr0

that works to bridge eth0 slave to kvm - vm can ping other computers on the network. but not the host @Tom Yan answer combined with archlinux-Network_bridge created above commands that can ping other network ip's

So i tried to change working bridge connection to allow host and kvm to talk.

Goal: host$ ping kvm

$ sudo ip link add natbr0 type bridge
$ sudo ip link set dev natbr0 up
$ sudo ip a add dev natbr0
$ sudo kvm -m 3G -hdb /dev/sde  -nic bridge,br=natbr0
kvm$ sudo ip link add natbr0 type bridge
kvm$ sudo ip a add
kvm$ sudo ip link set dev natbr0 up
kvm can ping it self 

$ ping

PING ( 56(84) bytes of data
64 bytes from icmp_seq=1 ttl=64 time=0.027 ms

but kvm$ping

Destination Host Unreachable

host$ ping

(just hangs)

Prefer command line to test the resilience of process/system bare bones vs a lot of scripts that can pose more vulnerability to failure. - command line works or not and errors are more easily traced, isolated and reproducible. Depending on linux flavor, certain scripts/parts of scripts (like those incorporated in xml alternative solutions offered) may work or not work. If bridging with kvm can be reproduced on any linux flavor by following commands above....then it seems possible that kvm NAT can also be achieved using cli commands - just to clarify the point of this post , cli steps to NAT kvm will be more standardized, so preferable.

generally @NikitaKipriyanov answer was the correct road, this was the answer but required a tweak to command

$ sudo kvm -m 3G -hdb /dev/sde -net nic -net user,hostfwd=tcp::1810-:22

using command tweak vm can communicate with internet like default and also communicate with host via ssh. credit to @NikitaKipriyanov and @cnst for the tweak https://stackoverflow.com/a/54120040

User will need to ssh using port 1810 using localhost address

$ ssh p@localhost -p 1810

  Info from `ip r` and `ip a` with information about which nic is from your KVM, and maybe also your kvm machines commandline should help to help you with your issue. ` -nic user,model=virtio` gives you user mode NAT If what you want is actually nat from the host to your network, then: `iptables -t nat -A POSTROUTING -s $vmnet -j MASQUERADE` will give you NAT
  Does this answer your question? [host port forward with qemu through libvirt in user-mode networking](https://serverfault.com/questions/890520/host-port-forward-with-qemu-through-libvirt-in-user-mode-networking)
  _iptables -t .... MASQUERADE_ gives output : Bad argument `MASQUERADE' . And _iptables -t nat -A POSTROUTING -o Brii -j MASQUERADE_ is accepted by host but kvm still can not ping host or internet
  Notice, bridging has nothing to do with NAT and routing. Don't mix them up. If you want bridging, remove "NAT" and "ip route" and friends everywhere, you are not going to use that. Your VM will appear alongside your host in some network (that might be a network private to the host and VM, but that's anoher story). On the other hand, if you are going to use user mode NAT, you certainly don't need bridge at all (as it is developed to relieve the whole need to use bridge in the first place).
  The other answer (by @TomYan) is the *another story* I mentioned. He suggests you to go that approach, i. e. from using user mode NAT you use NAT in the host OS. That's workable approach, but it is certainly *harder* and *more cumbersome* than just to spell command line options correctly.
  i was running tests on kvm to see if it could NAT like Virt-Manager without the bloat and heavy heavy load virt-manager demands in resources. I will research the cli application of libvirt to this issue and post results if successful.

The common idea of NAT is that you don't see translated addresses. You don't have routes to them. They don't exist for you. You only see only the addresses whichever those are translated into.

The QEMU case is nothing different. In this case, your host is "outside", your VM is "inside", so VM could never be accesses by the address it is assigned to. You have address of the VM, but when it reaches Internet, its packets get translated into by the QEMU process, so host considers those packets as created by the QEMU process and treats them like any other packets, say, from locally running web browser or anything like that.

How to access a VM from the host? When we have NAT, to reach hosts hidden behind it, we install DNAT rules. And again, the case of QEMU is no different, you must set up some rules into it, and then you may communicate with the VM from the host (of from other hosts, if you want) by sending packets to selected ports of the host address.

According to the QEMU documentation, to setup DNAT rules into its usermode NAT, you use the hostfwd clause. Let's introduce the following into its command line:

    -netdev user,id=usernet0,hostfwd=tcp::11111-:22 \
    -device virtio-net-pci,netdev=usernet0,mac=08:00:27:92:B0:51

Then, tcp port 11111 will be occupied by the qemu-system-x86_64 process on my machine, and if you connect to the localhost port 11111, the connection will be made to the port 22 of the VM.

The general form is hostfwd=hostip:hostport-guestip:guestport, but if you omit hostip, it'll be localhost, and if you omit guestip, it'll be first "non-gateway" address inside guest network.

I noticed you are mentioned virsh. Are you running libvirt? Then the question is duplicate; see comments.

Nikita Kipriyanov
  thank you,answer makes sense - i am still doing something wrong. `$ sudo kvm -m 3G -hdb /dev/sde netdev user,id=usernet0,hostfwd=tcp::11111-:22` Output: `qemu-system-x86_64: netdev: Could not open 'netdev': No such file or directory` I read QEMU documentation link - any tutorials explain this step by step i can follow ?
  `$ sudo kvm -m 3G -hdb /dev/sde netdev user,id=usernet0,hostfwd=tcp::11111-:22 device virtio-net-pci,netdev=usernet0,mac=08:00:27:92:B0:51` Same Output: `qemu-system-x86_64: netdev: Could not open 'netdev': No such file or directory`
  • 1
    Just fix the typo; you forgot the `-` in `-netdev user,...`
  • 1
    Actually `(S)NAT` (in the non-qemu-specific sense) does not prevent the VM from being able to reach the host. Rather it "masquerade" the traffics from the VM such that they look to be originate from the VM host to the network hosts in the same LAN as that (e.g. its default gateway). Technically it does not even prevent traffics from the those hosts to reach the VM (but just that the replying traffics from the VM will not appear to be replies to them).
  What actually "isolates" the VM is, AFAIK, the fact that `-netdev user` is a userspace network stack within qemu itself: https://wiki.qemu.org/Documentation/Networking#User_Networking_.28SLIRP.29, which is why you won't see anything new pops up in `ip l` on the host. It's just that many user will just use that for a "NAT-approach" setup (because it's the default), so it become like a synonym to NAT in the qemu context. The truth is you can use a bridge without a physical slave and relies on IP forwarding for Internet connection in the VMs.
  `-netdev` must be with a dash, really. That's the QEMU command line option.
  generally this was the answer but required a tweak to command $ sudo kvm -m 3G -hdb /dev/sde -net nic -net user,hostfwd=tcp::1810-:22

You can use a bridge without enslaving any of your physical Ethernet interfaces on the VM host to it.

Say we stick with the choice of subnet (which is NOT necessary):

# ip l add natbr0 type bridge
# ip a add dev natbr0

Then create the following file:

$ echo 'allow natbr0' | sudo tee /etc/qemu/bridge.conf 
allow natbr0

Then start qemu with the e.g. -nic bridge,br=natbr0 or -netdev bridge,br=natbr0,id=nb0 -device virtio-net,netdev=nb0, which will tap your VM to the bridge in a dynamic manner (i.e. the tap interface will be removed once the the VM is shut down).

You'll need to configure static IP on the VM as well:

# ip a add dev ens3
# ip r add default via

Unless you also set up a DHCP server (with e.g. dnsmasq) on the host. Don't forget to configure the DNS server to use inside the VM as well.

Note that VMs that make use of the same bridge can communicate with each other unless you block such communication by some means (e.g. ebtables).

The default route (and DNS server to use) are only necessary if you want the VM to be able to reach the "outside". If you only need it to be able to communicate with the VM host, you should skip the second command and can stop reading. (Well, read the P.S.)

It would be probably be best to configure e.g. dnsmasq on the host to be a DNS forwarder if you do not want to use a specific "public" DNS server in the VM, although using DNAT to forward DNS requests to e.g. should work for basic ones.

Then you'll need to enable IP forwarding:

# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1

If you want to avoid IP forwarding from/to certain network interface (e.g. tun0) for security reasons, you'll need to set up a firewall. For example:

# iptables -A FORWARD -i tun0 -j DROP
# iptables -A FORWARD -o tun0 -j DROP

Since you have (VPN) tunnel routes that practically overrides the default route, the traffics from the VM to the Internet will go into the tunnel as well (unless you added the example rules above). If you want the traffics to go e.g. via your router, you'll need policy routing. For example:

# ip ru add iif natbr0 lookup table 123
# ip r add dev wlan0 table 123 # probably optional
# ip r add default via table 123

You can also prevent your VMs from being able to reach your LAN hosts:

# iptables -A FORWARD -i natbr0 -d -j DROP

Make exceptions (note the -I) if you are going to redirect DNS requests to your router:

# iptables -I FORWARD -i natbr0 -d -p tcp --dport 53 -j ACCEPT
# iptables -I FORWARD -i natbr0 -d -p udp --dport 53 -j ACCEPT

Finally, configure iptables to perform SNAT dynamically (as per the outbound interface) for your VM subnet:

# iptables -t nat -A POSTROUTING -s -j MASQUERADE

Note that this is NOT intended to and will not exactly prevent certain traffics from the "outside" (your physical LAN hosts or the Internet; the VM host does not count) to be able to reach your VMs. It merely breaks the communication as a side effect when the source address of replying traffics from the VMs are changed before their forwarded out. For proper isolation, you will need (additional) appropriate rules in the FORWARD chain. Consider having a "stateful" setup there if you have such need.

Additionally, you can redirect DNS requests to the host from the VMs to your router:

iptables -t nat -A PREROUTING -d -p udp --dport 53 -j DNAT --to-destination
iptables -t nat -A PREROUTING -d -p tcp --dport 53 -j DNAT --to-destination

Which will more or less allow you to use as the DNS server in the VM.

P.S. All the manipulations above (except the creation of / write to /etc/qemu/bridge.conf) are volatile, i.e. they will be gone once you reboot (unless your distro does something silly). I'm not going to dive into how you can make them persistent, since there are different ways/approaches and it can be distro-specific.

Tom Yan
  had to create /etc/qemu/ dir....Not sure i am spinning up the vm correctly. Tried `sudo kvm -m 3G -hdb /dev/sde -netdev bridge,br=natbr0,id=nb0 -device virtio-net,netdev=nb0` and `$ sudo kvm -m 3G -hdb /dev/sde -nic bridge,br=natbr0,id=usernet0` and `$ sudo kvm -m 3G -hdb /dev/sde -nic bridge,br=natbr0,id=usernet0` vm started
  on vm: `$ip a ...3: natbr0: ...state UNKOWN group default qlen 1000` _ifconfig_ `natbr0: inet netmask broadcast` _$sudo ip r add default via `Error: any valid address is expected rather than "`
  That was a typo. `/24` shouldn't be used in that command.
  There was another typo: the command `ip a add` should have something like `dev ens3` instead. (Check inside the VM with `ip l` to find out the interface name to use. Make sure you are aware that *the whole command block* that consists of the command should be run *on the VM*.)