KVM host // networking

requirements

that should be enabled already

sysctl net.ipv4.ip_forward

also assuming that the forward chain in the filter table accepts the traffic to be NAT'ed

nft list ruleset | less
# ==> table inet chain forward

–either– casual setup

virsh net-list --all

# debian - enabled manually
virsh net-start default
virsh net-autostart default

–or– diy nat & bridge

the alternative is to NAT yourself

virsh net-destroy default
virsh net-autostart default --disable
# no need to undefine

set up a bridge

debian

vi /etc/network/interfaces
auto virbr0
iface virbr0 inet static
        address 192.168.122.1/24
        bridge_ports none

slackware

brctl addbr dummybr0
ifconfig dummybr0 192.168.122.1/24 up

shared

and set up NAT

vi /etc/nftables.conf
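table ip nat {
        chain postrouting {
                ...
                # kvm - only NAT what leaves the guest subnet
                # (oif needs the interface to exist when the ruleset is loaded)
                ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 oif eth0 masquerade;
                ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 oif wlan0 masquerade;
        }
}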

ready to go

check

brctl show virbr0
ifconfig virbr0

#iptables -t nat -nvL
nft list ruleset | less
# ==> table ip nat

netstat -lntup | grep 192.168.122.1:53

and finally point the guests at it

# --network bridge=virbr0,model=virtio \

vi /data/guests/$guest/$guest.xml

    <interface type='bridge'>
      <source bridge='virbr0'/>
      <model type='virtio'/>
    </interface>

additional notes

diy stub dns

cp -pi /etc/systemd/resolved.conf /etc/systemd/resolved.conf.dist
vi /etc/systemd/resolved.conf

DNSStubListenerExtra=192.168.122.1

systemctl restart systemd-resolved.service
netstat -lntup | grep -E ':53[[:space:]]'
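
added example, not part of the original notes: shell helpers that read `nft list ruleset` and `netstat -lntup` output on stdin and report which interfaces masquerade the guest subnet, masquerade rules without a source restriction, the forward policy, and DNS listeners bound to a wildcard address instead of 192.168.122.1. function names and sample outputs are constructed for illustration.

```shell
# added example (not from the original page); function names are hypothetical
GUEST_NET="192.168.122.0/24"    # guest subnet used on this page

# print each interface that masquerades traffic sourced from GUEST_NET
masq_oifs() {
    awk -v net="$GUEST_NET" '/masquerade/ && index($0, "ip saddr " net) {
        for (i = 1; i < NF; i++)
            if ($i == "oif" || $i == "oifname") { gsub(/"/, "", $(i+1)); print $(i+1) }
    }'
}

# count masquerade rules with no source restriction (they NAT any forwarded traffic)
unscoped_masq() { awk '/masquerade/ && !/ip saddr/ { n++ } END { print n + 0 }'; }

# print the policy of the chain hooked on forward
forward_policy() {
    awk '/hook forward/ { for (i = 1; i < NF; i++)
        if ($i == "policy") { sub(/;/, "", $(i+1)); print $(i+1); exit } }'
}

# print port-53 listeners bound to a wildcard address (reachable on every interface)
wildcard_dns() { awk '$4 ~ /^(0\.0\.0\.0|::):53$/ { print $1, $4 }'; }

# constructed sample of `nft list ruleset` output (not from a real host)
sample_ruleset() {
    cat <<'EOF'
table inet filter {
        chain forward {
                type filter hook forward priority filter; policy accept;
        }
}
table ip nat {
        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
                ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 oif "eth0" masquerade
                ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 oif "wlan0" masquerade
        }
}
EOF
}

# constructed sample of `netstat -lntup` output
sample_listeners() {
    cat <<'EOF'
tcp   0   0 127.0.0.53:53      0.0.0.0:*   LISTEN   612/systemd-resolve
udp   0   0 192.168.122.1:53   0.0.0.0:*            612/systemd-resolve
EOF
}
# on a live host: nft list ruleset | masq_oifs ; netstat -lntup | wildcard_dns
```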

resources

stub dns

https://unix.stackexchange.com/questions/445782/how-to-allow-systemd-resolved-to-listen-to-an-interface-other-than-loopback

https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSStubListenerExtra=


Copyright © 2024 Pierre-Philipp Braun