t09's questions

What is the correct way to setup NAT networking between KVM vm and host?

KVM vm:

No firewall Installed

$ sudo arp-scan -r 5 -t 1000 --interface=eth0 --localnet

10.0.2.2     52:55:0a:00:02:02    locally administered
10.0.2.3     52:55:0a:00:02:03    locally administered

$ ip r

default via 10.0.2.2 dev eth0 proto dhcp metric 100
10.0.2.0/24 dev eth0 proto kernel scope link src 10.0.2.15 metric 100

ifconfig

eth0: inet 10.0.2.15 netmask 255.255.255.0 broacast 10.0.2.255
      ether 52:54:00:12:34:56
lo: inet 127.0.0.1 netmask 255.0.0.0
      inet6 ::1

Host:

:~$ ip r

0.0.0.0/1 via 10.211.1.10 dev tun0 
default via 192.168.1.1 dev wlan0 proto dhcp metric 600 
10.21xxxxxxxx dev tun0 proto kernel scope link src 10.21xxxxx 
xxxxxxxxxxxx dev wlan0 
128.0.0.0/1 via 10.211.1.10 dev tun0 
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.172 metric 600 
192.168.4.0/22 dev eth0 proto kernel scope link src 192.168.4.8 metric 100 

:~$ ifconfig

 eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
    inet 10.0.2.3  netmask 255.0.0.0  broadcast 10.255.255.255
    inet6 fe80::76c8:79b4:88d4:7f5c  prefixlen 64  scopeid 0x20<link>
    ether ec:8e:b5:71:33:6e  txqueuelen 1000  (Ethernet)
    RX packets 1700  bytes 194730 (190.1 KiB)
    RX errors 0  dropped 0  overruns 0  frame 0
    TX packets 2862  bytes 246108 (240.3 KiB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    device interrupt 16  memory 0xe1000000-e1020000  

 lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
    inet 127.0.0.1  netmask 255.0.0.0
    inet6 ::1  prefixlen 128  scopeid 0x10<host>
    loop  txqueuelen 1000  (Local Loopback)
    RX packets 13251  bytes 7933624 (7.5 MiB)
    RX errors 0  dropped 0  overruns 0  frame 0
    TX packets 13251  bytes 7933624 (7.5 MiB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
    inet 10.211.1.69  netmask 255.255.255.255  destination 10.211.1.70
    inet6 fe80::a920:941c:ffa8:5579  prefixlen 64  scopeid 0x20<link>
    unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
    RX packets 4348  bytes 2242726 (2.1 MiB)
    RX errors 0  dropped 0  overruns 0  frame 0
    TX packets 3823  bytes 404190 (394.7 KiB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
    inet 192.168.1.172  netmask 255.255.255.0  broadcast 192.168.1.255
    inet6 fe80::651b:5014:7929:9ba3  prefixlen 64  scopeid 0x20<link>
    ether d8:55:a3:d5:d1:30  txqueuelen 1000  (Ethernet)
    RX packets 114455  bytes 117950099 (112.4 MiB)
    RX errors 0  dropped 0  overruns 0  frame 0
    TX packets 67169  bytes 14855011 (14.1 MiB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0 

~$ sudo arp-scan -r 5 -t 1000 --localnet

just hangs......

Host can not ping 10.0.2.2

No firewall enable

Tried

$ sudo ip route add default via 10.0.2.0
$ sudo ip route add default via 10.0.2.2
$ sudo ip route add default via 10.0.2.0/24

Can NAT work without virsh ?

Can NAT be fixed from command line only ?

Update:

$ sudo ip link add natbr0 type bridge
$ sudo ip link set dev natbr0 up
$ sudo ip link set dev eth0 up
$ sudo ip link set dev eth0 master natbr0

that works to bridge eth0 slave to kvm - vm can ping other computers on the network. but not the host @Tom Yan answer combined with archlinux-Network_bridge created above commands that can ping other network ip's

So i tried to change working bridge connection to allow host and kvm to talk.

Goal: host$ ping kvm

$ sudo ip link add natbr0 type bridge
$ sudo ip link set dev natbr0 up
$ sudo ip a add 10.0.2.1/24 dev natbr0
$ sudo kvm -m 3G -hdb /dev/sde  -nic bridge,br=natbr0
kvm$ sudo ip link add natbr0 type bridge
kvm$ sudo ip a add 10.0.2.2
kvm$ sudo ip link set dev natbr0 up
kvm can ping it self 

$ ping 10.0.2.2

PING 10.0.2.2 (10.0.2.2) 56(84) bytes of data
64 bytes from 10.0.2.2: icmp_seq=1 ttl=64 time=0.027 ms

but kvm$ping 10.0.2.1

Destination Host Unreachable

host$ ping 10.0.2.2

(just hangs)

Prefer command line to test the resilience of process/system bare bones vs a lot of scripts that can pose more vulnerability to failure. - command line works or not and errors are more easily traced, isolated and reproducible. Depending on linux flavor, certain scripts/parts of scripts (like those incorporated in xml alternative solutions offered) may work or not work. If bridging with kvm can be reproduced on any linux flavor by following commands above....then it seems possible that kvm NAT can also be achieved using cli commands - just to clarify the point of this post , cli steps to NAT kvm will be more standardized, so preferable.

generally @NikitaKipriyanov answer was the correct road, this was the answer but required a tweak to command

$ sudo kvm -m 3G -hdb /dev/sde -net nic -net user,hostfwd=tcp::1810-:22

using command tweak vm can communicate with internet like default and also communicate with host via ssh. credit to @NikitaKipriyanov and @cnst for the tweak https://stackoverflow.com/a/54120040

User will need to ssh using port 1810 using localhost address

$ ssh p@localhost -p 1810

• Debian 10 desktop with persistence

root@debian:~# df -h
Filesystem      Size  Used Avail Use% Mounted on
udev            3.8G     0  3.8G   0% /dev
tmpfs           767M   19M  749M   3% /run
/dev/sdb1       2.9G  2.9G     0 100% /run/live/persistence/sdb1
/dev/loop0      2.6G  2.6G     0 100% /run/live/rootfs/filesystem.squashfs
tmpfs           3.8G     0  3.8G   0% /run/live/overlay
/dev/sdb3       4.9G  4.6G   32M 100% /run/live/persistence/sdb3
overlay         4.9G  4.6G   32M 100% /
tmpfs           3.8G     0  3.8G   0% /dev/shm
tmpfs           5.0M  4.0K  5.0M   1% /run/lock
tmpfs           3.8G     0  3.8G   0% /sys/fs/cgroup
tmpfs           3.8G   56K  3.8G   1% /tmp
tmpfs           767M  6.8M  761M   1% /run/user/1000
tmpfs           767M  8.0K  767M   1% /run/user/0
/dev/sda2       239G  229G   10G  96% /media/root/741229F01229B7CE
/dev/sdb4       2.0G   61M  2.0G   3% /media/root/cache-apt

• apt-get update executes without a single error

• Something happened to firefox-esr on this system.

• sudo apt install -y python3-venv

  Depends: python3-distutils (>= 3.7.2-1~) but it is not going to be installed
  

1. debian requires firefox-esr or chromium to be installed. This causing problems with venv install.
2. Fix broken firefox-esr:

 :~# apt --fix-broken install

The following packages will be upgraded:
firefox-esr
1 upgraded, 0 newly installed, 0 to remove and 7 not upgraded.
66 not fully installed or removed.
Need to get 56.0 MB of archives.
After this operation, 19.5 kB of additional disk space will be used.
E: You don't have enough free space in /var/cache/apt/archives/.

• Try apt cleaning options

sudo apt-get autoclean
sudo apt-get autoremove 
sudo apt-get clean

• Try re-route the location where .debs are stored:

Link: re-route the location where .debs are stored

mkdir /media/apt-mount/
mount /dev/sdb4 /media/root/cache-apt/
sudo mv -i /var/cache/apt /media/apt-mount/
ln -s /media/apt-mount/apt/ /var/cache/apt

apt-get update still executes without any error msg

apt --fix-broken install still causes

E: You don't have enough free space in /var/cache/apt/archives/.

How to fix not enough free space error ?

Two debian machines

Debian 10 Kali Linux 2020 rolling

lak:~# sudo ssh -XC [email protected]

works to forward specific programs like firefox, nautilus

connected via ethernet lan

Things noticed

• Nautilus works with only a slight lag compared to local desktop x display of nautilus,

• Firefox lags so user can not enter settings, unsuably slow response, hangs on X ing out of browser window.

• GNUcash works perfectly - no lag no problems closing or 'X-ing' out

• using the ssh -C switch for compression but that does not help.

• two network cards on both machines so both machines can apt-get update while also connected by ssh on separate eth0 card. so both machines have tested internet connection

Any suggestions to make programs like firefox usable through ssh forwarding?