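VM installed with virt-manager cannot connect to the network

After installing Rocky 9.6 minimal with virt-manager, the virtual machine cannot connect to the network.

The libvirtd service is running, dnsmasq has been started as well, and the firewalld firewall is not running, but the VM just cannot get an IP.

With VMware it can get online. What is going on?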

❯ sudo systemctl status libvirtd
[sudo] hsa 的密码:
● libvirtd.service - libvirt legacy monolithic daemon
     Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; preset: disabled)
     Active: active (running) since Wed 2025-11-19 21:03:49 CST; 1h 28min ago
 Invocation: 06e41195fa224d11b72da7757bd16f21
TriggeredBy: ● libvirtd-admin.socket
             ● libvirtd-ro.socket
             ● libvirtd.socket
       Docs: man:libvirtd(8)
             https://libvirt.org/
   Main PID: 92749 (libvirtd)
      Tasks: 25 (limit: 32768)
     Memory: 48.5M (peak: 80.3M)
        CPU: 3.345s
     CGroup: /system.slice/libvirtd.service
             ├─ 1028 /usr/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
             ├─ 1029 /usr/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
             └─92749 /usr/bin/libvirtd --timeout 120

11月 19 22:32:15 cachyos-x8664 dnsmasq[1028]: using nameserver 119.29.29.29#53
11月 19 22:32:18 cachyos-x8664 dnsmasq[1028]: reading /etc/resolv.conf
11月 19 22:32:18 cachyos-x8664 dnsmasq[1028]: using nameserver 127.2.0.17#53
11月 19 22:32:18 cachyos-x8664 dnsmasq[1028]: using nameserver 119.29.29.29#53
11月 19 22:32:21 cachyos-x8664 dnsmasq[1028]: reading /etc/resolv.conf
11月 19 22:32:21 cachyos-x8664 dnsmasq[1028]: using nameserver 127.2.0.17#53
11月 19 22:32:21 cachyos-x8664 dnsmasq[1028]: using nameserver 119.29.29.29#53
11月 19 22:32:24 cachyos-x8664 dnsmasq[1028]: reading /etc/resolv.conf
11月 19 22:32:24 cachyos-x8664 dnsmasq[1028]: using nameserver 127.2.0.17#53
11月 19 22:32:24 cachyos-x8664 dnsmasq[1028]: using nameserver 119.29.29.29#53


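Is the VM using systemd-networkd?

Try this on the host:

iptables -w -t mangle -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill

Replace virbr0 with the name of the network interface your virt-manager uses.

The VM is not using systemd-networkd.

Adding the iptables rule didn't help either. This is so hard to sort out, and asking AI got me nowhere.

Then how about just assigning a static IP address manually.

By the way, do you have docker installed? How about taking a look at iptables-save?

Setting the IP manually works, but I can't reach the internet, even though I also set the DNS in /etc/resolv.conf.

I don't have docker installed.

I don't know what exactly "can't reach the internet" looks like for you. But take a look at iptables-save first.

Inside the VM I can't ping Baidu and can't download software with the package manager, but I can ping 8.8.8.8,

and the host can ping the VM.

After configuring iptables-save, it still can't get an IP via DHCP.

Oh, so it's name resolution that fails. Then try pinging the DNS server you configured in /etc/resolv.conf?

8.8.8.8 is the one configured in /etc/resolv.conf. Pinging other DNS servers fails; I can only ping the DNS server in /etc/resolv.conf.

Huh, is that so... Then could you post the output of iptables-save from the host?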

[root@cachyos-x8664 ~]# iptables-save
# Generated by iptables-save v1.8.11 (nf_tables) on Wed Nov 19 23:31:50 2025
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [544111:165741808]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Wed Nov 19 23:31:50 2025
# Generated by iptables-save v1.8.11 (nf_tables) on Wed Nov 19 23:31:50 2025
*filter
:INPUT DROP [248:10948]
:FORWARD DROP [157:12057]
:OUTPUT ACCEPT [162:8376]
:DROP_SPOOFING - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j DROP_SPOOFING
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A INPUT -p udp -m multiport --dports 53,67,68 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP_SPOOFING
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A DROP_SPOOFING -p udp -m udp --sport 53 -m string --hex-string "|00047f|" --algo bm --from 60 --to 180 -j DROP
-A DROP_SPOOFING -p udp -m udp --sport 53 -m string --hex-string "|000400000000|" --algo bm --from 60 --to 180 -j DROP
-A DROP_SPOOFING -p udp -m udp --sport 53 -m string --hex-string "|001000000000000000000000000000000000|" --algo bm --from 60 --to 180 -j DROP
-A DROP_SPOOFING -p udp -m udp --sport 53 -m string --hex-string "|001000000000000000000000000000000001|" --algo bm --from 60 --to 180 -j DROP
-A DROP_SPOOFING -p udp -m udp --sport 53 -m string --hex-string "|0010fc|" --algo bm --from 60 --to 180 -j DROP
-A DROP_SPOOFING -p udp -m udp --sport 53 -m string --hex-string "|0010fd|" --algo bm --from 60 --to 180 -j DROP
-A DROP_SPOOFING -p udp -m udp --sport 53 -m string --hex-string "|0010ff|" --algo bm --from 60 --to 180 -j DROP
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Wed Nov 19 23:31:50 2025
# Generated by iptables-save v1.8.11 (nf_tables) on Wed Nov 19 23:31:50 2025
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [2630:203608]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Nov 19 23:31:50 2025
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
[root@cachyos-x8664 ~]# 

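Seeing all those ufw entries, it's probably ufw doing this...

It may be caused by one of the two programs I installed, atrust and Sunlogin (向日葵); these two are the most likely culprits.

But I need them for work, so there's nothing I can do. I'll just have to use VMware :sob:

You can modify the rules yourself. For example, try changing it back with iptables -P FORWARD ACCEPT.

It really was an iptables problem. I just pasted the iptables-save output to an AI and had it write a script that reconfigures iptables; after running it and rebooting, the problem was solved.

Thank you for the help!!!

I thought I was stuck with VMware :sob: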
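
Why the symptoms in this thread differ by protocol, as an added example that is not part of any post: a small Python evaluator walks an abridged copy of the posted filter table for three constructed packets coming from the guest. It is a simplified sketch (first-match chain walking, only the match options listed in `FIELDS`, nf_tables rules only), and eth0 as the uplink is an assumption taken from the MASQUERADE rule in the dump.

```python
import shlex

# Abridged from the filter table of the iptables-save dump posted in the thread.
RULES = """\
:INPUT DROP
:FORWARD DROP
-A INPUT -j ufw-after-input
-A INPUT -p udp -m multiport --dports 53,67,68 -j ACCEPT
-A FORWARD -j ufw-before-forward
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-skip-to-policy-input -j DROP
"""
FIELDS = {"-p": "proto", "-i": "iif", "-o": "oif", "--sport": "sport", "--dport": "dport",
          "--dports": "dport", "--ctstate": "state", "--icmp-type": "icmp"}  # option -> field

def parse(text):
    policy, chains = {}, {}
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0].startswith(":"):
            policy[tok[0][1:]] = tok[1]
        elif tok[0] == "-A":  # every option in the excerpt takes exactly one value
            chains.setdefault(tok[1], []).append((dict(zip(tok[2::2], tok[3::2])), " ".join(tok)))
    return policy, chains

def matches(opts, pkt):
    return all(str(pkt.get(FIELDS[o])) in want.split(",")
               for o, want in opts.items() if o not in ("-m", "-j"))

def walk(chain, pkt, chains):  # first terminating rule in this chain or its jump targets
    for opts, rule in chains.get(chain, []):
        if matches(opts, pkt):
            tgt = opts["-j"]
            if tgt in ("ACCEPT", "DROP", "RETURN"):
                return (tgt, rule) if tgt != "RETURN" else None
            if hit := walk(tgt, pkt, chains):
                return hit

def verdict(chain, pkt):
    policy, chains = parse(RULES)
    return walk(chain, pkt, chains) or (policy[chain], f"policy of {chain}")

# Constructed first packets (no conntrack state yet); virbr0 is from the thread, eth0 is assumed.
PACKETS = {"dhcp": ("INPUT", {"proto": "udp", "sport": "68", "dport": "67", "iif": "virbr0"}),
           "dns": ("FORWARD", {"proto": "udp", "dport": "53", "iif": "virbr0", "oif": "eth0"}),
           "ping": ("FORWARD", {"proto": "icmp", "icmp": "8", "iif": "virbr0", "oif": "eth0"})}
print({name: verdict(*p) for name, p in PACKETS.items()})
```

The verdicts match the reports of failed DHCP and name resolution alongside a working ping to 8.8.8.8: the DHCP request is dropped in ufw-after-input before the later ACCEPT rule is reached, and forwarded DNS falls through to the FORWARD DROP policy. Rules scoped to virbr0 (DHCP and DNS on INPUT, forwarding for the guest network) would restore connectivity without making ACCEPT the FORWARD policy for every interface.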