libvirtd 自动创建的那个 192.168.122.0 网段究竟能不能用来做 DNAT?有人实践成功了吗?
ecloud · yecloud · 2018-12-18 15:15:33 +08:00 · 3177 次点击这是一个创建于 2156 天前的主题,其中的信息可能已经有所发展或是发生改变。
看了不少网上的资料都说 OK
然而我自己的实验却是 DNAT 无法联通
现在怀疑是 libvirtd 自动生成的 MASQUERADE 规则的影响
因为所有 to x.x.x.x 和 to127.0.0.1 的 DNAT 都是可以的
nat 表现在是长成这样
[root@www ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
PREROUTING_direct all -- anywhere anywhere
PREROUTING_ZONES_SOURCE all -- anywhere anywhere
PREROUTING_ZONES all -- anywhere anywhere
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- anywhere anywhere
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
RETURN all -- 192.168.122.0/24 base-address.mcast.net/24
RETURN all -- 192.168.122.0/24 255.255.255.255
MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24
POSTROUTING_direct all -- anywhere anywhere
POSTROUTING_ZONES_SOURCE all -- anywhere anywhere
POSTROUTING_ZONES all -- anywhere anywhere
Chain OUTPUT_direct (1 references)
target prot opt source destination
Chain POSTROUTING_ZONES (1 references)
target prot opt source destination
POST_public all -- anywhere anywhere [goto]
POST_public all -- anywhere anywhere [goto]
POST_public all -- anywhere anywhere [goto]
Chain POSTROUTING_ZONES_SOURCE (1 references)
target prot opt source destination
Chain POSTROUTING_direct (1 references)
target prot opt source destination
SNAT all -- 192.168.122.0/24 anywhere to:x.x.x.x
Chain POST_public (3 references)
target prot opt source destination
POST_public_log all -- anywhere anywhere
POST_public_deny all -- anywhere anywhere
POST_public_allow all -- anywhere anywhere
Chain POST_public_allow (1 references)
target prot opt source destination
Chain POST_public_deny (1 references)
target prot opt source destination
Chain POST_public_log (1 references)
target prot opt source destination
Chain PREROUTING_ZONES (1 references)
target prot opt source destination
PRE_public all -- anywhere anywhere [goto]
PRE_public all -- anywhere anywhere [goto]
PRE_public all -- anywhere anywhere [goto]
Chain PREROUTING_ZONES_SOURCE (1 references)
target prot opt source destination
Chain PREROUTING_direct (1 references)
target prot opt source destination
DNAT tcp -- anywhere x.x.x.x tcp dpt:9722 to:x.x.x.x:9922
DNAT tcp -- anywhere x.x.x.x tcp dpt:9822 to:192.168.122.100:22
DNAT tcp -- anywhere x.x.x.x tcp dpt:http to:192.168.122.100:80
DNAT tcp -- anywhere x.x.x.x tcp dpt:9622 to:192.168.122.4:22
Chain PRE_public (3 references)
target prot opt source destination
PRE_public_log all -- anywhere anywhere
PRE_public_deny all -- anywhere anywhere
PRE_public_allow all -- anywhere anywhere
Chain PRE_public_allow (1 references)
target prot opt source destination
DNAT tcp -- anywhere anywhere mark match 0x64 to::9922
Chain PRE_public_deny (1 references)
target prot opt source destination
Chain PRE_public_log (1 references)
target prot opt source destination
然而我自己的实验却是 DNAT 无法联通
现在怀疑是 libvirtd 自动生成的 MASQUERADE 规则的影响
因为所有 to x.x.x.x 和 to127.0.0.1 的 DNAT 都是可以的
nat 表现在是长成这样
[root@www ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
PREROUTING_direct all -- anywhere anywhere
PREROUTING_ZONES_SOURCE all -- anywhere anywhere
PREROUTING_ZONES all -- anywhere anywhere
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- anywhere anywhere
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
RETURN all -- 192.168.122.0/24 base-address.mcast.net/24
RETURN all -- 192.168.122.0/24 255.255.255.255
MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24
POSTROUTING_direct all -- anywhere anywhere
POSTROUTING_ZONES_SOURCE all -- anywhere anywhere
POSTROUTING_ZONES all -- anywhere anywhere
Chain OUTPUT_direct (1 references)
target prot opt source destination
Chain POSTROUTING_ZONES (1 references)
target prot opt source destination
POST_public all -- anywhere anywhere [goto]
POST_public all -- anywhere anywhere [goto]
POST_public all -- anywhere anywhere [goto]
Chain POSTROUTING_ZONES_SOURCE (1 references)
target prot opt source destination
Chain POSTROUTING_direct (1 references)
target prot opt source destination
SNAT all -- 192.168.122.0/24 anywhere to:x.x.x.x
Chain POST_public (3 references)
target prot opt source destination
POST_public_log all -- anywhere anywhere
POST_public_deny all -- anywhere anywhere
POST_public_allow all -- anywhere anywhere
Chain POST_public_allow (1 references)
target prot opt source destination
Chain POST_public_deny (1 references)
target prot opt source destination
Chain POST_public_log (1 references)
target prot opt source destination
Chain PREROUTING_ZONES (1 references)
target prot opt source destination
PRE_public all -- anywhere anywhere [goto]
PRE_public all -- anywhere anywhere [goto]
PRE_public all -- anywhere anywhere [goto]
Chain PREROUTING_ZONES_SOURCE (1 references)
target prot opt source destination
Chain PREROUTING_direct (1 references)
target prot opt source destination
DNAT tcp -- anywhere x.x.x.x tcp dpt:9722 to:x.x.x.x:9922
DNAT tcp -- anywhere x.x.x.x tcp dpt:9822 to:192.168.122.100:22
DNAT tcp -- anywhere x.x.x.x tcp dpt:http to:192.168.122.100:80
DNAT tcp -- anywhere x.x.x.x tcp dpt:9622 to:192.168.122.4:22
Chain PRE_public (3 references)
target prot opt source destination
PRE_public_log all -- anywhere anywhere
PRE_public_deny all -- anywhere anywhere
PRE_public_allow all -- anywhere anywhere
Chain PRE_public_allow (1 references)
target prot opt source destination
DNAT tcp -- anywhere anywhere mark match 0x64 to::9922
Chain PRE_public_deny (1 references)
target prot opt source destination
Chain PRE_public_log (1 references)
target prot opt source destination
 |
1
ecloud OP 好吧,终于搞清楚了
网上那些资料都过时了,libvirtd 现在喜欢强行插入,把 firewalld 的规则挤到了后面,呵呵…… 吐槽 1: 都是作为 RedHat 的主打产品,你这俩程序就不能协调一下,非要-I 强行插入? 吐槽 2: virbir0 的配置能不能给个开关,至少给我们个 DMZ 模式用啊(或者已经有了我不知道) Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 11 2013 ACCEPT all -- * * 0.0.0.0/0 192.168.122.0/24 8 1981 ACCEPT all -- * * 192.168.122.0/24 0.0.0.0/0 15339 47M ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED 21126 1360K ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0 0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0 56 2924 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable 0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited |
 |
2
yuedingwangji 2018-12-18 20:00:05 +08:00 via Android
我是直接桥接,iptables 都关了
|
 |
3
lolizeppelin 2018-12-19 10:05:10 +08:00
可以关阿 有个 xml 删了就行了
|
Select Language