libvirtd 自动创建的那个 192.168.122.0 网段究竟能不能用来做 DNAT?有人实践成功了吗?

2018-12-18 15:15:33 +08:00
 ecloud
看了不少网上的资料都说 OK
然而我自己的实验却是 DNAT 无法联通
现在怀疑是 libvirtd 自动生成的 MASQUERADE 规则的影响
因为所有 to x.x.x.x 和 to127.0.0.1 的 DNAT 都是可以的
nat 表现在是长成这样
[root@www ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
PREROUTING_direct all -- anywhere anywhere
PREROUTING_ZONES_SOURCE all -- anywhere anywhere
PREROUTING_ZONES all -- anywhere anywhere

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- anywhere anywhere

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
RETURN all -- 192.168.122.0/24 base-address.mcast.net/24
RETURN all -- 192.168.122.0/24 255.255.255.255
MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24
POSTROUTING_direct all -- anywhere anywhere
POSTROUTING_ZONES_SOURCE all -- anywhere anywhere
POSTROUTING_ZONES all -- anywhere anywhere

Chain OUTPUT_direct (1 references)
target prot opt source destination

Chain POSTROUTING_ZONES (1 references)
target prot opt source destination
POST_public all -- anywhere anywhere [goto]
POST_public all -- anywhere anywhere [goto]
POST_public all -- anywhere anywhere [goto]

Chain POSTROUTING_ZONES_SOURCE (1 references)
target prot opt source destination

Chain POSTROUTING_direct (1 references)
target prot opt source destination
SNAT all -- 192.168.122.0/24 anywhere to:x.x.x.x

Chain POST_public (3 references)
target prot opt source destination
POST_public_log all -- anywhere anywhere
POST_public_deny all -- anywhere anywhere
POST_public_allow all -- anywhere anywhere

Chain POST_public_allow (1 references)
target prot opt source destination

Chain POST_public_deny (1 references)
target prot opt source destination

Chain POST_public_log (1 references)
target prot opt source destination

Chain PREROUTING_ZONES (1 references)
target prot opt source destination
PRE_public all -- anywhere anywhere [goto]
PRE_public all -- anywhere anywhere [goto]
PRE_public all -- anywhere anywhere [goto]

Chain PREROUTING_ZONES_SOURCE (1 references)
target prot opt source destination

Chain PREROUTING_direct (1 references)
target prot opt source destination
DNAT tcp -- anywhere x.x.x.x tcp dpt:9722 to:x.x.x.x:9922
DNAT tcp -- anywhere x.x.x.x tcp dpt:9822 to:192.168.122.100:22
DNAT tcp -- anywhere x.x.x.x tcp dpt:http to:192.168.122.100:80
DNAT tcp -- anywhere x.x.x.x tcp dpt:9622 to:192.168.122.4:22

Chain PRE_public (3 references)
target prot opt source destination
PRE_public_log all -- anywhere anywhere
PRE_public_deny all -- anywhere anywhere
PRE_public_allow all -- anywhere anywhere

Chain PRE_public_allow (1 references)
target prot opt source destination
DNAT tcp -- anywhere anywhere mark match 0x64 to::9922

Chain PRE_public_deny (1 references)
target prot opt source destination

Chain PRE_public_log (1 references)
target prot opt source destination
3185 次点击
所在节点    Linux
3 条回复
ecloud
2018-12-18 18:42:21 +08:00
好吧,终于搞清楚了
网上那些资料都过时了,libvirtd 现在喜欢强行插入,把 firewalld 的规则挤到了后面,呵呵……
吐槽 1: 都是作为 RedHat 的主打产品,你这俩程序就不能协调一下,非要-I 强行插入?
吐槽 2: virbir0 的配置能不能给个开关,至少给我们个 DMZ 模式用啊(或者已经有了我不知道)

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
11 2013 ACCEPT all -- * * 0.0.0.0/0 192.168.122.0/24
8 1981 ACCEPT all -- * * 192.168.122.0/24 0.0.0.0/0
15339 47M ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
21126 1360K ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
56 2924 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
yuedingwangji
2018-12-18 20:00:05 +08:00
我是直接桥接,iptables 都关了
lolizeppelin
2018-12-19 10:05:10 +08:00
可以关阿 有个 xml 删了就行了

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/518635

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX