V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
Distributions
Ubuntu
Fedora
CentOS
中文资源站
网易开源镜像站
ecloud
V2EX  ›  Linux

libvirtd 自动创建的那个 192.168.122.0 网段究竟能不能用来做 DNAT?有人实践成功了吗?

  •  
  •   ecloud ·
    yecloud · 2018-12-18 15:15:33 +08:00 · 3182 次点击
    这是一个创建于 2169 天前的主题,其中的信息可能已经有所发展或是发生改变。
    看了不少网上的资料都说 OK
    然而我自己的实验却是 DNAT 无法联通
    现在怀疑是 libvirtd 自动生成的 MASQUERADE 规则的影响
    因为所有 to x.x.x.x 和 to127.0.0.1 的 DNAT 都是可以的
    nat 表现在是长成这样
    [root@www ~]# iptables -L -t nat
    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    PREROUTING_direct all -- anywhere anywhere
    PREROUTING_ZONES_SOURCE all -- anywhere anywhere
    PREROUTING_ZONES all -- anywhere anywhere

    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    OUTPUT_direct all -- anywhere anywhere

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination
    RETURN all -- 192.168.122.0/24 base-address.mcast.net/24
    RETURN all -- 192.168.122.0/24 255.255.255.255
    MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
    MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
    MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24
    POSTROUTING_direct all -- anywhere anywhere
    POSTROUTING_ZONES_SOURCE all -- anywhere anywhere
    POSTROUTING_ZONES all -- anywhere anywhere

    Chain OUTPUT_direct (1 references)
    target prot opt source destination

    Chain POSTROUTING_ZONES (1 references)
    target prot opt source destination
    POST_public all -- anywhere anywhere [goto]
    POST_public all -- anywhere anywhere [goto]
    POST_public all -- anywhere anywhere [goto]

    Chain POSTROUTING_ZONES_SOURCE (1 references)
    target prot opt source destination

    Chain POSTROUTING_direct (1 references)
    target prot opt source destination
    SNAT all -- 192.168.122.0/24 anywhere to:x.x.x.x

    Chain POST_public (3 references)
    target prot opt source destination
    POST_public_log all -- anywhere anywhere
    POST_public_deny all -- anywhere anywhere
    POST_public_allow all -- anywhere anywhere

    Chain POST_public_allow (1 references)
    target prot opt source destination

    Chain POST_public_deny (1 references)
    target prot opt source destination

    Chain POST_public_log (1 references)
    target prot opt source destination

    Chain PREROUTING_ZONES (1 references)
    target prot opt source destination
    PRE_public all -- anywhere anywhere [goto]
    PRE_public all -- anywhere anywhere [goto]
    PRE_public all -- anywhere anywhere [goto]

    Chain PREROUTING_ZONES_SOURCE (1 references)
    target prot opt source destination

    Chain PREROUTING_direct (1 references)
    target prot opt source destination
    DNAT tcp -- anywhere x.x.x.x tcp dpt:9722 to:x.x.x.x:9922
    DNAT tcp -- anywhere x.x.x.x tcp dpt:9822 to:192.168.122.100:22
    DNAT tcp -- anywhere x.x.x.x tcp dpt:http to:192.168.122.100:80
    DNAT tcp -- anywhere x.x.x.x tcp dpt:9622 to:192.168.122.4:22

    Chain PRE_public (3 references)
    target prot opt source destination
    PRE_public_log all -- anywhere anywhere
    PRE_public_deny all -- anywhere anywhere
    PRE_public_allow all -- anywhere anywhere

    Chain PRE_public_allow (1 references)
    target prot opt source destination
    DNAT tcp -- anywhere anywhere mark match 0x64 to::9922

    Chain PRE_public_deny (1 references)
    target prot opt source destination

    Chain PRE_public_log (1 references)
    target prot opt source destination
    3 条回复    2018-12-19 10:05:10 +08:00
    ecloud
        1
    ecloud  
    OP
       2018-12-18 18:42:21 +08:00
    好吧,终于搞清楚了
    网上那些资料都过时了,libvirtd 现在喜欢强行插入,把 firewalld 的规则挤到了后面,呵呵……
    吐槽 1: 都是作为 RedHat 的主打产品,你这俩程序就不能协调一下,非要-I 强行插入?
    吐槽 2: virbir0 的配置能不能给个开关,至少给我们个 DMZ 模式用啊(或者已经有了我不知道)

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    11 2013 ACCEPT all -- * * 0.0.0.0/0 192.168.122.0/24
    8 1981 ACCEPT all -- * * 192.168.122.0/24 0.0.0.0/0
    15339 47M ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
    21126 1360K ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
    0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
    56 2924 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
    0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
    0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
    0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
    yuedingwangji
        2
    yuedingwangji  
       2018-12-18 20:00:05 +08:00 via Android
    我是直接桥接,iptables 都关了
    lolizeppelin
        3
    lolizeppelin  
       2018-12-19 10:05:10 +08:00
    可以关阿 有个 xml 删了就行了
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   1173 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 27ms · UTC 18:38 · PVG 02:38 · LAX 10:38 · JFK 13:38
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.