I am running a guest under QEMU on my computer with the following configuration:
/usr/local/kvm/bin/qemu-system-x86_64 -enable-kvm -cpu host -smp 8 -hda ${TEST_VIRT_ENV_IMAGE} -m 4096 \
    -netdev user,id=user.0 -device e1000,netdev=user.0 \
    -net nic,model=e1000,vlan=1,macaddr=DE:AD:1E:00:00:01 \
    -net tap,vlan=1,ifname=tapvm01,script=no,downscript=no \
    -net nic,model=e1000,vlan=2,macaddr=DE:AD:1E:00:00:02 \
    -net tap,vlan=2,ifname=tapvm02,script=no,downscript=no
So my guest's ifconfig looks like this:
#: ifconfig
eth0 //.. not necessary, used only for programming/testing
eth1 //.. not necessary, used only for programming/testing
eth2 Link encap:Ethernet HWaddr 52:54:00:12:34:56
inet addr:10.0.2.15 Bcast:10.0.2.255 Mask:255.255.255.0
inet6 addr: fe80::5054:ff:fe12:3456/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:60 errors:0 dropped:0 overruns:0 frame:0
TX packets:94 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:8611 (8.4 KiB) TX bytes:14290 (13.9 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:480 (480.0 B) TX bytes:480 (480.0 B)
So my guest uses eth2 with IP 10.0.2.15 to reach the Internet (and it can connect to the Internet).
And my host connects to the Internet through wlan0:
#: ifconfig
eth0 //not necessary (wireless connection)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:2171145 errors:0 dropped:0 overruns:0 frame:0
TX packets:2171145 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3992926361 (3.9 GB) TX bytes:3992926361 (3.9 GB)
virbr0 Link encap:Ethernet HWaddr 02:3b:2b:ef:3b:11
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
wlan0 Link encap:Ethernet HWaddr dc:85:de:76:72:d7
inet addr:10.5.11.237 Bcast:10.5.11.255 Mask:255.255.255.0
inet6 addr: fe80::de85:deff:fe76:72d7/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:658910 errors:0 dropped:0 overruns:0 frame:0
TX packets:1524898 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:645562692 (645.5 MB) TX bytes:464157688 (464.1 MB)
So I have the virbr0 interface to forward packets to my guest.
Next I tried to allow SSH login to the guest from my host:
iptables -t nat -I PREROUTING -d 10.5.11.237 -j DNAT --to-destination 10.0.2.15   # rewrite the destination of every packet arriving for the wlan0 address (all protocols, all ports)
iptables -t nat -I POSTROUTING -s 10.0.2.15 -j SNAT --to-source 10.5.11.237        # rewrite the source of packets leaving from the guest address
iptables -I FORWARD -p tcp -d 10.0.2.15 --dport 22 -j ACCEPT                       # let forwarded TCP/22 traffic to the guest through the FORWARD chain
But after that I cannot SSH to my guest:
#: ssh 10.0.2.15 -l root
ssh: connect to host 10.0.2.15 port 22: Connection timed out
But I can do this from my guest:
#: ssh 10.5.11.237 -l root
Welcome to Ubuntu....
So I have a route from the guest to the host, but not from the host to the guest. What am I missing in my configuration?
My iptables rules are as follows:
#: iptables -vL -n
Chain INPUT (policy ACCEPT 2785 packets, 5113K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.2.15 tcp dpt:22
0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 2776 packets, 5117K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68
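Added example, not part of the question above and not the poster's configuration: a POSIX shell script showing the two ways the host side can actually reach sshd in this guest. The point it illustrates is that 10.0.2.15 belongs to QEMU's user-mode (SLIRP) network, which exists only inside the qemu process: the host kernel has no interface or route for 10.0.2.0/24, so a DNAT to 10.0.2.15 has nowhere to deliver the packet, and connections the host itself originates traverse the nat OUTPUT chain rather than PREROUTING in any case. Either let SLIRP forward a host port into the guest (the `hostfwd` option of `-netdev user`), or DNAT to an address on a tap interface the kernel can route to, and restrict that DNAT to one TCP port so the rule does not also capture every other service listening on the host's address. Assumed values (not from the question): the host uplink is wlan0 at 10.5.11.237, the first tap is tapvm01 as in the QEMU command line, the host side of that tap gets the hypothetical address 192.168.10.1/24, the guest NIC attached to it (MAC DE:AD:1E:00:00:01, assumed to be eth0 inside the guest) gets 192.168.10.2, and sshd listens on the guest's port 22.

```shell
#!/bin/sh
# Added example, not code from the original question.
# Assumed values: wlan0 / 10.5.11.237 (host uplink), tapvm01 (first tap from the
# QEMU command line), 192.168.10.1 (host side of the tap), 192.168.10.2
# (hypothetical static address of the guest NIC DE:AD:1E:00:00:01, assumed eth0).

# Option A: stay on user-mode networking. SLIRP forwards a host-side port to the
# guest's port 22; no host iptables rules are involved because the 10.0.2.0/24
# network never leaves the qemu process. Bound to 127.0.0.1 so only the host
# itself can reach the forwarded port.
user_netdev_args() {
    host_port=${1:-2222}
    printf '%s' "-netdev user,id=user.0,hostfwd=tcp:127.0.0.1:${host_port}-:22 -device e1000,netdev=user.0"
}

# Option B: reach the guest through the tap, which the host kernel routes to.
# Prints the host-side commands instead of running them so they can be reviewed.
# The DNAT matches only TCP/<pub_port> arriving on wlan0, so other services on
# 10.5.11.237 (including the host's own sshd on 22) are left alone.
tap_dnat_rules() {
    wan_if=$1
    wan_ip=$2
    tap_if=$3
    host_tap_ip=$4
    guest_ip=$5
    pub_port=${6:-2222}
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
ip addr add ${host_tap_ip}/24 dev ${tap_if}
ip link set ${tap_if} up
iptables -t nat -A PREROUTING -i ${wan_if} -p tcp -d ${wan_ip} --dport ${pub_port} -j DNAT --to-destination ${guest_ip}:22
iptables -A FORWARD -i ${wan_if} -o ${tap_if} -p tcp -d ${guest_ip} --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ${tap_if} -o ${wan_if} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s ${guest_ip} -o ${wan_if} -j MASQUERADE
EOF
}

# Commands to run inside the guest on the NIC attached to tapvm01. The route to
# the Wi-Fi LAN is required: without it the guest would answer DNAT'd clients
# through its SLIRP default route and the connection would never complete.
guest_side_commands() {
    guest_if=$1
    guest_ip=$2
    host_tap_ip=$3
    lan_net=$4
    cat <<EOF
ip addr add ${guest_ip}/24 dev ${guest_if}
ip link set ${guest_if} up
ip route add ${lan_net} via ${host_tap_ip} dev ${guest_if}
EOF
}

# Run as root with "apply" to execute the host-side commands; otherwise print everything.
if [ "${1:-}" = "apply" ]; then
    tap_dnat_rules wlan0 10.5.11.237 tapvm01 192.168.10.1 192.168.10.2 2222 | sh -e
else
    echo "# host side (option B):"
    tap_dnat_rules wlan0 10.5.11.237 tapvm01 192.168.10.1 192.168.10.2 2222
    echo "# guest side (option B):"
    guest_side_commands eth0 192.168.10.2 192.168.10.1 10.5.11.0/24
    echo "# or, keeping user-mode networking (option A), QEMU arguments:"
    user_netdev_args 2222
    echo
fi
```

With option B, once tapvm01 carries 192.168.10.1 the host itself can simply run `ssh root@192.168.10.2`, no NAT involved; the PREROUTING rule is for other machines on the 10.5.11.0/24 network, which connect with `ssh -p 2222 root@10.5.11.237`. With option A the host connects with `ssh -p 2222 root@127.0.0.1`. A quick check before touching iptables at all: `ip route get 10.0.2.15` on the host shows the packet would leave through the default gateway on wlan0, not toward the VM, which is why the original DNAT can never reach the guest.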