Port forwarding from my host system (Ubuntu 22.04.3 LTS) to my guest VM (Ubuntu 22.04.3 LTS) works fine.
Found the solution. See the end for more details.
I'm still quite new to Linux, and this routing problem is too hard for me :-(. I tried several HowTos, but my connection attempts are refused. I have to use NAT on the host system because the system is hosted and I cannot use bridged mode and get an IP from the router / external DHCP server.
iptables-save -t nat
returns
*nat
:PREROUTING ACCEPT [56:4139]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.122.38:443
-A PREROUTING -d <<PUBLIC_IP_FROM_ISP>>/32 -p tcp -m tcp --dport 443 -m comment --comment "KVM 443 port forwarding to guest" -j DNAT --to-destination 192.168.122.38:443
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
If I check the open ports on the host system with nmap (nmap -sT -p- ), I get the following
Not shown: 65529 closed ports
PORT STATE SERVICE
22/tcp open ssh
4330/tcp open dey-sapi
9090/tcp open zeus-admin
44321/tcp open pmcd
44322/tcp open pmcdproxy
44323/tcp open pmwebapi
The same request, run on the host against my guest VM, returns all the open ports I need.
22/tcp open ssh
80/tcp open http
443/tcp open https
My goal is to set up separate VMs for our web solutions, so that I can easily migrate a system to another server, or take a simple snapshot before we do/test a major update.
I use the default NAT bridge to reserve an IP for my guest VM's MAC address, which was set during the initial KVM setup.
Thanks for all the help and support.
Update 01: additional iptables data:
sudo iptables -xvnL
Chain INPUT (policy DROP 1 packets, 52 bytes)
pkts bytes target prot opt in out source destination
508137 59430407 LIBVIRT_INP all -- * * 0.0.0.0/0 0.0.0.0/0
508088 59399010 ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
508088 59399010 ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
81 5972 ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
81 5972 ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
81 5972 ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
81 5972 ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4275 385908 ACCEPT tcp -- * virbr0 0.0.0.0/0 192.168.122.38 tcp dpt:443
6273 11957555 LIBVIRT_FWX all -- * * 0.0.0.0/0 0.0.0.0/0
6273 11957555 LIBVIRT_FWI all -- * * 0.0.0.0/0 0.0.0.0/0
4949 863499 LIBVIRT_FWO all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 2 packets, 80 bytes)
pkts bytes target prot opt in out source destination
507394 26565600 LIBVIRT_OUT all -- * * 0.0.0.0/0 0.0.0.0/0
507370 26534860 ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
507370 26534860 ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
66302 4131995 ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
66302 4131995 ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
66302 4131995 ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
66302 4131995 ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LIBVIRT_FWI (1 references)
pkts bytes target prot opt in out source destination
1324 11094056 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain LIBVIRT_FWO (1 references)
pkts bytes target prot opt in out source destination
4949 863499 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain LIBVIRT_FWX (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
Chain LIBVIRT_INP (1 references)
pkts bytes target prot opt in out source destination
28 2187 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
109 35546 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
Chain LIBVIRT_OUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:53
1 60 ACCEPT tcp -- * virbr0 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
109 36832 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68
1 60 ACCEPT tcp -- * virbr0 0.0.0.0/0 0.0.0.0/0 tcp dpt:68
Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
1 52 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
438270 21925333 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
69721 37466909 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3 120 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
3 120 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
14 728 ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
14 728 ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
438270 21925333 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
2798 477532 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
66222 4126075 ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
3 120 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
14 728 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-track-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
65549 3932940 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
711 195455 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
13 676 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9090
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination
Doug Smythies asked for one more:
sudo iptables -t nat -xvnL
Chain PREROUTING (policy ACCEPT 244 packets, 45721 bytes)
pkts bytes target prot opt in out source destination
1006 60836 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:192.168.122.38:443
0 0 DNAT tcp -- * * 0.0.0.0/0 <<PublicIP>> tcp dpt:443 /* 443 port forwarding */ to:192.168.122.38:443
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
286599 17352173 LIBVIRT_PRT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LIBVIRT_PRT (1 references)
pkts bytes target prot opt in out source destination
1 40 RETURN all -- * * 192.168.122.0/24 224.0.0.0/24
0 0 RETURN all -- * * 192.168.122.0/24 255.255.255.255
5 300 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
92 6992 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24
Update 02: qemu hook file for port forwarding when the specified guest OS is starting
/etc/libvirt/hooks/qemu
#!/bin/bash
# IMPORTANT: Change the "VM NAME" string to match your actual VM Name.
# In order to create rules to other VMs, just duplicate the below block and configure
# it accordingly.
if [ "${1}" = "Ubuntu_NextCloud" ]; then
# Update the following variables to fit your setup
GUEST_IP=192.168.122.38
GUEST_PORT1=8080
HOST_PORT1=80
GUEST_PORT2=4433
HOST_PORT2=443
if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
/sbin/iptables -D FORWARD -o virbr0 -p tcp -d $GUEST_IP --dport $GUEST_PORT1 -j ACCEPT
/sbin/iptables -t nat -D PREROUTING -p tcp --dport $HOST_PORT1 -j DNAT --to $GUEST_IP:$GUEST_PORT1
/sbin/iptables -D FORWARD -o virbr0 -p tcp -d $GUEST_IP --dport $GUEST_PORT2 -j ACCEPT
/sbin/iptables -t nat -D PREROUTING -p tcp --dport $HOST_PORT2 -j DNAT --to $GUEST_IP:$GUEST_PORT2
fi
if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
/sbin/iptables -I FORWARD -o virbr0 -p tcp -d $GUEST_IP --dport $GUEST_PORT1 -j ACCEPT
/sbin/iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT1 -j DNAT --to $GUEST_IP:$GUEST_PORT1
/sbin/iptables -I FORWARD -o virbr0 -p tcp -d $GUEST_IP --dport $GUEST_PORT2 -j ACCEPT
/sbin/iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT2 -j DNAT --to $GUEST_IP:$GUEST_PORT2
fi
fi
I needed to improve my qemu-hook script. It was missing the interface option for my NIC to the internet (in my case -i ens6), so all traffic on all interfaces was being rerouted to the VM.
#!/bin/bash
# Same hook as above, with every rule restricted to the internet-facing NIC (ens6 here)
if [ "${1}" = "<<YOUR_VMNAME>>" ]; then
# Update the following variables to fit your setup
GUEST_IP=192.168.122.XXX
GUEST_PORT1=80
HOST_PORT1=80
GUEST_PORT2=443
HOST_PORT2=443
if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
/sbin/iptables -D FORWARD -o virbr0 -p tcp -i ens6 -d $GUEST_IP --dport $GUEST_PORT1 -j ACCEPT
/sbin/iptables -t nat -D PREROUTING -p tcp -i ens6 --dport $HOST_PORT1 -j DNAT --to $GUEST_IP:$GUEST_PORT1
/sbin/iptables -D FORWARD -o virbr0 -p tcp -i ens6 -d $GUEST_IP --dport $GUEST_PORT2 -j ACCEPT
/sbin/iptables -t nat -D PREROUTING -p tcp -i ens6 --dport $HOST_PORT2 -j DNAT --to $GUEST_IP:$GUEST_PORT2
fi
if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
/sbin/iptables -I FORWARD -o virbr0 -p tcp -i ens6 -d $GUEST_IP --dport $GUEST_PORT1 -j ACCEPT
/sbin/iptables -t nat -I PREROUTING -p tcp -i ens6 --dport $HOST_PORT1 -j DNAT --to $GUEST_IP:$GUEST_PORT1
/sbin/iptables -I FORWARD -o virbr0 -p tcp -i ens6 -d $GUEST_IP --dport $GUEST_PORT2 -j ACCEPT
/sbin/iptables -t nat -I PREROUTING -p tcp -i ens6 --dport $HOST_PORT2 -j DNAT --to $GUEST_IP:$GUEST_PORT2
fi
fi
I hope this solution saves someone else some time :-).
Answer 1
I needed to improve my qemu-hook script. It was missing the interface option for my NIC to the internet (in my case -i ens6), so all traffic on all interfaces was being rerouted to the VM.
#!/bin/bash
# Hook block with every rule restricted to the internet-facing NIC (ens6 here)
if [ "${1}" = "<<YOUR_VMNAME>>" ]; then
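The nat dump in the question shows the trap directly: the first PREROUTING rule carries neither -i nor -d, so it rewrites port 443 on packets arriving on any interface, virbr0 included. The following audit script is an added example, not part of the question or of libvirt/ufw; it parses iptables-save output for PREROUTING DNAT rules that lack an inbound-interface match. The embedded dump is constructed from the rules quoted above plus one interface-scoped rule (the NIC name ens6 is an assumption) to show what passes the check.

```shell
#!/bin/sh
# Added example (not from the question): audit an iptables-save nat dump for
# PREROUTING DNAT rules that carry no "-i <interface>" match. Such a rule
# rewrites matching packets arriving on every interface, the guest bridge
# virbr0 included, not only those arriving from the ISP-facing NIC.

# Constructed sample: the nat dump quoted in the question, plus one
# interface-scoped rule (assumed NIC name ens6) to show the contrast.
SAMPLE_NAT_DUMP='*nat
:PREROUTING ACCEPT [56:4139]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LIBVIRT_PRT - [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.122.38:443
-A PREROUTING -d <<PUBLIC_IP_FROM_ISP>>/32 -p tcp -m tcp --dport 443 -m comment --comment "KVM 443 port forwarding to guest" -j DNAT --to-destination 192.168.122.38:443
-A PREROUTING -i ens6 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.122.38:80
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT'

# Read iptables-save text on stdin; print each PREROUTING DNAT rule that has
# no -i option, tagged with whether it is at least limited by a -d address.
unscoped_dnat() {
    awk '
        /^-A PREROUTING / && /-j DNAT/ {
            has_if = 0; has_dst = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-i") has_if = 1
                if ($i == "-d") has_dst = 1
            }
            if (!has_if) {
                printf "%s\t%s\n", (has_dst ? "NO-IFACE,dst-limited" : "NO-IFACE,any-dst"), $0
            }
        }'
}

# Number of flagged rules in the text given on stdin (handy in scripts).
count_unscoped() {
    unscoped_dnat | awk 'END { print NR }'
}

if [ "${1:-}" = "--live" ]; then
    # Audit the running system (iptables-save needs root).
    iptables-save -t nat | unscoped_dnat
else
    printf '%s\n' "$SAMPLE_NAT_DUMP" | unscoped_dnat
fi
```

Run without arguments it reports two of the three sample rules; with --live it audits the host's current nat table. A rule limited only by -d is still reachable from the guest network (a guest sending to the public IP hits it), so the -i restriction is the one that actually confines the forward to the ISP side.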
# Update the following variables to fit your setup
GUEST_IP=192.168.122.XXX
GUEST_PORT1=80
HOST_PORT1=80
GUEST_PORT2=443
HOST_PORT2=443
if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
/sbin/iptables -D FORWARD -o virbr0 -p tcp -i ens6 -d $GUEST_IP --dport $GUEST_PORT1 -j ACCEPT
/sbin/iptables -t nat -D PREROUTING -p tcp -i ens6 --dport $HOST_PORT1 -j DNAT --to $GUEST_IP:$GUEST_PORT1
/sbin/iptables -D FORWARD -o virbr0 -p tcp -i ens6 -d $GUEST_IP --dport $GUEST_PORT2 -j ACCEPT
/sbin/iptables -t nat -D PREROUTING -p tcp -i ens6 --dport $HOST_PORT2 -j DNAT --to $GUEST_IP:$GUEST_PORT2
fi
if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
/sbin/iptables -I FORWARD -o virbr0 -p tcp -i ens6 -d $GUEST_IP --dport $GUEST_PORT1 -j ACCEPT
/sbin/iptables -t nat -I PREROUTING -p tcp -i ens6 --dport $HOST_PORT1 -j DNAT --to $GUEST_IP:$GUEST_PORT1
/sbin/iptables -I FORWARD -o virbr0 -p tcp -i ens6 -d $GUEST_IP --dport $GUEST_PORT2 -j ACCEPT
/sbin/iptables -t nat -I PREROUTING -p tcp -i ens6 --dport $HOST_PORT2 -j DNAT --to $GUEST_IP:$GUEST_PORT2
fi
fi
I hope this solution saves someone else some time :-).
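For readers adapting the answer, here is an added example of a qemu hook written in the same spirit; it is not the poster's script and not part of libvirt. It keeps the fix from the answer (every DNAT and FORWARD rule pinned to the internet-facing NIC) and adds one refinement: rules are inserted only when iptables -C reports them absent, and deleted until gone, so repeated start/reconnect events cannot stack duplicate rules. The VM name "web", the NIC ens6, the guest address 192.168.122.38 and the port pairs are placeholders; DRY_RUN=1 prints the iptables commands instead of executing them.

```shell
#!/bin/sh
# Added example (not the poster's hook): libvirt qemu hook that forwards
# host ports to one guest. Install as /etc/libvirt/hooks/qemu (libvirt calls
# it as: qemu <vm name> <event> ...). Placeholders below are assumptions.
VM_NAME="${VM_NAME:-web}"
WAN_IF="${WAN_IF:-ens6}"                  # NIC facing the ISP
GUEST_IP="${GUEST_IP:-192.168.122.38}"
PORT_MAP="${PORT_MAP:-80:80 443:443}"     # space-separated host:guest pairs
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Run iptables, or just print the command line when DRY_RUN is set.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        "$IPTABLES" "$@"
    fi
}

# apply_rule add|del <table> <chain> <rule spec...>
apply_rule() {
    local action="$1" table="$2" chain="$3"
    shift 3
    case "$action" in
        add)
            # -C exits non-zero when the rule is absent; insert only then
            if [ -n "${DRY_RUN:-}" ] || ! "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
                ipt -t "$table" -I "$chain" "$@"
            fi ;;
        del)
            if [ -n "${DRY_RUN:-}" ]; then
                ipt -t "$table" -D "$chain" "$@"
            else
                # remove every copy, in case an older hook left duplicates
                while "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; do
                    "$IPTABLES" -t "$table" -D "$chain" "$@"
                done
            fi ;;
    esac
}

# forward_port add|del <host_port> <guest_port>
forward_port() {
    local action="$1" host_port="$2" guest_port="$3"
    # nat: rewrite the destination only for packets entering via the WAN NIC
    apply_rule "$action" nat PREROUTING -i "$WAN_IF" -p tcp --dport "$host_port" \
        -j DNAT --to-destination "$GUEST_IP:$guest_port"
    # filter: let the rewritten packet cross from the WAN NIC into the bridge
    apply_rule "$action" filter FORWARD -i "$WAN_IF" -o virbr0 -p tcp \
        -d "$GUEST_IP" --dport "$guest_port" -j ACCEPT
}

# hook_main <vm name> <event>; other VMs and other events are ignored
hook_main() {
    local vm="$1" event="$2" pair
    [ "$vm" = "$VM_NAME" ] || return 0
    case "$event" in
        stopped|reconnect)
            for pair in $PORT_MAP; do forward_port del "${pair%:*}" "${pair#*:}"; done ;;
    esac
    case "$event" in
        start|reconnect)
            for pair in $PORT_MAP; do forward_port add "${pair%:*}" "${pair#*:}"; done ;;
    esac
}

if [ $# -ge 2 ]; then
    hook_main "$1" "$2"
fi
```

Because the DNAT is matched on -i, connections the host makes to its own public address are no longer forwarded (they pass through OUTPUT, not PREROUTING), which is the intended consequence of the fix; only traffic that really arrives from the ISP side reaches the guest.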