I have 2 VMs running CentOS 7, configured as follows (ifconfig):

VM1: ifconfig
eth0: public ip
eth0:0: LAN IP 172.22.xx.x1

VM2: ifconfig
eth0: no public ip
eth0:0: LAN IP 172.22.xx.x2

I would like VM2 to be able to reach the internet. Is there a way to achieve this?
I have tried every combination of iptables (POSTROUTING, PREROUTING, FORWARD, DNAT, SNAT) and route that you can think of, but nothing helps. I must be doing something wrong.

Does anyone have a simple example of how to achieve this?

To test external access from VM2, I am pinging www.google.com (and an IP address), but I get "unknown host" and 100% packet loss respectively.
Edit - more info

Running tcpdump -nni eth0:0 icmp continuously on VM1 while pinging 8.8.8.8 from VM2 produces the following:
09:28:05.957841 IP VM2 private ip > 8.8.8.8: ICMP echo request, id 13950, seq 6, length 64
09:28:05.957900 IP VM1 public ip > 8.8.8.8: ICMP echo request, id 13950, seq 6, length 64
09:28:05.959157 IP 8.8.8.8 > VM1 public ip: ICMP echo reply, id 13950, seq 6, length 64
09:28:05.959172 IP 8.8.8.8 > VM2 private ip: ICMP echo reply, id 13950, seq 6, length 64
but VM2 never receives the packets. This is my iptables script on VM1:
echo 1 > /proc/sys/net/ipv4/ip_forward
# Flush tables
iptables -F
iptables -t nat -F
iptables -A FORWARD -i eth0:0 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
service iptables restart
For route, on VM2:

route add default gw <VM1 private ip>
Edit 2 - more info

route on VM2:
[travis@VM2 ~]$ sudo route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.22.20.195 0.0.0.0 UG 0 0 0 eth0
172.22.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
and iptables on VM1:
[travis@VM1 ~]$ sudo iptables -vnL
Chain INPUT (policy ACCEPT 3039 packets, 651K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 88 packets, 6598 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth0:0 eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 2602 packets, 304K bytes)
pkts bytes target prot opt in out source destination
[travis@VM1 ~]$ sudo iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 114 packets, 9000 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 81 packets, 6692 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 167 packets, 10845 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
200 13153 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
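An added example, not part of the original post, that packages the gateway setup the post is trying to build as an iptables-restore ruleset and adds a small check for the symptom visible in the posted counters: the FORWARD rule written with -i eth0:0 shows 0 packets while the chain policy has already accepted 88, because eth0:0 is an IP alias rather than a network device, so iptables -i/-o never matches it (the policy was ACCEPT, so forwarding still worked). The interface name eth0, the LAN subnet 172.22.0.0/16, the gateway address 172.22.20.195 and the sample iptables -vnL text come from the post; the function names (nat_ruleset, apply_gateway, client_commands, unmatched_rules) and the choice of 8.8.8.8 as the client's resolver are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the gateway's uplink
# is eth0 and that the LAN behind the eth0:0 alias is 172.22.0.0/16.
set -eu

WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-172.22.0.0/16}"

# Print a complete ruleset for `iptables-restore`. The LAN is matched by
# source subnet, not by "-i eth0:0": an IP alias is not a separate network
# device, so a rule with -i eth0:0 never matches any packet.
nat_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies to connections the LAN opened
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# new connections from the LAN, out the uplink only
-A FORWARD -s ${LAN_NET} -o ${WAN_IF} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# rewrite LAN source addresses to the uplink's address on the way out
-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j MASQUERADE
COMMIT
EOF
}

# Apply on the gateway (needs root). Defined only; never called here.
apply_gateway() {
    sysctl -w net.ipv4.ip_forward=1
    nat_ruleset | iptables-restore
}

# Commands for the LAN-only host: default route via the gateway's LAN address
# plus a resolver, because "unknown host" is a DNS failure, not a routing one.
# (8.8.8.8 as resolver is an assumption, not from the post.)
client_commands() {
    gw="$1"
    printf 'ip route replace default via %s dev eth0\n' "$gw"
    printf 'echo "nameserver 8.8.8.8" > /etc/resolv.conf\n'
}

# Read `iptables -vnL` output on stdin and print, for the given chain, each
# rule whose packet counter is 0 while the chain policy has already counted
# packets: traffic is flowing through the chain, but that rule never matches.
unmatched_rules() {
    awk -v chain="$1" '
        $1 == "Chain" { cur = $2; policy = $5 + 0; next }
        cur == chain && $1 ~ /^[0-9]+$/ && $1 == 0 && policy > 0 {
            print $3 " in=" $6 " out=" $7
        }
    '
}

# Constructed sample: the FORWARD chain exactly as shown in the post.
SAMPLE_VNL='Chain FORWARD (policy ACCEPT 88 packets, 6598 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0:0 eth0    0.0.0.0/0            0.0.0.0/0'
```

Run `printf '%s\n' "$SAMPLE_VNL" | unmatched_rules FORWARD` to see the rule flagged; on a live gateway, pipe `iptables -vnL` into the same function. The ruleset sets the FORWARD policy to DROP and accepts only LAN-originated traffic and its replies, which is the least-privilege shape a masquerading gateway should have; the post's script relied on the default ACCEPT policy instead.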