在 Ubuntu 18.04 主机下,我从克隆的 HD 设置了 Ubuntu 10.04 来宾虚拟机。虚拟机启动正常,我可以从主机通过 ssh 进入它,但它无法与主机外部进行通信。
我的问题是我的以下配置有什么问题:
访客虚拟机:
开始于qemu-system-x86_64 G.qcow2 -m 4096 -smp 4 -no-acpi -enable-kvm -name system76 -vga std -device virtio-net,netdev=net0 -netdev tap,id=net0,ifname=tap0,script=no,downscript=no,br=br0vm
使用 GUI/网络管理器手动进行网络配置。静态IP 192.168.118.18,掩码255.255.255.0,gw 192.168.118.1,dns 192.168.118.1(我认为我在路由器上使用的策略也适用于此,尽管这可能是一个错误)。
不知怎的,ifconfig报告了我认为没有配置的接口。我认为通过qemu上面的行我们定义了net0,但是,在下面,我们看到了eth1和virbr0!
# ifconfig
eth1 Link encap:Ethernet HWaddr 52:54:00:12:34:56
inet addr:192.168.118.18 Bcast:192.168.118.255 Mask:255.255.255.0
inet6 addr: fe80::5054:ff:fe12:3456/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1203 errors:0 dropped:0 overruns:0 frame:0
TX packets:1606 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:114773 (114.7 KB) TX bytes:290952 (290.9 KB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:313 errors:0 dropped:0 overruns:0 frame:0
TX packets:313 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:45604 (45.6 KB) TX bytes:45604 (45.6 KB)
virbr0 Link encap:Ethernet HWaddr 1e:8f:5c:98:b1:25
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
inet6 addr: fe80::1c8f:5cff:fe98:b125/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:84 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:13004 (13.0 KB)
主机配置:
apt install uml-utilities
apt install bridge-utils
vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p
ip link add name br0vm type bridge
ip addr add 192.168.118.1/24 dev br0vm
ip link set br0vm up
tunctl -t tap0 -u asoundmove
ip link set tap0 up
brctl addif br0vm tap0
mkdir /etc/qemu
vi /etc/qemu/bridge.conf
allow br0vm
# test access to the guest - it works
ssh [email protected]
iptables -t nat -A POSTROUTING -o br0vm -j MASQUERADE
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o eno1 -i br0vm -j ACCEPT
尝试一下:
我可以从访客 ping 主机:
ping 192.168.118.1
PING 192.168.118.1 (192.168.118.1) 56(84) bytes of data.
64 bytes from 192.168.118.1: icmp_seq=1 ttl=64 time=0.152 ms
64 bytes from 192.168.118.1: icmp_seq=2 ttl=64 time=0.145 ms
我无法从访客 ping 主机连接到的交换机/路由器,以下 ping 不返回任何内容:
ping 192.168.117.1
两个 ping 请求(117.1 和 118.1)都显示在tcpdumpguesteth1和 host上,位于guest 上的请求下方br0vm。tcpdumpping 192.168.117.1
tcpdump -i br0vm not port ssh
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0vm, link-type EN10MB (Ethernet), capture size 262144 bytes
11:57:34.211291 IP 192.168.118.18 > routerlogin.net: ICMP echo request, id 55320, seq 1, length 64
11:57:35.216163 IP 192.168.118.18 > routerlogin.net: ICMP echo request, id 55320, seq 2, length 64
11:57:36.215940 IP 192.168.118.18 > routerlogin.net: ICMP echo request, id 55320, seq 3, length 64
11:57:37.215919 IP 192.168.118.18 > routerlogin.net: ICMP echo request, id 55320, seq 4, length 64
11:57:39.205837 ARP, Request who-has host.hostname tell 192.168.118.18, length 28
11:57:39.205859 ARP, Reply host.hostname is-at 4e:31:b7:14:1b:a9 (oui Unknown), length 28
watch -d -n 1 iptables -nvL
Chain INPUT (policy ACCEPT 2604K packets, 21G bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
50 4200 ACCEPT all -- br0vm eno1 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 1974K packets, 43G bytes)
pkts bytes target prot opt in out source destination
计数器50 4200随着每个 ping 请求而增加
watch -d -n 1 iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 4283 packets, 510K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 4175 packets, 503K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 9155 packets, 663K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 9227 packets, 666K bytes)
pkts bytes target prot opt in out source destination
25 3789 MASQUERADE all -- * br0vm 0.0.0.0/0 0.0.0.0/0
然而,25 3789计数器不会随着每个 ping 请求而增加。
从主机来看,这是有效的:
ping 192.168.117.1
PING 192.168.117.1 (192.168.117.1) 56(84) bytes of data.
64 bytes from 192.168.117.1: icmp_seq=1 ttl=64 time=0.609 ms
64 bytes from 192.168.117.1: icmp_seq=2 ttl=64 time=0.585 ms
我做错了什么,118 子网上的 IP 流量没有转发到 117 子网?
编辑:
附加信息:
ip -br link
lo UNKNOWN 00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
eno1 UP 30:9c:23:9b:eb:df <BROADCAST,MULTICAST,UP,LOWER_UP>
br0vm UP 4e:31:b7:14:1b:a9 <BROADCAST,MULTICAST,UP,LOWER_UP>
tap0 UP 4e:31:b7:14:1b:a9 <BROADCAST,MULTICAST,UP,LOWER_UP>
ip -br address
lo UNKNOWN 127.0.0.1/8 ::1/128
eno1 UP 192.168.117.110/24 fe80::8fae:b4f2:8b90:7601/64
br0vm UP 192.168.118.1/24 fe80::a46d:86ff:fe2a:ddbf/64
tap0 UP fe80::4c31:b7ff:fe14:1ba9/64
ip route
default via 192.168.117.1 dev eno1 proto static metric 100
169.254.0.0/16 dev eno1 scope link metric 1000
192.168.117.0/24 dev eno1 proto kernel scope link src 192.168.117.110 metric 100
192.168.118.0/24 dev br0vm proto kernel scope link src 192.168.118.1
答案1
MASQUERADE 规则发生在 POSTROUTING 时:即在做出路由决策并选择目标接口之后。为了与外部通信,主机将使用 192.168.117.1 通过诺1。所以MASQUERADE规则标准应该是使用输出接口时诺1而不是br0vm。
因此,您应该使用:
iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
但由于这可能会产生不良影响(例如:将其他主机的 IP 伪装为其默认 IP 等),并且由于桥接器会产生一些副作用,这些副作用可能会在以后因完全不相关的原因而出现(已描述)这里和那里)如果您做了一些特定的更改,恕我直言,这是可以使用的最佳简单规则:
iptables -t nat -A POSTROUTING -s 192.168.118.0/24 ! -d 192.168.118.0/24 -j MASQUERADE