我正在笔记本电脑上设置虚拟网桥,这样我就可以将多个虚拟机连接到它作为虚拟实验室环境。我希望我的笔记本电脑将数据包从网桥路由到我的实际网络接口,以便虚拟机可以访问互联网。我不希望网络接口本身被桥接。
为此,我建立了一个名为 vmnet 的网桥并为其指定了一个 IP 地址。
5: vmnet: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether d6:3a:11:0f:b1:67 brd ff:ff:ff:ff:ff:ff
inet 172.20.0.1/24 scope global vmnet
valid_lft forever preferred_lft forever
我已经dnsmasq设置好监听该桥并将 IP 地址分发给那些虚拟机,范围从 172.20.0.100 到 172.20.0.150。
为了使路由正常运行,我在内核中启用了 IPv4 转发:
$ cat /proc/sys/net/ipv4/ip_forward
1
在主机上,我可以 ping 网络中的其他设备,例如我的路由器和我的树莓派:
$ ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.807 ms
--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.807/0.807/0.807/0.000 ms
$ ping -c 1 192.168.1.33
PING 192.168.1.33 (192.168.1.33) 56(84) bytes of data.
64 bytes from 192.168.1.33: icmp_seq=1 ttl=64 time=0.365 ms
--- 192.168.1.33 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.365/0.365/0.365/0.000 ms
VM 从中获取 IP 地址dnsmasq,并且可以通过网桥和物理地址 ping 通主机:
root@archiso ~ # ping -c 1 172.20.0.1
PING 172.20.0.1 (172.20.0.1) 56(84) bytes of data.
64 bytes from 172.20.0.1: icmp_seq=1 ttl=64 time=0.072 ms
--- 172.20.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.072/0.072/0.072/0.000 ms
root@archiso ~ # ping -c 1 192.168.1.53
PING 192.168.1.53 (192.168.1.53) 56(84) bytes of data.
64 bytes from 192.168.1.53: icmp_seq=1 ttl=64 time=0.150 ms
--- 192.168.1.53 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.150/0.150/0.150/0.000 ms
然而,当我尝试 ping 网络上的设备时,会导致数据包丢失:
root@archiso ~ # ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
--- 192.168.1.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
1 root@archiso ~ # ping -c 1 192.168.1.33
PING 192.168.1.33 (192.168.1.33) 56(84) bytes of data.
--- 192.168.1.33 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
主机和虚拟机上的 iptables 都是空的:
$ sudo !!
sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
在主机上,我可以看到来自虚拟机并通过网络发出的 ping 消息,甚至可以看到它们由树莓派返回,但我看不到它们返回到我的笔记本电脑:
# On the laptop
$ sudo tcpdump -i enp0s25 -qtln icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s25, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 172.20.0.121 > 192.168.1.33: ICMP echo request, id 14, seq 1, length 64
# On the raspberry pi
$ sudo tcpdump -i eth0 -qtln icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 172.20.0.121 > 192.168.1.33: ICMP echo request, id 14, seq 1, length 64
IP 192.168.1.33 > 172.20.0.121: ICMP echo reply, id 14, seq 1, length 64
通过谷歌搜索,我尝试禁用rp_filter所有涉及的接口,但这似乎没有任何区别。
我是否忽略了配置中的一些明显问题?我该如何解决?
答案1
发完这个问题一分钟后,我突然想到:其他设备不知道如何将数据包路由到我的网桥,它们不知道那个网络。我必须使用 NAT 来转换 ping,就好像它们来自我的笔记本电脑的 IP 地址一样。
sudo iptables -t nat -A POSTROUTING -j MASQUERADE