VM Debian guest with NAT and host-only adapters: "No route to host" when trying to reach the host from the guest

I have just set up a Debian guest in VirtualBox on a Fedora host. I use two adapters: NAT (internet for the guest, works fine) and host-only (ssh from host to guest, nfs, etc.). I can ssh from the host to the guest, but not the other way around. In fact, apart from ping and traceroute, which both give results, all the other network-related tools give the error: "No route to host".

Some information:

The host IP is 192.168.29.1.

    axirma@dev:~$ ip addr
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether 08:00:27:25:1f:71 brd ff:ff:ff:ff:ff:ff
        inet 10.0.2.15/24 brd 10.0.2.255 scope global eth0
        inet6 fe80::a00:27ff:fe25:1f71/64 scope link
           valid_lft forever preferred_lft forever
    3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether 08:00:27:6d:16:e6 brd ff:ff:ff:ff:ff:ff
        inet 192.168.29.2/24 brd 192.168.29.255 scope global eth1
        inet6 fe80::a00:27ff:fe6d:16e6/64 scope link
           valid_lft forever preferred_lft forever

    axirma@dev:~$ ip route
    default via 10.0.2.2 dev eth0
    10.0.2.0/24 dev eth0  proto kernel  scope link  src 10.0.2.15
    192.168.29.0/24 dev eth1  proto kernel  scope link  src 192.168.29.2

    axirma@dev:~$ ip route get 192.168.29.1
    192.168.29.1 dev eth1  src 192.168.29.2
        cache  ipid 0x1910 rtt 7ms rttvar 7ms cwnd 10

    axirma@dev:~$ arp
    Address                  HWtype  HWaddress           Flags Mask            Iface
    10.0.2.2                 ether   52:54:00:12:35:02   C                     eth0
    host                     ether   0a:00:27:00:00:00   C                     eth1

    axirma@dev:~$ ping -c 4 192.168.29.1
    PING 192.168.29.1 (192.168.29.1) 56(84) bytes of data.
    64 bytes from 192.168.29.1: icmp_req=1 ttl=64 time=0.247 ms
    64 bytes from 192.168.29.1: icmp_req=2 ttl=64 time=0.403 ms
    64 bytes from 192.168.29.1: icmp_req=3 ttl=64 time=0.446 ms
    64 bytes from 192.168.29.1: icmp_req=4 ttl=64 time=0.636 ms

    --- 192.168.29.1 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3003ms
    rtt min/avg/max/mdev = 0.247/0.433/0.636/0.138 ms

    axirma@dev:~$ traceroute 192.168.29.1
    traceroute to 192.168.29.1 (192.168.29.1), 30 hops max, 60 byte packets
     1  host (192.168.29.1)  0.152 ms !X  0.141 ms !X  0.143 ms !X

    axirma@dev:~$ nc -vz 192.168.29.1 22
    host [192.168.29.1] 22 (ssh) : No route to host

    axirma@dev:~$ ssh [email protected]
    ssh: connect to host 192.168.29.1 port 22: No route to host

Let me know if I can provide more information.

Answer 1

The cause of the problem is the default firewall configured on the Fedora host, whose ruleset ends up rejecting incoming packets from the VirtualBox host-only network interface. If we look at the rules below, we see that icmp packets are allowed. That is why ping works.

    [alexandru@the-host ~]$ sudo iptables -vL -t filter
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
     435K  493M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
       15  1559 ACCEPT     icmp --  any    any     anywhere             anywhere
       20  1054 ACCEPT     all  --  lo     any     anywhere             anywhere
       51 11040 ACCEPT     udp  --  any    any     anywhere             224.0.0.251          state NEW udp dpt:mdns
    25148 1821K REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT 332K packets, 39M bytes)
     pkts bytes target     prot opt in     out     source               destination

I thought of a firewall when I saw the !X in the traceroute output; the man page says it means "communication administratively prohibited". If we look at the firewall rules above, we can see that the traceroute udp packets reach the last catch-all REJECT rule of the INPUT chain.

Later, when I was debugging with nmap:

    axirma@the-guest:~$ nmap -Pn -T4 192.168.57.1

    Starting Nmap 6.00 ( http://nmap.org ) at 2013-11-12 16:28 EET
    Nmap scan report for 192.168.57.1
    Host is up (0.95s latency).
    All 1000 scanned ports on 192.168.57.1 are filtered

    Nmap done: 1 IP address (1 host up) scanned in 35.69 seconds

It says that all scanned ports are filtered, and the man page says: "...means that a firewall, filter, or other network obstacle is blocking the port".

Having understood the iptables output, it was clear that I needed to add an extra firewall rule to allow the desired communication. My personal solution was the following addition to /etc/sysconfig/iptables:

    -A INPUT -i vboxnet0 -j ACCEPT

placed just before the catch-all REJECT of the INPUT chain. vboxnet0 is the host-only network interface created in VirtualBox.
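The answer's diagnosis rests on iptables' first-match semantics: a packet walks the INPUT chain top to bottom and the first rule that matches decides. The following is an added example, not code from the question or the answer, that replays that walk in Python over a hand-written copy of the answer's INPUT chain (written in `iptables -S` syntax, so it is a constructed approximation of the `-vL` listing, not a capture). It shows why an ICMP echo from the guest is accepted while a new TCP connection to port 22 on vboxnet0 falls through to the `REJECT --reject-with icmp-host-prohibited` rule (the ICMP error the guest's kernel reports as "No route to host"), computes the 1-based position an `iptables -I INPUT N` insert would need to land before that REJECT, and compares the answer's broad `-i vboxnet0 -j ACCEPT` with a narrower assumed rule that admits only new SSH connections. The `Packet`/`Rule` names and the conntrack-state simplification are this example's own; nothing here touches the kernel.

```python
"""First-match walk of an iptables INPUT chain (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed: the Fedora default INPUT chain from the answer, in `-S` form.
HOST_INPUT_CHAIN = [
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -p icmp -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -d 224.0.0.251/32 -p udp -m state --state NEW --dport 5353 -j ACCEPT",
    "-A INPUT -j REJECT --reject-with icmp-host-prohibited",
]

# The answer's fix, and an assumed narrower alternative (example's own).
BROAD_HOSTONLY_ACCEPT = "-A INPUT -i vboxnet0 -j ACCEPT"
TIGHT_SSH_ACCEPT = "-A INPUT -i vboxnet0 -p tcp -m state --state NEW --dport 22 -j ACCEPT"


@dataclass
class Packet:
    in_iface: str                 # interface the packet arrived on
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port, None for icmp
    state: str = "NEW"            # conntrack state: NEW, ESTABLISHED, RELATED
    dst: str = "192.168.29.1"     # host-only address of the host


@dataclass
class Rule:
    target: str = ""
    in_iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[Set[str]] = None
    dst: Optional[str] = None
    reject_with: Optional[str] = None

    @classmethod
    def parse(cls, line: str) -> "Rule":
        """Pick the match options this example understands out of a -S line."""
        toks = line.split()
        r = cls()
        i = 0
        while i < len(toks):
            t, arg = toks[i], toks[i + 1] if i + 1 < len(toks) else None
            if t == "-j": r.target = arg
            elif t == "-i": r.in_iface = arg
            elif t == "-p": r.proto = arg
            elif t == "--dport": r.dport = int(arg)
            elif t == "--state": r.states = set(arg.split(","))
            elif t == "-d": r.dst = arg.split("/")[0]
            elif t == "--reject-with": r.reject_with = arg
            else:
                i += 1            # "-A INPUT", "-m state", "-m udp": no match semantics
                continue
            i += 2
        return r

    def matches(self, p: Packet) -> bool:
        return ((self.in_iface is None or self.in_iface == p.in_iface)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.states is None or p.state in self.states)
                and (self.dst is None or self.dst == p.dst))


def verdict(chain: List[str], pkt: Packet) -> str:
    """Target of the first matching rule ('REJECT:<type>' for rejects);
    falls back to the chain policy, which the listing shows as ACCEPT."""
    for line in chain:
        r = Rule.parse(line)
        if r.matches(pkt):
            return r.target if r.reject_with is None else f"{r.target}:{r.reject_with}"
    return "ACCEPT"


def accept_position(chain: List[str]) -> int:
    """1-based rule number to hand to `iptables -I INPUT N` so a new rule
    lands just before the first unconditional REJECT."""
    for n, line in enumerate(chain, 1):
        r = Rule.parse(line)
        if r.target == "REJECT" and r.in_iface is None and r.proto is None:
            return n
    return len(chain) + 1


def insert_before_reject(chain: List[str], rule: str) -> List[str]:
    n = accept_position(chain)
    return chain[:n - 1] + [rule] + chain[n - 1:]


if __name__ == "__main__":
    for label, pkt in [("ping", Packet("vboxnet0", "icmp")),
                       ("ssh", Packet("vboxnet0", "tcp", 22)),
                       ("traceroute udp", Packet("vboxnet0", "udp", 33434))]:
        print(f"{label:15} default chain -> {verdict(HOST_INPUT_CHAIN, pkt)}")
    fixed = insert_before_reject(HOST_INPUT_CHAIN, BROAD_HOSTONLY_ACCEPT)
    print(f"insert at rule {accept_position(HOST_INPUT_CHAIN)}; ssh now ->",
          verdict(fixed, Packet("vboxnet0", "tcp", 22)))
```

The broad rule reproduces the answer: once it precedes the REJECT, anything arriving on vboxnet0 is accepted, which is the behaviour wanted for ssh plus nfs. The narrower `TIGHT_SSH_ACCEPT` (an assumption, not from the page) accepts the ssh connection but still rejects, say, TCP 2049 from the guest, which is the trade-off to weigh if the guest is untrusted. Running the real change on the host is `iptables -I INPUT N -i vboxnet0 -j ACCEPT` with the N this computes, or the line in /etc/sysconfig/iptables as the answer did so it survives a reload.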
