I have set up KVM virtualization on one machine. I am using Ubuntu Server + Cloudmin (to manage the virtual machine instances).
On the host system I have four network interfaces:
ebadmin@saturn:/var/log$ ifconfig
br0 Link encap:Ethernet HWaddr 10:78:d2:ec:16:38
inet addr:192.168.0.253 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::1278:d2ff:feec:1638/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:589337 errors:0 dropped:0 overruns:0 frame:0
TX packets:334357 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:753652448 (753.6 MB) TX bytes:43385198 (43.3 MB)
br1 Link encap:Ethernet HWaddr 6e:a4:06:39:26:60
inet addr:192.168.10.1 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::6ca4:6ff:fe39:2660/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:16995 errors:0 dropped:0 overruns:0 frame:0
TX packets:13309 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2059264 (2.0 MB) TX bytes:1763980 (1.7 MB)
eth0 Link encap:Ethernet HWaddr 10:78:d2:ec:16:38
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:610558 errors:0 dropped:0 overruns:0 frame:0
TX packets:332382 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:769477564 (769.4 MB) TX bytes:44360402 (44.3 MB)
Interrupt:20 Memory:fe400000-fe420000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:239632 errors:0 dropped:0 overruns:0 frame:0
TX packets:239632 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:50738052 (50.7 MB) TX bytes:50738052 (50.7 MB)
tap0 Link encap:Ethernet HWaddr 6e:a4:06:39:26:60
inet6 addr: fe80::6ca4:6ff:fe39:2660/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:17821 errors:0 dropped:0 overruns:0 frame:0
TX packets:13703 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:2370468 (2.3 MB) TX bytes:1782356 (1.7 MB)
br0 is connected to the real network; br1 is used to create a private network shared between the guest systems.
Now I need to configure iptables for network access.
First, I allow ssh sessions on port 8022 on the host system, then I allow all connections in the RELATED,ESTABLISHED state.
Everything works fine.
I installed another system as a guest; its IP address is 192.168.10.2, and now I have two problems:
I want to allow access from that guest to the outside world, but I can't get it to work. I can ssh into it from the host.
I want to be able to ssh from the outside world to the guest using port 8023. I can't get that to work either.
The full iptables configuration is as follows:
ebadmin@saturn:/var/log$ sudo iptables --list
[sudo] password for ebadmin:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:8022
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere anywhere LOG level warning
Chain FORWARD (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning
ebadmin@saturn:/var/log$ sudo iptables -t nat --list
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp spt:8023 to:192.168.10.2:22
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
The worst part is that I don't know how to interpret the iptables logs. I can't see the firewall's final decision.
Help urgently needed.
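The ruleset from the question, reworked as an added example (not code from the question or from either answer). It keeps the host rules the question describes (ssh on 8022, RELATED,ESTABLISHED), adds the outbound masquerading that the empty POSTROUTING chain above lacks, and matches the forwarded ssh port with --dport instead of spt (the DNAT rule shown matches source port 8023, which a connecting client never uses). It assumes br0 carries the host's LAN address and br1 the guest network, that the guest uses 192.168.10.1 as its default gateway, and that net.ipv4.ip_forward may be set by the script (the question does not show its value). The FORWARD policy is set to DROP with explicit rules, which is stricter than the ACCEPT policy in the question. The log decoder at the end shows how a LOG prefix makes the verdict readable; the sample log line in it is constructed, not taken from the question.

```shell
#!/bin/sh
# Added example, not the question's or the answers' code. Host firewall for a
# KVM host with br0 on the LAN and br1 (192.168.10.1/24) as the guest bridge.
# Assumed: the guest 192.168.10.2 routes via 192.168.10.1, and ip_forward may
# be set here (the question does not show its value).
set -eu

WAN_IF="${WAN_IF:-br0}"        # bridge carrying the host's LAN address
GUEST_IF="${GUEST_IF:-br1}"    # private bridge shared with the guests
GUEST_NET="192.168.10.0/24"
GUEST="192.168.10.2"
HOST_SSH_PORT=8022             # ssh to the host itself
GUEST_SSH_PORT=8023            # external port forwarded to the guest's port 22

# DRY_RUN=1 prints each command instead of executing it (no root needed).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

setup_firewall() {
    run sysctl -w net.ipv4.ip_forward=1

    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP      # stricter than the question's ACCEPT
    run iptables -P OUTPUT ACCEPT

    # Traffic to the host itself: loopback, replies, and ssh on 8022.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run iptables -A INPUT -p tcp --dport "$HOST_SSH_PORT" -j ACCEPT

    # Problem 1, guest -> outside: forward it and masquerade behind the host.
    # The question's POSTROUTING chain is empty, so nothing rewrote the
    # guest's private source address on the way out.
    run iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i "$GUEST_IF" -o "$WAN_IF" -s "$GUEST_NET" -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$GUEST_NET" -o "$WAN_IF" -j MASQUERADE

    # Problem 2, outside -> guest ssh: match the DESTINATION port (--dport).
    # The question's rule uses spt:8023, the source port, which a connecting
    # ssh client picks at random and so never matches.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$GUEST_SSH_PORT" \
        -j DNAT --to-destination "$GUEST:22"
    run iptables -A FORWARD -i "$WAN_IF" -o "$GUEST_IF" -p tcp -d "$GUEST" --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT

    # A LOG rule as the last rule of a chain records exactly what the policy
    # is about to drop; the prefix makes chain and verdict readable.
    run iptables -A INPUT   -j LOG --log-prefix "IPT INPUT DROP: "   --log-level warning
    run iptables -A FORWARD -j LOG --log-prefix "IPT FORWARD DROP: " --log-level warning
}

# verdict_for_log LINE: reduce one kernel LOG line to
# "<chain> <verdict> <in>-><out> <src>:<sport> -> <dst>:<dport>".
verdict_for_log() {
    printf '%s\n' "$1" | awk '{
        chain = ""; verdict = ""; iif = ""; oif = ""; src = ""; dst = ""; spt = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "IPT") { chain = $(i + 1); verdict = $(i + 2); sub(/:$/, "", verdict) }
            split($i, kv, "=")
            if (kv[1] == "IN")  iif = kv[2]
            if (kv[1] == "OUT") oif = kv[2]
            if (kv[1] == "SRC") src = kv[2]
            if (kv[1] == "DST") dst = kv[2]
            if (kv[1] == "SPT") spt = kv[2]
            if (kv[1] == "DPT") dpt = kv[2]
        }
        printf "%s %s %s->%s %s:%s -> %s:%s\n", chain, verdict, iif, oif, src, spt, dst, dpt
    }'
}

# Constructed sample log line (not taken from the question's logs).
SAMPLE_LOG='Mar  3 10:15:02 saturn kernel: [ 8123.456] IPT FORWARD DROP: IN=br0 OUT=br1 MAC=10:78:d2:ec:16:38:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=192.168.10.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4321 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0'

case "${1:-}" in
    apply)  setup_firewall ;;                                       # sudo sh fw.sh apply
    decode) while IFS= read -r l; do verdict_for_log "$l"; done ;;  # dmesg | sh fw.sh decode
    *)      verdict_for_log "$SAMPLE_LOG" ;;
esac
```

`DRY_RUN=1 sh fw.sh apply` prints the rules, `sudo sh fw.sh apply` loads them, and `dmesg | sh fw.sh decode` turns each LOG line into one line naming the chain and verdict. With these prefixes a line tagged `IPT INPUT DROP:` is a packet the INPUT policy dropped; with the rules in the question, the LOG rules in FORWARD and OUTPUT record every packet and the ACCEPT policy then lets all of them through, which is why no decision can be read off the log. Use `iptables -L -v -n --line-numbers` when inspecting the result: plain `iptables --list` hides interface matches, so a rule such as `-i lo -j ACCEPT` shows up only as `ACCEPT all -- anywhere anywhere`.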
Answer 1
Set up a second virtual NIC for the guest and bridge it to br0 on the host.
Answer 2
Try using the power of SSH! Edit your config:
vi ~/.ssh/config
# little shortcut; Port 8022 is where the host's firewall accepts ssh
Host saturn
    HostName saturn.yourdomain.com
    Port 8022
# nc on saturn relays to the guest's sshd (22, or its SSH port)
Host guest1
    ProxyCommand ssh -q saturn nc -q0 guest1.internal.name 22
Then, from the outside world, you can do:
ssh myuser@guest1
and the host will drop you straight in. Don't fiddle with iptables for this.