KVM + Cloudmin + IpTables

I am running KVM virtualization on a single machine. I use Ubuntu Server + Cloudmin (to manage the virtual machine instances).

On the host system I have four network interfaces:

ebadmin@saturn:/var/log$ ifconfig
br0       Link encap:Ethernet  HWaddr 10:78:d2:ec:16:38
    inet addr:192.168.0.253  Bcast:192.168.0.255  Mask:255.255.255.0
    inet6 addr: fe80::1278:d2ff:feec:1638/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
    RX packets:589337 errors:0 dropped:0 overruns:0 frame:0
    TX packets:334357 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:753652448 (753.6 MB)  TX bytes:43385198 (43.3 MB)

br1       Link encap:Ethernet  HWaddr 6e:a4:06:39:26:60
    inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
    inet6 addr: fe80::6ca4:6ff:fe39:2660/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
    RX packets:16995 errors:0 dropped:0 overruns:0 frame:0
    TX packets:13309 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:2059264 (2.0 MB)  TX bytes:1763980 (1.7 MB)

eth0      Link encap:Ethernet  HWaddr 10:78:d2:ec:16:38
    UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
    RX packets:610558 errors:0 dropped:0 overruns:0 frame:0
    TX packets:332382 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:769477564 (769.4 MB)  TX bytes:44360402 (44.3 MB)
    Interrupt:20 Memory:fe400000-fe420000

lo        Link encap:Local Loopback
    inet addr:127.0.0.1  Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING  MTU:16436  Metric:1
    RX packets:239632 errors:0 dropped:0 overruns:0 frame:0
    TX packets:239632 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:50738052 (50.7 MB)  TX bytes:50738052 (50.7 MB)

tap0      Link encap:Ethernet  HWaddr 6e:a4:06:39:26:60
    inet6 addr: fe80::6ca4:6ff:fe39:2660/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
    RX packets:17821 errors:0 dropped:0 overruns:0 frame:0
    TX packets:13703 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:500
    RX bytes:2370468 (2.3 MB)  TX bytes:1782356 (1.7 MB)

br0 is connected to the real network; br1 is used to create a private network shared between the guest systems.

Now I need to configure iptables for network access.

First I allow ssh sessions on port 8022 on the host system, then I allow all connections in the RELATED,ESTABLISHED state.

Everything works fine.

I installed another system as a guest; its IP address is 192.168.10.2, and now I have two problems:

  1. I want to allow access from that guest to the outside world, but I can't get it working. I can ssh to it from the host.

  2. I want to be able to ssh to the guest from the outside world using port 8023. I can't get this to work.

The full iptables configuration is as follows:

ebadmin@saturn:/var/log$ sudo iptables --list
[sudo] password for ebadmin:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8022
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere             LOG level warning

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             LOG level warning

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             LOG level warning
ebadmin@saturn:/var/log$ sudo iptables -t nat --list
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp spt:8023 to:192.168.10.2:22

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Worst of all, I don't know how to interpret the iptables log. I can't see the firewall's final decision.

Help urgently needed.
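The rule set below addresses the two problems in the question and the log-reading complaint. It is an added example, not code from the original thread. The interface names, the guest address 192.168.10.2 and the ports 8022/8023 come from the question; the chain policies, the `--log-prefix` convention, the hypothetical file name fw.sh and the sample log lines are my own assumptions. Three things differ from the posted configuration. The DNAT rule in the question matches `spt:8023`, the client's ephemeral source port, where it has to match the destination port (`--dport 8023`); DNAT only rewrites the header, so the rewritten packet still needs an ACCEPT in FORWARD and `net.ipv4.ip_forward` must be on, or the kernel never consults FORWARD at all. Guest traffic leaving through br0 needs a POSTROUTING MASQUERADE so replies come back to the host. And LOG is a non-terminating target: a LOG rule at the end of a chain logs the packet and then hands it to the chain policy, so the posted INPUT log lines are packets that were dropped, while the FORWARD and OUTPUT log lines are packets that were accepted. Putting the chain name and the verdict into the prefix and following every LOG with the explicit DROP it announces makes each log line state the final decision.

```shell
#!/bin/sh
# Added example for the question above, not code from the original thread.
# Usage:  sudo sh fw.sh apply                  install the rules (needs root)
#         sh fw.sh dryrun                      only print the iptables commands
#         sh fw.sh decode < /var/log/kern.log  decode the firewall log
#         sh fw.sh demo                        decode the constructed sample lines
set -eu

IPT=${IPT:-iptables}       # set IPT=echo to see the commands instead of running them
WAN_IF=br0                 # bridge on the real 192.168.0.0/24 LAN
GUEST_IF=br1               # private bridge shared with the guests
GUEST_NET=192.168.10.0/24
GUEST_SSH=192.168.10.2     # guest to expose on port 8023
HOST_SSH_PORT=8022
GUEST_SSH_PORT=8023

reset_rules() {
    "$IPT" -F
    "$IPT" -t nat -F
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP   # the question had ACCEPT: logged packets there were let through
    "$IPT" -P OUTPUT ACCEPT
}

host_rules() {
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    "$IPT" -A INPUT -p tcp --dport "$HOST_SSH_PORT" -j ACCEPT
    # LOG does not end the packet's journey; the explicit DROP right behind it
    # does, so the prefix names the final verdict.
    "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT INPUT DROP: "
    "$IPT" -A INPUT -j DROP
}

guest_rules() {
    # Problem 1: guest -> outside world. Forward br1 traffic out of br0 and
    # masquerade it behind the host's LAN address so replies find their way back.
    "$IPT" -t nat -A POSTROUTING -s "$GUEST_NET" -o "$WAN_IF" -j MASQUERADE
    "$IPT" -A FORWARD -i "$GUEST_IF" -o "$WAN_IF" -s "$GUEST_NET" -j ACCEPT
    "$IPT" -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Problem 2: outside world -> guest ssh. Match the destination port (the
    # question matched the source port), then accept the rewritten packet in FORWARD.
    "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$GUEST_SSH_PORT" \
        -j DNAT --to-destination "$GUEST_SSH:22"
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$GUEST_IF" -p tcp -d "$GUEST_SSH" --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT
    "$IPT" -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "IPT FORWARD DROP: "
    "$IPT" -A FORWARD -j DROP
}

all_rules() { reset_rules; host_rules; guest_rules; }

# Reads kernel log lines on stdin and prints one line per logged packet:
# "<CHAIN> <VERDICT> <PROTO> <SRC>:<SPT> -> <DST>:<DPT> in=<IN> out=<OUT>".
# Relies on the "IPT <CHAIN> <VERDICT>: " prefix convention used above.
decode_log() {
    awk '
    /IPT [A-Z]+ [A-Z]+:/ {
        match($0, /IPT [A-Z]+ [A-Z]+:/)
        split(substr($0, RSTART, RLENGTH), p, " ")
        chain = p[2]; verdict = p[3]; sub(/:$/, "", verdict)
        split("", kv)                       # clear the key=value map for this line
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0) kv[substr($i, 1, n - 1)] = substr($i, n + 1)
        }
        printf "%s %s %s %s:%s -> %s:%s in=%s out=%s\n", chain, verdict, kv["PROTO"],
               kv["SRC"], kv["SPT"], kv["DST"], kv["DPT"], kv["IN"], kv["OUT"]
    }'
}

# Constructed sample lines (not real log output): a telnet probe to the guest
# refused in FORWARD, and a connection to the host on port 22 (not 8022) refused in INPUT.
SAMPLE_LOG='Mar  3 10:21:07 saturn kernel: [ 8123.456] IPT FORWARD DROP: IN=br0 OUT=br1 MAC=10:78:d2:ec:16:38:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=192.168.10.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1234 DF PROTO=TCP SPT=40123 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:21:09 saturn kernel: [ 8125.001] IPT INPUT DROP: IN=br0 OUT= MAC=10:78:d2:ec:16:38:00:11:22:33:44:55:08:00 SRC=192.168.0.7 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0'

case "${1:-dryrun}" in
    apply)
        sysctl -w net.ipv4.ip_forward=1 >/dev/null   # without this the kernel never forwards
        all_rules ;;
    dryrun) IPT=echo; all_rules ;;
    decode) decode_log ;;
    demo)   printf '%s\n' "$SAMPLE_LOG" | decode_log ;;
esac
```

Run `sh fw.sh dryrun` first and compare the printed commands with `iptables -S` after `sudo sh fw.sh apply`. The `-m limit` on the LOG rules keeps a port scan from flooding the kernel log; drop it while debugging if you need to see every packet. Once the prefixes are in place, `sh fw.sh decode < /var/log/kern.log | sort | uniq -c` gives a count per chain and verdict, which is the overview the question is missing.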

Answer 1

Set up a second virtual NIC for the guest and bridge it to br0 on the host.

Answer 2

Try using the power of SSH! Edit your config:

vi ~/.ssh/config

# little shortcut (ssh_config comments must sit on their own line)
Host saturn
    HostName saturn.yourdomain.com

# hop through saturn to the guest; -q0 is the netcat-openbsd spelling,
# replace 22 with the guest's ssh port if it listens elsewhere
Host guest1
    ProxyCommand ssh -q saturn nc -q0 guest1.internal.name 22

Then, from the outside world, you can do:

ssh myuser@guest1

and the host will drop you straight into the guest. Don't fiddle with iptables for this.
