I set up a Proxmox host on OVM hardware using a bridged setup. However, since this requires editing configuration files on the Guest before it works, errors occur during the actual installation, e.g. no interfaces file is created or resolv.conf is missing.
I tried to work around this by adding a NAT-based interface during the Guest installation. But I ran into a problem: the Guest VM can reach external servers by IP, but not by name.
Here is the network configuration on the host:
# for Routing
auto vmbr1
iface vmbr1 inet static
address 192.168.0.1
netmask 255.255.255.0
#post-up /etc/pve/kvm-networking.sh
bridge_ports none
bridge_stp off
bridge_fd 0
post-up iptables -t nat -A POSTROUTING -s '192.168.0.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -F
# vmbr0: Bridging. Make sure to use only MAC addresses that were assigned to you.
auto vmbr0
iface vmbr0 inet static
address 192.99.36.XXX
netmask 255.255.255.0
network 192.99.36.0
broadcast 192.99.36.255
gateway 192.99.36.254
bridge_ports eth0
bridge_stp off
bridge_fd 0
post-up echo 1 > /proc/sys/net/ipv4/conf/vmbr0/forwarding
post-up echo 1 > /proc/sys/net/ipv4/conf/vmbr0/proxy_arp
I have also enabled IP forwarding and proxy ARP on the host:
# cat /proc/sys/net/ipv4/ip_forward
1
# cat /proc/sys/net/ipv4/conf/all/proxy_arp
1
To get DNS working I added a number of rules to iptables. Here is the iptables output on the host:
Chain INPUT (policy ACCEPT 5344 packets, 2016K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.0.0/24 udp spt:53 dpts:1024:65535 state ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.0.0/24 tcp spt:53 dpts:1024:65535 state ESTABLISHED
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 192.168.0.0/24 0.0.0.0/0 udp dpt:53 state NEW,ESTABLISHED
0 0 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpt:53 state NEW,ESTABLISHED
Chain OUTPUT (policy ACCEPT 5141 packets, 2302K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp spts:1024:65535 dpt:53 state NEW,ESTABLISHED
Chain PREROUTING (policy ACCEPT 60270 packets, 7555K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 53578 packets, 11M bytes)
pkts bytes target prot opt in out source destination
5 420 MASQUERADE all -- * vmbr0 192.168.0.0/24 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 53578 packets, 11M bytes)
pkts bytes target prot opt in out source destination
After starting the Guest VM, here is the output of ping/nslookup inside the Guest:
Here is the Guest's ifconfig output:
When running nslookup, the tcpdump output at Guest level looks like this:
The host-level tcpdump output is very similar, but I am including it here for reference:
# tcpdump -n -tttt -i vmbr1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmbr1, link-type EN10MB (Ethernet), capture size 65535 bytes
2014-04-20 08:38:48.013775 ARP, Request who-has 192.168.0.1 tell 192.168.0.101, length 28
2014-04-20 08:38:48.013796 ARP, Reply 192.168.0.1 is-at 56:6a:38:7c:1b:0a, length 28
2014-04-20 08:38:48.013860 IP 192.168.0.101.41572 > 192.168.0.1.53: 54954+ A? google.com. (28)
2014-04-20 08:38:48.013884 IP 192.168.0.1 > 192.168.0.101: ICMP 192.168.0.1 udp port 53 unreachable, length 64
2014-04-20 08:38:53.013443 ARP, Request who-has 192.168.0.101 tell 192.168.0.1, length 28
2014-04-20 08:38:53.013594 ARP, Reply 192.168.0.101 is-at de:0a:bd:d1:82:19, length 28
2014-04-20 08:38:53.013676 IP 192.168.0.101.41572 > 192.168.0.1.53: 54954+ A? google.com. (28)
2014-04-20 08:38:53.013701 IP 192.168.0.1 > 192.168.0.101: ICMP 192.168.0.1 udp port 53 unreachable, length 64
2014-04-20 08:38:56.810432 IP 0.0.0.0 > 224.0.0.1: igmp query v2
2014-04-20 08:38:56.810433 IP6 23dc:26d9:f488:a50d:100:: > ff02::1: HBH ICMP6, multicast listener querymax resp delay: 1000 addr: ::, length 24
2014-04-20 08:38:58.013733 IP 192.168.0.101.41572 > 192.168.0.1.53: 54954+ A? google.com. (28)
2014-04-20 08:38:58.013758 IP 192.168.0.1 > 192.168.0.101: ICMP 192.168.0.1 udp port 53 unreachable, length 64
^C
12 packets captured
12 packets received by filter
0 packets dropped by kernel
If anyone can tell me what I am doing wrong and how to fix it, I would be very grateful!
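Added example, not part of the question above and not the poster's code: a small Python analyser for `tcpdump -n` text of the kind shown in the post. It pairs the guest's DNS queries with what comes back per resolver address and distinguishes two failure modes that look the same from the guest ("cannot resolve names"): an ICMP "udp port 53 unreachable" sent by the resolver address itself, which the kernel generates when no socket is bound to port 53 there (with the INPUT chain at policy ACCEPT and no REJECT rule, as in the posted ruleset), versus a query that leaves and simply gets no reply, which points at forwarding or NAT. The first sample capture is copied from the question; the other two are constructed to exercise the remaining branches. Addresses, ports and transaction IDs in the constructed captures are made up.

```python
"""Classify a guest's DNS attempts from plain `tcpdump -n` text lines.

Added example (not from the original question). Per resolver address the
guest queried, it decides between three verdicts:
  "ok"              - at least one DNS answer came back
  "no DNS listener" - the resolver address itself sent ICMP port unreachable
  "no reply"        - queries left, nothing came back at all
"""
import re
from collections import defaultdict

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# e.g. IP 192.168.0.101.41572 > 192.168.0.1.53: 54954+ A? google.com. (28)
QUERY_RE = re.compile(rf"IP {IPV4}\.(\d+) > {IPV4}\.53: (\d+)\+ (\w+)\? (\S+) \(\d+\)")
# e.g. IP 192.168.0.1.53 > 192.168.0.101.50123: 1234 1/0/0 A 203.0.113.10 (45)
ANSWER_RE = re.compile(rf"IP {IPV4}\.53 > {IPV4}\.(\d+): (\d+)[*$|-]* (\d+)/(\d+)/(\d+)")
# e.g. IP 192.168.0.1 > 192.168.0.101: ICMP 192.168.0.1 udp port 53 unreachable, length 64
UNREACH_RE = re.compile(rf"IP {IPV4} > {IPV4}: ICMP {IPV4} udp port 53 unreachable")

HINTS = {
    "ok": "name resolution works against this resolver",
    "no DNS listener": ("nothing is bound to port 53 on the resolver address; run a "
                        "forwarder there (e.g. dnsmasq bound to the NAT bridge), DNAT "
                        "udp/tcp 53 to an upstream resolver, or point the guest's "
                        "resolv.conf at a resolver that actually answers"),
    "no reply": ("the query left but no answer returned; check FORWARD rules, the "
                 "MASQUERADE rule on the uplink and reachability of the upstream resolver"),
}


def analyse(capture):
    """Return {resolver: {sent, answered, port_unreachable, verdict, names, hint}}."""
    queries = defaultdict(list)       # resolver -> [(txid, qtype, name), ...]
    answers = defaultdict(int)        # resolver -> number of DNS answers seen
    unreachable = defaultdict(int)    # sender -> number of ICMP port-53 unreachable
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m:
            _src, _sport, resolver, txid, qtype, name = m.groups()
            queries[resolver].append((int(txid), qtype, name))
            continue
        m = ANSWER_RE.search(line)
        if m:
            answers[m.group(1)] += 1
            continue
        m = UNREACH_RE.search(line)
        if m:
            # group(1) is the host that sent the ICMP error, i.e. the one
            # reporting that its own port 53 is closed.
            unreachable[m.group(1)] += 1
        # ARP, IGMP and other lines are irrelevant here and fall through.

    report = {}
    for resolver, qs in queries.items():
        sent, got, refused = len(qs), answers[resolver], unreachable[resolver]
        if got:
            verdict = "ok"
        elif refused:
            verdict = "no DNS listener"
        else:
            verdict = "no reply"
        report[resolver] = {
            "sent": sent,
            "answered": got,
            "port_unreachable": refused,
            "verdict": verdict,
            "names": sorted({name for _, _, name in qs}),
            "hint": HINTS[verdict],
        }
    return report


# Sample 1: lines copied from the tcpdump output in the question.
CAPTURE_FROM_QUESTION = """\
2014-04-20 08:38:48.013775 ARP, Request who-has 192.168.0.1 tell 192.168.0.101, length 28
2014-04-20 08:38:48.013796 ARP, Reply 192.168.0.1 is-at 56:6a:38:7c:1b:0a, length 28
2014-04-20 08:38:48.013860 IP 192.168.0.101.41572 > 192.168.0.1.53: 54954+ A? google.com. (28)
2014-04-20 08:38:48.013884 IP 192.168.0.1 > 192.168.0.101: ICMP 192.168.0.1 udp port 53 unreachable, length 64
2014-04-20 08:38:53.013676 IP 192.168.0.101.41572 > 192.168.0.1.53: 54954+ A? google.com. (28)
2014-04-20 08:38:53.013701 IP 192.168.0.1 > 192.168.0.101: ICMP 192.168.0.1 udp port 53 unreachable, length 64
2014-04-20 08:38:58.013733 IP 192.168.0.101.41572 > 192.168.0.1.53: 54954+ A? google.com. (28)
2014-04-20 08:38:58.013758 IP 192.168.0.1 > 192.168.0.101: ICMP 192.168.0.1 udp port 53 unreachable, length 64
"""

# Sample 2 (constructed): a forwarder on 192.168.0.1 answering normally.
CAPTURE_HEALTHY = """\
2014-04-20 08:40:01.000100 IP 192.168.0.101.50123 > 192.168.0.1.53: 1234+ A? example.org. (29)
2014-04-20 08:40:01.020400 IP 192.168.0.1.53 > 192.168.0.101.50123: 1234 1/0/0 A 203.0.113.10 (45)
"""

# Sample 3 (constructed): guest asks an external resolver and hears nothing back.
CAPTURE_SILENT = """\
2014-04-20 08:41:10.000100 IP 192.168.0.101.50200 > 8.8.8.8.53: 4321+ A? example.org. (29)
2014-04-20 08:41:15.000200 IP 192.168.0.101.50200 > 8.8.8.8.53: 4321+ A? example.org. (29)
"""

if __name__ == "__main__":
    for label, cap in [("question", CAPTURE_FROM_QUESTION),
                       ("healthy", CAPTURE_HEALTHY), ("silent", CAPTURE_SILENT)]:
        for resolver, r in analyse(cap).items():
            print(f"{label}: {resolver} sent={r['sent']} answered={r['answered']} "
                  f"port_unreachable={r['port_unreachable']} -> {r['verdict']}: {r['hint']}")
```

Run on the capture from the question, the report for 192.168.0.1 shows three queries for google.com., zero answers and three ICMP port-unreachable errors from 192.168.0.1 itself, i.e. the guest's resolv.conf points at the host's NAT bridge address but nothing on the host is serving DNS there; the MASQUERADE and FORWARD rules never come into play because the packet is delivered locally, which is also why the FORWARD counters in the posted iptables output are zero. Feed it a capture from `tcpdump -n -i vmbr1 port 53 or icmp` to get the same classification on live traffic.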