All connections to bridged domUs originate from the dom0 public IP instead of the real IP

I have a Dom0 with a hybrid configuration: bridged networking plus NAT. There is one NIC connected to the internet (and 3 more that are unused).

Here is my interfaces file:

# The primary network interface
iface eth0 inet manual

auto xenbr0
iface xenbr0 inet static
    bridge_ports eth0
    address 83.149.69.150
    gateway 83.149.69.190
    netmask 255.255.255.192

iface xenbr0 inet6 static
    address 2001:1AF8:3100:A00A:21::0000
    netmask 64
    gateway 2001:1AF8:3100:A00A::1

Here is the vif line from the xen config file of one of the virtual machines (domU):

vif = [ 'ip=83.149.69.154,mac=00:16:3E:5E:96:D7,script=vif-bridge,bridge=xenbr0', 'ip=172.16.1.20,mac=00:16:3E:5E:96:D8' ]

This results in two interfaces on the domU:

eth0      Link encap:Ethernet  HWaddr 00:16:3e:5e:96:d7  
          inet addr:83.149.69.154  Bcast:83.149.69.191  Mask:255.255.255.192
          inet6 addr: 2001:1af8:3100:a00a:21::4/64 Scope:Global
          inet6 addr: fe80::216:3eff:fe5e:96d7/64 Scope:Link
          [...]

eth1      Link encap:Ethernet  HWaddr 00:16:3e:5e:96:d8  
          inet addr:172.16.1.20  Bcast:172.16.255.255  Mask:255.255.0.0
          inet6 addr: fe80::216:3eff:fe5e:96d8/64 Scope:Link
          [...]

However, any connection made to these VMs appears to originate from the Dom0 (public) IP. I mean connections to nginx, apache, ssh, openvpn, etc. The connecting client is always 83.149.69.150 (= reverse DNS aleph.rootspirit.com):

For example, who:

# who
root     pts/0        2014-06-14 14:47 (aleph.rootspirit.com)

Or openvpn (note that all the addresses are 83.149.69.150):

OpenVPN CLIENT LIST
Updated,Sat Jun 14 14:51:12 2014
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
broserv,83.149.69.150:49545,356124,137293,Sat Jun 14 14:13:26 2014
pi,83.149.69.150:56293,322082,214456,Sat Jun 14 14:13:35 2014
heartbeat,83.149.69.150:42122,549631,1264272,Sat Jun 14 14:13:26 2014
industry,83.149.69.150:37885,759137,365405,Sat Jun 14 14:13:06 2014

What is causing this strange behaviour?

Edit:

I have this in my iptables:

iptables -t nat -A POSTROUTING -o xenbr0 -j MASQUERADE

When I remove that line, it works correctly:

# who
root     pts/0        2014-06-14 19:39 (213.219.144.38.adsl.dyn.edpnet.net)

But then the VMs that run only through NAT can no longer reach the internet:

# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 3999ms

iptables:

aleph /etc # iptables -L -nv
Chain INPUT (policy ACCEPT 3321 packets, 5903K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 1677 packets, 117K bytes)
 pkts bytes target     prot opt in     out     source               destination         
14511 3725K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-is-bridged
18653 3752K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 1887 packets, 4659K bytes)
 pkts bytes target     prot opt in     out     source               destination         
aleph /etc # iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 1365 packets, 96941 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:12223 to:172.16.1.1:22
    2   124 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:25 to:172.16.1.1
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:53 to:172.16.1.1
  558 38901 DNAT       udp  --  *      *       0.0.0.0/0            83.149.69.128/26     udp dpt:53 to:172.16.1.1
    2   128 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:465 to:172.16.1.1
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:4950 to:172.16.1.1
    7   420 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:110 to:172.16.1.1
    2   104 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:143 to:172.16.1.1
   12   720 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:993 to:172.16.1.1
    4   208 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:995 to:172.16.1.1
    2   104 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:21 to:172.16.1.2
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:2121 to:172.16.1.2:21
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:20 to:172.16.1.2
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:4951 to:172.16.1.2
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpts:50000:51000 to:172.16.1.2
    5   300 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:12222 to:172.16.1.2:22

Chain INPUT (policy ACCEPT 48 packets, 2802 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 58 packets, 3688 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 637 packets, 43589 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1320 94863 MASQUERADE  all  --  *      xenbr0  0.0.0.0/0            0.0.0.0/0  

Answer 1

This happens because your Dom0 does not have any interface on the private network.

You should set up separate bridges for the internal and the public IP addresses.

Like this:

auto xenbr0
iface xenbr0 inet static
    bridge_ports eth0
    address 83.149.69.150
    gateway 83.149.69.190
    netmask 255.255.255.192

iface xenbr0 inet6 static
    address 2001:1AF8:3100:A00A:21::0000
    netmask 64
    gateway 2001:1AF8:3100:A00A::1

iface dummy0 inet manual

auto xenbr1
iface xenbr1 inet static
    bridge_ports dummy0
    address 172.16.1.19
    netmask 255.255.255.0

And then, respectively, in your domU config:

vif = [ 'ip=83.149.69.154,mac=00:16:3E:5E:96:D7,script=vif-bridge,bridge=xenbr0', 'ip=172.16.1.20,mac=00:16:3E:5E:96:D8,bridge=xenbr1' ]

This way your dom0 will have separate IP addresses on both the internal network and the public network.

Edit: in addition to the configuration above, use the following NAT rule:

iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -o xenbr0 -j SNAT --to-source 83.149.69.150
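
As an added example (not code from the question, the answer, or Xen/iptables), the following Python script models the nat/POSTROUTING decision for the two rule sets on this page: the question's broad `-o xenbr0 -j MASQUERADE`, the same rule deleted (the question's edit), and the answer's narrowed `-s 172.16.1.0/24 ... -j SNAT`. It implements only the matchers used here (`-o`, `-s`) with first-match semantics, and runs two constructed packets through each chain: an internet client connecting to the bridged domU 83.149.69.154, and the NAT-only domU 172.16.1.1 reaching 8.8.8.8. The one assumption, labelled in the code, is that bridge-nf-call-iptables is 1 on the dom0, so a frame that is merely bridged from eth0 to a domU vif through xenbr0 is also seen by iptables with out-interface xenbr0; the non-zero PHYSDEV counters in the question's FORWARD chain are consistent with that.

```python
"""Toy model of the nat/POSTROUTING decision discussed on this page.

Constructed example, not code from the question, the answer or Xen/iptables.
It models only the matchers used on this page (-o, -s) and the MASQUERADE and
SNAT targets, with first-match semantics, so the effect of the question's
broad rule and the answer's narrowed rule can be compared on two packets.

Assumption (labelled): bridge-nf-call-iptables=1 on the dom0, so a frame that
is merely bridged from eth0 to a domU vif through xenbr0 is also seen by
iptables with out-interface xenbr0.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str     # IPv4 source address before NAT
    dst: str     # IPv4 destination address
    out_if: str  # interface the packet leaves on, as iptables -o sees it


@dataclass(frozen=True)
class Rule:
    """One POSTROUTING rule: optional -o and -s matchers plus its target."""
    target: str                      # "MASQUERADE" or "SNAT"
    out_if: Optional[str] = None     # -o <iface>
    src_net: Optional[str] = None    # -s <cidr>
    to_source: Optional[str] = None  # --to-source (SNAT only)

    def matches(self, pkt: Packet) -> bool:
        if self.out_if is not None and pkt.out_if != self.out_if:
            return False
        if self.src_net is not None and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        return True


def postrouting(rules: List[Rule], pkt: Packet, if_addr: Dict[str, str]) -> Tuple[str, Optional[int]]:
    """First-match evaluation of a POSTROUTING chain.

    Returns (source address after NAT, index of the rule that fired or None).
    MASQUERADE rewrites to the address of the outgoing interface, SNAT to the
    explicit --to-source; an unmatched packet keeps its original source.
    """
    for i, rule in enumerate(rules):
        if not rule.matches(pkt):
            continue
        if rule.target == "MASQUERADE":
            return if_addr[pkt.out_if], i
        if rule.target == "SNAT":
            if rule.to_source is None:
                raise ValueError("SNAT requires --to-source")
            return rule.to_source, i
        raise ValueError(f"unsupported target {rule.target}")
    return pkt.src, None


DOM0_PUBLIC = "83.149.69.150"
IF_ADDR = {"xenbr0": DOM0_PUBLIC}  # what MASQUERADE resolves -o xenbr0 to

# The question's rule:  iptables -t nat -A POSTROUTING -o xenbr0 -j MASQUERADE
BROAD = [Rule("MASQUERADE", out_if="xenbr0")]
# The answer's rule:    ... -s 172.16.1.0/24 -o xenbr0 -j SNAT --to-source 83.149.69.150
NARROW = [Rule("SNAT", out_if="xenbr0", src_net="172.16.1.0/24", to_source=DOM0_PUBLIC)]
# The question's edit:  rule deleted
EMPTY: List[Rule] = []

# Constructed packets, using addresses that appear on the page.
SCENARIOS = {
    # Internet client -> bridged domU; bridged through xenbr0 (see assumption above)
    "inbound_to_bridged_domu": Packet(src="213.219.144.38", dst="83.149.69.154", out_if="xenbr0"),
    # NAT-only domU -> Internet; routed out through xenbr0
    "nat_domu_to_internet": Packet(src="172.16.1.1", dst="8.8.8.8", out_if="xenbr0"),
}


def evaluate(rules: List[Rule]) -> Dict[str, str]:
    """Source address each scenario packet carries after the chain."""
    return {name: postrouting(rules, pkt, IF_ADDR)[0] for name, pkt in SCENARIOS.items()}


if __name__ == "__main__":
    for label, rules in (("broad MASQUERADE", BROAD), ("rule removed", EMPTY), ("narrow SNAT", NARROW)):
        print(label)
        for name, src in evaluate(rules).items():
            print(f"  {name}: source after NAT = {src}")
```

With the broad rule the inbound packet to the bridged domU leaves xenbr0 with source 83.149.69.150, which is exactly what `who` and the OpenVPN client list show; with the rule removed it keeps 213.219.144.38 but the NAT-only domU's packet goes out with a private 172.16.1.1 source and gets no reply; with the answer's `-s 172.16.1.0/24` restriction only the NAT-only domU is translated. On a real dom0 the assumption can be checked with `sysctl net.bridge.bridge-nf-call-iptables` (on newer kernels the br_netfilter module must be loaded for that key to exist).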