CentOS 7.2.1511 libvirt firewall configuration

I have a few CentOS 7 setups in which I use iptables to forward ports from the host to the guests. Recently I updated to 7.2.1511, and it seems that libvirt now insists on firewalld being active instead of using iptables commands directly.

Below is the XML configuration of my virtual network VMmaint.

    <network connections='11'>
      <name>VMmaint</name>
      <uuid>2d218af6-b374-41b3-8a7e-2de7a02e62a9</uuid>
      <forward dev='em1' mode='nat'>
        <nat>
          <port start='1024' end='65535'/>
        </nat>
        <interface dev='em1'/>
      </forward>
      <bridge name='VMmaint' stp='on' delay='0'/>
      <mac address='52:54:00:ab:82:15'/>
      <ip address='192.168.100.1' netmask='255.255.255.0'>
        <dhcp>
          <range start='192.168.100.10' end='192.168.100.254'/>
          <host mac='52:54:00:f7:df:11' ip='192.168.100.11'/>
          <host mac='52:54:00:f1:bb:18' ip='192.168.100.12'/>
          <host mac='52:54:00:cf:33:59' ip='192.168.100.13'/>
          <host mac='52:54:00:57:e2:6a' ip='192.168.100.14'/>
          <host mac='52:54:00:72:8e:ce' ip='192.168.100.15'/>
          <host mac='52:54:00:25:3e:34' ip='192.168.100.16'/>
          <host mac='52:54:00:8a:31:3e' ip='192.168.100.17'/>
          <host mac='52:54:00:dd:5f:dd' ip='192.168.100.18'/>
          <host mac='52:54:00:67:0b:fa' ip='192.168.100.19'/>
          <host mac='52:54:00:0d:37:bd' ip='192.168.100.20'/>
          <host mac='52:54:00:a5:7a:02' ip='192.168.100.21'/>
          <host mac='52:54:00:e2:8d:94' ip='192.168.100.22'/>
          <host mac='52:54:00:12:fb:15' ip='192.168.100.23'/>
          <host mac='52:54:00:01:cb:98' ip='192.168.100.24'/>
          <host mac='52:54:00:b0:d5:04' ip='192.168.100.25'/>
          <host mac='52:54:00:6c:bf:9e' ip='192.168.100.26'/>
          <host mac='52:54:00:d4:cc:5a' ip='192.168.100.27'/>
          <host mac='52:54:00:6e:1d:8d' ip='192.168.100.28'/>
          <host mac='52:54:00:aa:31:17' ip='192.168.100.29'/>
          <host mac='52:54:00:42:d8:e5' ip='192.168.100.30'/>
          <host mac='52:54:00:28:15:d5' ip='192.168.100.31'/>
          <host mac='52:54:00:99:56:a1' ip='192.168.100.32'/>
          <host mac='52:54:00:7a:e6:09' ip='192.168.100.33'/>
          <host mac='52:54:00:2a:fe:67' ip='192.168.100.34'/>
          <host mac='52:54:00:f1:95:37' ip='192.168.100.35'/>
          <host mac='52:54:00:a9:4f:92' ip='192.168.100.36'/>
          <host mac='52:54:00:ee:7d:40' ip='192.168.100.37'/>
          <host mac='52:54:00:51:40:33' ip='192.168.100.38'/>
          <host mac='52:54:00:b1:0c:6e' ip='192.168.100.39'/>
          <host mac='52:54:00:2f:9f:ad' ip='192.168.100.40'/>
          <host mac='52:54:00:c6:7e:1c' ip='192.168.100.41'/>
          <host mac='52:54:00:6f:96:82' ip='192.168.100.42'/>
          <host mac='52:54:00:e4:a8:b0' ip='192.168.100.43'/>
          <host mac='52:54:00:4f:c6:97' ip='192.168.100.44'/>
          <host mac='52:54:00:e2:1a:36' ip='192.168.100.45'/>
          <host mac='52:54:00:bd:59:03' ip='192.168.100.46'/>
          <host mac='52:54:00:f2:ca:f0' ip='192.168.100.47'/>
          <host mac='52:54:00:f4:35:85' ip='192.168.100.48'/>
          <host mac='52:54:00:c6:2f:84' ip='192.168.100.49'/>
          <host mac='52:54:00:e7:74:a4' ip='192.168.100.50'/>
        </dhcp>
      </ip>
    </network>

But as soon as the network is active, I see the following in /var/log/firewalld:

    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table mangle --delete POSTROUTING --out-interface VMmaint --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill' failed: iptables: No chain/target/match by that name.
    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete FORWARD --destination 192.168.100.0/24 --in-interface em1 --out-interface VMmaint --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete FORWARD --source 192.168.100.0/24 --in-interface VMmaint --out-interface em1 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete FORWARD --in-interface VMmaint --out-interface VMmaint --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete FORWARD --out-interface VMmaint --jump REJECT' failed: iptables: No chain/target/match by that name.
    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete FORWARD --in-interface VMmaint --jump REJECT' failed: iptables: No chain/target/match by that name.
    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface VMmaint --protocol udp --destination-port 53 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface VMmaint --protocol tcp --destination-port 53 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete OUTPUT --out-interface VMmaint --protocol udp --destination-port 68 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface VMmaint --protocol udp --destination-port 67 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface VMmaint --protocol tcp --destination-port 67 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).

It seems that some default configuration in libvirtd interacts badly with firewalld. I would like to learn the correct way to configure this through libvirt, without having to run any separate scripts.

morganyang1982

Posts: 2 Joined: 2016/03/18 13:50:52

Answer 1

A rogue firewalld process may be involved, similar to: firewalld error when adding http

Try stopping firewalld, killing any remaining firewalld processes, and then starting it again.

systemctl stop firewalld
pkill -f firewalld
systemctl start firewalld

More generally: disabling firewalld and rolling your own firewall with a bash script or a tool like shorewall is perfectly valid.
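Before restarting firewalld or replacing it, it helps to know which of the logged failures are harmless and which point at a real problem. iptables reports "Bad rule (does a matching rule exist in that chain?)" when asked to delete a rule that is simply not present (common when libvirt tears down rules that were never installed), whereas "No chain/target/match by that name" means the chain, target or match extension (CHECKSUM and REJECT in the log above) could not be found at all. The script below is an added triage example, not code from the question, the answer, libvirt or firewalld; it assumes the /var/log/firewalld line format shown above and embeds a constructed sample log modelled on those lines, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): summarise firewalld COMMAND_FAILED
# entries by iptables table, chain and failure reason, so that "rule not present"
# (Bad rule) can be told apart from "target/match unavailable" (No chain/target/match).

# Constructed sample log, modelled on the lines quoted in the question.
make_sample_log() {
    cat > "$1" <<'EOF'
2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table mangle --delete POSTROUTING --out-interface VMmaint --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill' failed: iptables: No chain/target/match by that name.
2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete FORWARD --destination 192.168.100.0/24 --in-interface em1 --out-interface VMmaint --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete FORWARD --out-interface VMmaint --jump REJECT' failed: iptables: No chain/target/match by that name.
2016-03-18 14:07:01 INFO: constructed unrelated line that must be ignored
EOF
}

# Print "table chain reason" for every COMMAND_FAILED line in the given log file.
failed_rules() {
    awk '
        /COMMAND_FAILED/ {
            table = "?"; chain = "?"
            # Walk the quoted iptables command word by word to pick out
            # the table and the chain the rule operation targeted.
            for (i = 1; i <= NF; i++) {
                if ($i == "--table") table = $(i+1)
                if ($i == "--delete" || $i == "--insert" || $i == "--append") chain = $(i+1)
            }
            reason = $0
            sub(/.*failed: iptables: /, "", reason)   # keep only the iptables message
            sub(/ \(.*$/, "", reason)                 # drop the "(does a matching ...)" hint
            sub(/\.$/, "", reason)                    # drop the trailing full stop
            print table, chain, reason
        }' "$1"
}

# Count failures per (table, chain, reason); output is sorted so it is stable.
failure_summary() {
    failed_rules "$1" | sort | uniq -c | sed 's/^ *//'
}

# Number of COMMAND_FAILED lines in the log file.
failure_count() {
    grep -c 'COMMAND_FAILED' "$1"
}

# Demo on the constructed sample. On a real host run:  failure_summary /var/log/firewalld
sample=$(mktemp)
make_sample_log "$sample"
failure_summary "$sample"
rm -f "$sample"
```

A summary dominated by "Bad rule" entries means libvirt is only failing to remove rules that were never there; lines with "No chain/target/match by that name" against CHECKSUM or REJECT deserve a look at whether the corresponding iptables extension modules are loadable on the updated host before any firewalld processes are killed.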
