KVM-libvirt qemu script produces duplicates in iptables


OS: CentOS 7

Firewall: iptables

libvirt: 1.2.17

Problem: I used the guide to forward ports from the host to the guest. Guide link: http://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections

When I activate the script it works fine, but it also generates duplicate lines in iptables, for both the regular rules and the nat rules.

How can I fix it?

Script example (the standard script without any changes, which I took from the libvirt site; it seems the script has a bug):

Guest_name=crm-server
Guest_ipaddr=192.168.122.2
Host_ipaddr=1.1.1.1
# index i of Host_port is forwarded to index i of Guest_port
Host_port=(  '1022' '1022' )
Guest_port=( '22' '22' )

# highest array index, so the loop below covers every pair
length=$(( ${#Host_port[@]} - 1 ))
if [ "${1}" = "${Guest_name}" ]; then
    # on stop/reconnect: remove the DNAT and FORWARD rules for each pair
    if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
        for i in $(seq 0 $length); do
            iptables -t nat -D PREROUTING -d ${Host_ipaddr} -p tcp --dport ${Host_port[$i]} -j DNAT --to ${Guest_ipaddr}:${Guest_port[$i]}
            iptables -D FORWARD -d ${Guest_ipaddr}/32 -p tcp -m state --state NEW -m tcp --dport ${Guest_port[$i]} -j ACCEPT
        done
    fi
    # on start/reconnect: add the DNAT and FORWARD rules for each pair
    if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
        for i in $(seq 0 $length); do
            iptables -t nat -A PREROUTING -d ${Host_ipaddr} -p tcp --dport ${Host_port[$i]} -j DNAT --to ${Guest_ipaddr}:${Guest_port[$i]}
            iptables -I FORWARD -d ${Guest_ipaddr}/32 -p tcp -m state --state NEW -m tcp --dport ${Guest_port[$i]} -j ACCEPT
        done
    fi
fi

Firewall rule example:

[root@TOTORO ~]# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A FORWARD -d 192.168.122.2/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.122.2/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT

As you can see, there is a doubled line:

-A FORWARD -d 192.168.122.2/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
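The hook above appends a rule once per array index and never checks whether that rule already exists, so any repeated port pair, a second "start", or a "reconnect" that follows a failed delete leaves identical rules behind. Duplicate ACCEPT/DNAT rules are also a maintenance risk: removing one copy looks like a successful firewall change while the other still forwards traffic. The script below is an added example written for this answer, not the libvirt wiki's hook: it deduplicates the host:guest port pairs, guards every add with `iptables -C` (the rule-exists check available in CentOS 7's iptables), and on stop deletes until no copy is left. It assumes a space-separated `PORT_MAP` list instead of the two arrays, and an `IPTABLES` variable that can be overridden so the logic can be exercised without root; the guest name and addresses are the ones from the question.

```shell
#!/bin/sh
# Added example (not the libvirt wiki script): idempotent port-forwarding hook.
# Differences from the posted script:
#   1. host:guest port pairs are deduplicated before use
#   2. each add is guarded by "iptables -C" (rule-exists check, iptables >= 1.4.11)
#   3. delete loops until no copy of the rule remains, so pre-existing
#      duplicates are cleaned up on "stopped"/"reconnect"
# IPTABLES is overridable (assumption made for testing without root).

IPTABLES="${IPTABLES:-iptables}"

Guest_name=crm-server            # values taken from the question
Guest_ipaddr=192.168.122.2
Host_ipaddr=1.1.1.1
# hostport:guestport pairs, space separated; the pair is listed twice on purpose
# to mirror the question's Host_port=('1022' '1022') / Guest_port=('22' '22')
PORT_MAP="1022:22 1022:22"

# Print each pair once, preserving first-seen order.
unique_pairs() {
    seen=" "
    for pair in $PORT_MAP; do
        case "$seen" in
            *" $pair "*) continue ;;   # already emitted
        esac
        seen="$seen$pair "
        printf '%s\n' "$pair"
    done
}

# Rule specifications (chain plus match/target) without the -A/-I/-D/-C verb.
nat_rule() { printf '%s' "PREROUTING -d ${Host_ipaddr} -p tcp --dport $1 -j DNAT --to ${Guest_ipaddr}:$2"; }
fwd_rule() { printf '%s' "FORWARD -d ${Guest_ipaddr}/32 -p tcp -m state --state NEW -m tcp --dport $2 -j ACCEPT"; }

# ensure_rule <table> <-A|-I> <rule...>: add only when -C reports the rule absent.
ensure_rule() {
    table=$1; verb=$2; shift 2
    if "$IPTABLES" -t "$table" -C "$@" 2>/dev/null; then
        return 0                      # already present, nothing to do
    fi
    "$IPTABLES" -t "$table" "$verb" "$@"
}

# delete_rule <table> <rule...>: remove every copy of the rule.
delete_rule() {
    table=$1; shift
    while "$IPTABLES" -t "$table" -C "$@" 2>/dev/null; do
        "$IPTABLES" -t "$table" -D "$@" || return 1
    done
}

# apply_hook <guest> <action>: same branches as the wiki script.
apply_hook() {
    [ "$1" = "$Guest_name" ] || return 0
    action=$2
    for pair in $(unique_pairs); do
        hp=${pair%%:*}; gp=${pair#*:}
        if [ "$action" = stopped ] || [ "$action" = reconnect ]; then
            delete_rule nat $(nat_rule "$hp" "$gp")
            delete_rule filter $(fwd_rule "$hp" "$gp")
        fi
        if [ "$action" = start ] || [ "$action" = reconnect ]; then
            ensure_rule nat -A $(nat_rule "$hp" "$gp")
            ensure_rule filter -I $(fwd_rule "$hp" "$gp")
        fi
    done
}

apply_hook "$@"
```

libvirt calls the hook as `/etc/libvirt/hooks/qemu <guest> <action> ...`, so the script takes the same two leading arguments as the original. To confirm that an existing ruleset is clean, `iptables -S | sort | uniq -d` prints every rule that appears more than once; after running the hook above it should print nothing.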
