Ubuntu/KVM - iptables NAT rule forwarding a port from the host to the guest does not work properly (affects HTTP)


To explain the situation: I installed Ubuntu 17.04, installed KVM, and then successfully set up a Windows Server 2016 Standard virtual machine. Network/internet access worked fine until this morning, when I noticed that some websites could not be reached while browsing. I have found the source of the problem, but my iptables knowledge is minimal, and after countless hours of research I still haven't figured it out.

Here is the impact of the problem.

  • HTTPS websites work.
  • HTTP websites do not work (ERR_CONNECTION_TIMED_OUT).
  • My HTTP IIS website does work and is reachable from anywhere.

I use a NAT connection between the host and the guest. I use the /etc/libvirt/hooks/qemu script they provide to forward the ports, and I have found the source of the problem (numbered 1 and 2 below).

Edit: I am putting them here so they are easier to see:

1- /sbin/iptables -t nat -D PREROUTING -p tcp --dport 80 -j DNAT --to $GUEST_IP:80

2- /sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to-destination $GUEST_IP:80

I have tried each of them separately; they work for a while, and then I can no longer reach HTTP websites, although my web server is still reachable.

I would appreciate any help, or any new/different rules, that could solve this.

#!/bin/bash

if [ "${1}" = "VM-NAME" ]; then

   GUEST_IP=10.0.0.5
   # currently not used anywhere
   HOST_IP=1.2.3.4

   # CURRENTLY NOT USED, use as $HOST_PORT or $GUEST_PORT
   #GUEST_PORT=3389
   #HOST_PORT=1338

   if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
        /sbin/iptables -D FORWARD -o virbr0 -d  $GUEST_IP -j ACCEPT
        ##/sbin/iptables -I FORWARD -m state 10.0.0.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT

        #### RDP [tcp/udp] [Host:1338 -> VM:3389]
        /sbin/iptables -t nat -D PREROUTING -p tcp --dport 1338 -j DNAT --to $GUEST_IP:3389
        /sbin/iptables -t nat -D PREROUTING -p udp --dport 1338 -j DNAT --to $GUEST_IP:3389

        #### HTTP [tcp] [Host:80 -> VM:80]
        ## 1- /sbin/iptables -t nat -D PREROUTING -p tcp --dport 80 -j DNAT --to $GUEST_IP:80
        ## 2- /sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to-destination $GUEST_IP:80
   fi
   if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
        /sbin/iptables -I FORWARD -o virbr0 -d  $GUEST_IP -j ACCEPT
        ##/sbin/iptables -I FORWARD -m state 10.0.0.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT

        #### RDP [tcp/udp] [Host:1338 -> VM:3389]
        /sbin/iptables -t nat -I PREROUTING -p tcp --dport 1338 -j DNAT --to $GUEST_IP:3389
        /sbin/iptables -t nat -I PREROUTING -p udp --dport 1338 -j DNAT --to $GUEST_IP:3389

        #### HTTP [tcp] [Host:80 -> VM:80]
        ## 1- /sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to $GUEST_IP:80
        ## 2- /sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to-destination $GUEST_IP:80

   fi
fi

In case you need it, my ifconfig is below. I believe virbr0 is the bridge between the host and the VMs, and vnet0 only appears while the VM is running. (I don't quite understand why vnet0 only has IPv6.)

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet <my ipv4> netmask 255.255.255.0  broadcast <my ipv4>.255
        inet6 <my ipv6>  prefixlen 128  scopeid 0x0<global>
        inet6 <my ipv6> prefixlen 64  scopeid 0x20<link>
        ether 4c:72:b9:43:f0:e5  txqueuelen 1000  (Ethernet)
        RX packets 18640  bytes 2965981 (2.9 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 16930  bytes 3893649 (3.8 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xfe500000-fe520000

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 164  bytes 33947 (33.9 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 164  bytes 33947 (33.9 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.1  netmask 255.255.255.0  broadcast 10.0.0.255
        ether 52:54:00:62:88:21  txqueuelen 1000  (Ethernet)
        RX packets 10302  bytes 2798316 (2.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9209  bytes 1691107 (1.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::fc7f:f3ff:fe5e:e777  prefixlen 64  scopeid 0x20<link>
        ether fe:7f:f3:5e:e7:77  txqueuelen 1000  (Ethernet)
        RX packets 10302  bytes 2942544 (2.9 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 13079  bytes 1893103 (1.8 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
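A nat PREROUTING rule that matches only on `--dport 80` applies to every packet entering the host, including the guest's own outbound HTTP connections arriving on virbr0, which are then rewritten back to the guest. The hook below is an added example, not the poster's script or libvirt's: it forwards the same ports but restricts the DNAT to packets that arrive on the external interface and are addressed to the host, and adds a DRY_RUN mode that prints the rules instead of applying them. Assumed from the question: VM name "VM-NAME", guest 10.0.0.5, host 1.2.3.4, eth0 as the external interface.

```shell
#!/bin/bash
# Added example, not the poster's hook. Scopes the port forward to packets
# that arrive on the host's external interface and carry the host's own IP.
# Assumed: VM name, guest IP, host IP and eth0 are the question's values.

IPT=/sbin/iptables
VM_NAME="VM-NAME"
GUEST_IP=10.0.0.5
HOST_IP=1.2.3.4
WAN_IF=eth0
BRIDGE=virbr0

# Print the command instead of running it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# $1 is -I (insert, on start) or -D (delete, on stop).
apply_rules() {
    local act="$1"
    # FORWARD: let new connections from outside reach only the forwarded ports.
    run "$IPT" "$act" FORWARD -i "$WAN_IF" -o "$BRIDGE" -d "$GUEST_IP" \
        -p tcp -m multiport --dports 80,3389 -m conntrack --ctstate NEW -j ACCEPT
    run "$IPT" "$act" FORWARD -i "$WAN_IF" -o "$BRIDGE" -d "$GUEST_IP" \
        -p udp --dport 3389 -m conntrack --ctstate NEW -j ACCEPT
    # PREROUTING sees every packet entering the host, including the guest's
    # own outbound HTTP arriving on virbr0, so match the ingress interface
    # and the host address rather than the destination port alone.
    run "$IPT" -t nat "$act" PREROUTING -i "$WAN_IF" -d "$HOST_IP" \
        -p tcp --dport 80 -j DNAT --to-destination "$GUEST_IP:80"
    run "$IPT" -t nat "$act" PREROUTING -i "$WAN_IF" -d "$HOST_IP" \
        -p tcp --dport 1338 -j DNAT --to-destination "$GUEST_IP:3389"
    run "$IPT" -t nat "$act" PREROUTING -i "$WAN_IF" -d "$HOST_IP" \
        -p udp --dport 1338 -j DNAT --to-destination "$GUEST_IP:3389"
}

# libvirt calls the hook as: qemu <vm name> <operation> <sub-operation> ...
hook() {
    [ "$1" = "$VM_NAME" ] || return 0
    case "$2" in
        stopped|reconnect) apply_rules -D ;;
    esac
    case "$2" in
        start|reconnect) apply_rules -I ;;
    esac
}
hook "$@"
```

Running `DRY_RUN=1 ./qemu VM-NAME start` prints the five rules that would be inserted, which is a quick way to review them before installing the hook.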
