我正在尝试按照本教程设置 KVM 虚拟机: https://sandilands.info/sgordon/linux-servers-as-kvm-virtual-machines
我无法正确配置防火墙/NAT。如果我正确理解了本教程,IP 192.168.1.100 应该转发到 192.168.122.100。但我收到“连接被拒绝”错误。你能告诉我我做错了什么吗?
边注:
- 192.168.1.10 与本教程中的 192.168.1.2 相同,
- 192.168.1.100 与教程中的 192.168.1.10 相同
我的接口配置(ifconfig 输出):
enp1s0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:192.168.1.10 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: xxxx::xxxx:xxxx:xxxx:xxxx/xx Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:xxxxxx errors:0 dropped:0 overruns:0 frame:0
TX packets:yyyyyy errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:569834067 (569.8 MB) TX bytes:33729447 (33.7 MB)
enp1s0:0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
我应用的 iptable 规则:
sudo iptables -t nat -I PREROUTING -d 192.168.1.100 -j DNAT --to-destination 192.168.122.100
sudo iptables -t nat -I POSTROUTING -s 192.168.122.100 -j SNAT --to-source 192.168.1.100
sudo iptables -I FORWARD -p tcp -d 192.168.122.100 --dport 22 -j ACCEPT
sudo iptables -I FORWARD -p tcp -d 192.168.122.100 --dport 80 -j ACCEPT
测试连接。连接被拒绝。
$ telnet 192.168.1.100 80
Trying 192.168.1.100...
telnet: Unable to connect to remote host: Connection refused
答案1
从同一台机器连接时,链DNAT中的规则PREROUTING不会被执行。当充当路由器时,它会影响通过主机的流量。您需要在链中添加DNAT规则。OUTPUT
您可以尝试添加如下规则并重新进行测试:
sudo iptables -t nat -I OUTPUT -d 192.168.1.100 -j DNAT --to-destination 192.168.122.100