How do I restart a KVM network bridge after a host reboot?

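I have a KVM host at 192.168.0.4, and a guest running at 192.168.0.9 with a bridged network adapter; the guest had been connected to the whole 192.168.0.0/24 network for weeks.

Now I had to reboot the host, and the guest VM was restarted as well, but it can no longer connect to anything on the network except the host.

I can connect to it from the host, and from the guest I can connect back to the host at IP 192.168.0.4, but nothing else can be reached. ssh [email protected]

I think some service is missing that I need to restart after the host reboot to tell the network adapter to bridge external connections. Or maybe the Docker network interface did not initialize the firewall correctly after the reboot. But I don't know; what should I do?

Thanks

Output from the KVM host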

brctl show
bridge name   bridge id       STP enabled interfaces
br-238782ed063f       8000.0242e81a340a   no      
br0       8000.7085c2060a8a   no      enp5s0
                          vnet0
docker0       8000.02427d14b9fa   no      
virbr0        8000.52540044738a   yes     virbr0-nic
ifconfig -a
br0       Link encap:Ethernet  HWaddr 70:85:c2:06:0a:8a  
          inet addr:192.168.0.4  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::7285:c2ff:fe06:a8a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1527437 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1997661 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:151534896 (151.5 MB)  TX bytes:1283893295 (1.2 GB)

br-238782ed063f Link encap:Ethernet  HWaddr 02:42:e8:1a:34:0a  
          inet addr:172.18.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

docker0   Link encap:Ethernet  HWaddr 02:42:7d:14:b9:fa  
          inet addr:172.17.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

enp5s0    Link encap:Ethernet  HWaddr 70:85:c2:06:0a:8a  
          inet6 addr: fe80::7285:c2ff:fe06:a8a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1530168 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2147775 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:173382480 (173.3 MB)  TX bytes:1293304788 (1.2 GB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:276 errors:0 dropped:0 overruns:0 frame:0
          TX packets:276 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:18224 (18.2 KB)  TX bytes:18224 (18.2 KB)

virbr0    Link encap:Ethernet  HWaddr 52:54:00:44:73:8a  
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

virbr0-nic Link encap:Ethernet  HWaddr 52:54:00:44:73:8a  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

vnet0     Link encap:Ethernet  HWaddr fe:54:00:5b:f5:99  
          inet6 addr: fe80::fc54:ff:fe5b:f599/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15558 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20507 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1212123 (1.2 MB)  TX bytes:1272954 (1.2 MB)
iptables -L -v -n
Chain INPUT (policy ACCEPT 1448K packets, 144M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain FORWARD (policy DROP 30647 packets, 7648K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0           
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
32553 8091K DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
32553 8091K DOCKER-ISOLATION  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      br-238782ed063f  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-238782ed063f  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-238782ed063f !br-238782ed063f  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-238782ed063f br-238782ed063f  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 1919K packets, 1241M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-ISOLATION (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  br-238782ed063f docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  docker0 br-238782ed063f  0.0.0.0/0            0.0.0.0/0           
32553 8091K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
32553 8091K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

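Answer 1

The problem is with iptables. The FORWARD table does not allow any traffic through the br0 interface, and it has a default DROP rule.

To fix the problem, you need to flush all rules in the FORWARD table and assign it the default policy ACCEPT: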

iptables -F FORWARD
iptables -P FORWARD ACCEPT
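
The two commands above flush every FORWARD rule, including the ones Docker and libvirt installed, and open forwarding for all interfaces; a narrower alternative keeps the DROP policy and accepts only traffic bridged within br0. The following is an added example, not part of the original answer: it evaluates `iptables -L -v -n` output for a bridge and prints that narrower rule, assuming jumps to user-defined chains return (as the DOCKER-* chains in the question do) and using an abridged copy of the question's FORWARD chain as sample input.

```shell
#!/bin/sh
# Added example: decide what the FORWARD chain does with traffic bridged
# across a given bridge, reading `iptables -L -v -n` output on stdin.
# Prints "accept" or "blocked". Jumps to user-defined chains are skipped,
# i.e. assumed to RETURN (true for the DOCKER-* chains in the question).
forward_verdict() {
    awk -v br="$1" '
    function hit(field) {          # does an in/out column match the bridge?
        if (field == "*") return 1
        if (substr(field, 1, 1) == "!") return substr(field, 2) != br
        return field == br
    }
    $1 == "Chain" {
        infwd = ($2 == "FORWARD")
        if (infwd) { policy = $4; sub(/\)/, "", policy) }
        next
    }
    !infwd || $1 == "pkts" || NF < 9 { next }
    {
        # Extra columns are match conditions, except REJECT target options.
        extra = (NF > 9 && $3 != "REJECT")
        # Only unconditional rules for this bridge decide the verdict.
        if (hit($6) && hit($7) && $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" && !extra) {
            if ($3 == "ACCEPT") { verdict = "accept"; exit }
            if ($3 == "DROP" || $3 == "REJECT") { verdict = "blocked"; exit }
        }
    }
    END {
        # No rule decided: the chain policy applies.
        if (verdict == "") verdict = (policy == "ACCEPT") ? "accept" : "blocked"
        print verdict
    }'
}

# Sample input: the FORWARD chain from the question, abridged.
sample() { cat <<'EOF'
Chain FORWARD (policy DROP 30647 packets, 7648K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
32553 8091K DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
EOF
}

if [ "$(sample | forward_verdict br0)" = "blocked" ]; then
    # Narrow fix: accept only traffic bridged within br0; policy stays DROP.
    echo "iptables -I FORWARD -i br0 -o br0 -j ACCEPT"
fi
```

Bridged frames only reach the iptables FORWARD chain when the `br_netfilter` module is loaded and `net.bridge.bridge-nf-call-iptables` is 1, so check that sysctl before concluding the firewall is involved.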
