ubuntu iptables libvirt port forwarding


For the past few days I have been racking my brains trying to figure out how to allow incoming connections on ports 443 and 8443 through to a virtual machine.

Here is some information about the system.

ifconfig before the VM starts

ens3      Link encap:Ethernet  HWaddr fa:16:3e:7a:fd:c3
          inet addr:x.x.x.45  Bcast:x.x.x.45  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1809 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1673 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:145652 (145.6 KB)  TX bytes:130509 (130.5 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:808 errors:0 dropped:0 overruns:0 frame:0
          TX packets:808 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:74740 (74.7 KB)  TX bytes:74740 (74.7 KB)

virbr0    Link encap:Ethernet  HWaddr 52:54:00:c4:48:90
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:53 errors:0 dropped:0 overruns:0 frame:0
          TX packets:40 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4071 (4.0 KB)  TX bytes:6578 (6.5 KB)

virbr1    Link encap:Ethernet  HWaddr 52:54:00:9f:72:7f
          inet addr:192.168.42.1  Bcast:192.168.42.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:1077 errors:0 dropped:0 overruns:0 frame:0
          TX packets:917 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:695843 (695.8 KB)  TX bytes:169696 (169.6 KB)

ifconfig after the VM starts

ens3      Link encap:Ethernet  HWaddr fa:16:3e:7a:fd:c3
          inet addr:x.x.x.45  Bcast:x.x.x.45  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2026 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1902 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:162734 (162.7 KB)  TX bytes:153951 (153.9 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1296 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1296 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:121712 (121.7 KB)  TX bytes:121712 (121.7 KB)

virbr0    Link encap:Ethernet  HWaddr 52:54:00:c4:48:90
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:96 errors:0 dropped:0 overruns:0 frame:0
          TX packets:73 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:7526 (7.5 KB)  TX bytes:12615 (12.6 KB)

virbr1    Link encap:Ethernet  HWaddr 52:54:00:9f:72:7f
          inet addr:192.168.42.1  Bcast:192.168.42.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2118 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1792 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1386531 (1.3 MB)  TX bytes:333696 (333.6 KB)

vnet0     Link encap:Ethernet  HWaddr fe:54:00:ee:5c:d0
          inet6 addr: fe80::fc54:ff:feee:5cd0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:43 errors:0 dropped:0 overruns:0 frame:0
          TX packets:83 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4057 (4.0 KB)  TX bytes:8869 (8.8 KB)

vnet1     Link encap:Ethernet  HWaddr fe:54:00:0b:15:eb
          inet6 addr: fe80::fc54:ff:fe0b:15eb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1041 errors:0 dropped:0 overruns:0 frame:0
          TX packets:936 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:705262 (705.2 KB)  TX bytes:167544 (167.5 KB)

iptables -S

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

ifconfig inside the VM

docker0   Link encap:Ethernet  HWaddr 02:42:0F:C1:9D:47
          inet addr:172.17.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:fff:fec1:9d47/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:230 errors:0 dropped:0 overruns:0 frame:0
          TX packets:216 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:19661 (19.2 KiB)  TX bytes:28440 (27.7 KiB)

eth0      Link encap:Ethernet  HWaddr 52:54:00:EE:5C:D0
          inet addr:192.168.122.135  Bcast:192.168.122.255  Mask:255.255.255.0
          inet6 addr: fe80::5054:ff:feee:5cd0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:63 errors:0 dropped:0 overruns:0 frame:0
          TX packets:73 errors:0 dropped:0 overruns:0 carrier:0
          collisions:312 txqueuelen:1000
          RX bytes:7723 (7.5 KiB)  TX bytes:6469 (6.3 KiB)

eth1      Link encap:Ethernet  HWaddr 52:54:00:0B:15:EB
          inet addr:192.168.42.201  Bcast:192.168.42.255  Mask:255.255.255.0
          inet6 addr: fe80::5054:ff:fe0b:15eb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:914 errors:0 dropped:0 overruns:0 frame:0
          TX packets:759 errors:0 dropped:0 overruns:0 carrier:0
          collisions:3960 txqueuelen:1000
          RX bytes:157257 (153.5 KiB)  TX bytes:690751 (674.5 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:22041 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22041 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:40447910 (38.5 MiB)  TX bytes:40447910 (38.5 MiB)

veth159e182 Link encap:Ethernet  HWaddr 52:8A:03:66:BA:E3
          inet6 addr: fe80::508a:3ff:fe66:bae3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:203 errors:0 dropped:0 overruns:0 frame:0
          TX packets:205 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:20046 (19.5 KiB)  TX bytes:18696 (18.2 KiB)

I have tried the following

iptables -t nat -I PREROUTING -p tcp --dport 443 -j DNAT --to 192.168.122.135:443
iptables -t nat -I PREROUTING -p tcp --dport 8443 -j DNAT --to 192.168.122.135:8443
iptables -I FORWARD -o virbr0 -d  192.168.122.135 -j ACCEPT

I also tried this

iptables -t nat -I PREROUTING -p tcp --dport 443 -j DNAT --to 192.168.42.201:443
iptables -t nat -I PREROUTING -p tcp --dport 8443 -j DNAT --to 192.168.42.201:8443
iptables -I FORWARD -o virbr0 -d  192.168.42.201 -j ACCEPT

When I try to connect to the server with Chrome, the IP address changes to the local IP address. See the pictures.

Picture 1

Picture 2

Can anyone help me find out what I am doing wrong? Any help is greatly appreciated.
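As an added example (not code from the post or its answer), a libvirt qemu hook that installs the DNAT and FORWARD rules the question is after when the guest starts and removes them when it stops. The domain name vm1 is an assumption; the guest address, bridge and public interface are the ones shown above. It inserts with -I because libvirt's own "-A FORWARD -o virbr0 -j REJECT" rule sits in the chain and an appended rule would never be reached.

```shell
#!/bin/sh
# Hypothetical /etc/libvirt/hooks/qemu (added example, not from the post).
# libvirt runs it as: qemu <guest-name> <operation> <sub-operation> <extra>
IPT="${IPT:-iptables}"          # override (e.g. IPT=echo) to dry-run the rules
GUEST_NAME="vm1"                # assumption: the guest's libvirt domain name
GUEST_IP="192.168.122.135"      # guest address on virbr0 (from the post)
BRIDGE="virbr0"
WAN_IF="ens3"                   # host's public interface (from the post)
PORTS="443 8443"

# $1 is -I (install) or -D (delete); emits one DNAT and one FORWARD rule per port.
# Return traffic from the guest is already accepted by libvirt's
# "-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT" rule.
rules() {
    op="$1"
    for port in $PORTS; do
        # Only rewrite connections arriving on the public interface, so the
        # forward does not also capture traffic from other guests on the bridge.
        $IPT -t nat "$op" PREROUTING -i "$WAN_IF" -p tcp --dport "$port" \
            -j DNAT --to-destination "$GUEST_IP:$port"
        # Allow only the forwarded port to reach the guest, not every port.
        $IPT "$op" FORWARD -o "$BRIDGE" -d "$GUEST_IP" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    done
}

# Only act on the guest this hook is for; other guests are ignored.
if [ "$1" = "$GUEST_NAME" ]; then
    case "$2" in
        start)   rules -I ;;   # guest starting: install the forwards
        stopped) rules -D ;;   # guest stopped: remove them again
    esac
fi
```

Install it as an executable /etc/libvirt/hooks/qemu; running it with IPT=echo and calling rules -I prints the rules it would apply without touching the firewall.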

Answer 1

Your web application is doing this, not the firewall.

Since you are running OpenShift Origin behind NAT, you need to set openshift_master_cluster_public_hostname to an address that is reachable from outside. See the documentation; you may need to set other variables as well.
