What is the standard way to forward ports from the host to an LXC container?

I am experimenting with LXC containers. When I set up veth networking, libvirtd created some iptables rules:

[root@VM ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 61 packets, 6229 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            10.0.0.0/24          ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 *       10.0.0.0/24          0.0.0.0/0           
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 34 packets, 4693 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68

And NAT:

[root@VM ~]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 5 packets, 812 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 5 packets, 812 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1 packets, 72 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 1 packets, 72 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       10.0.0.0/24          224.0.0.0/24        
    0     0 RETURN     all  --  *      *       10.0.0.0/24          255.255.255.255     
    0     0 MASQUERADE  tcp  --  *      *       10.0.0.0/24         !10.0.0.0/24          masq ports: 1024-65535
    0     0 MASQUERADE  udp  --  *      *       10.0.0.0/24         !10.0.0.0/24          masq ports: 1024-65535
    0     0 MASQUERADE  all  --  *      *       10.0.0.0/24         !10.0.0.0/24         

I know that I can forward a port with:

iptables -t nat -A PREROUTING -p tcp -i enp0s3 --dport 81 -j DNAT --to-destination 10.0.0.10:22

iptables -I FORWARD -p tcp -d 10.0.0.10 --dport 22 -j ACCEPT

The important point is that I have to insert the second rule at the top of the chain.

I would like to know how to do this port forwarding the "standard" way. I tried using hooks, but the hooks are never called.

I tried the following:

  • /etc/libvirt/hooks/qemu
  • /etc/libvirt/hooks/lxc
  • /etc/libvirt/hooks/qemu
  • /etc/libvirt/hook/lxc
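As an added example (not part of the question, and not libvirt's own code), here is what a libvirt hook script at /etc/libvirt/hooks/lxc can look like when it applies the question's two rules on container start and removes them on stop. libvirtd invokes a hook as `<script> <guest name> <operation> <sub-operation> <extra>` with the domain XML on stdin; the script must be executable, and libvirtd only discovers hook scripts when the daemon starts, so it has to be restarted after the file is created. The interface `enp0s3`, the address `10.0.0.10` and the ports 81/22 are taken from the question; the domain name `mycontainer` is an assumption.

```shell
#!/bin/sh
# Added example (not from the question or from libvirt): a libvirt hook script
# for LXC domains that installs the question's DNAT + FORWARD rules when one
# container starts and removes them again when it stops.
#
# libvirtd runs /etc/libvirt/hooks/lxc as:
#     /etc/libvirt/hooks/lxc <guest name> <operation> <sub-operation> <extra>
# with the domain XML on stdin (ignored here). Make the file executable and
# restart libvirtd afterwards: hook scripts are only discovered at daemon start.

HOST_IF="enp0s3"           # host-facing interface, as in the question
GUEST_NAME="mycontainer"   # ASSUMPTION: the libvirt domain name to forward for
GUEST_IP="10.0.0.10"       # container address, as in the question
HOST_PORT=81               # external port, as in the question
GUEST_PORT=22              # container port, as in the question
PROTO=tcp

# Print the two iptables commands for an action: A (add) or D (delete).
# The FORWARD rule is inserted with -I so it sits above libvirt's REJECT rules,
# which is the ordering problem the question points out.
render_rules() {
    action="$1"
    case "$action" in
        A) fwd_flag="-I" ;;
        D) fwd_flag="-D" ;;
        *) echo "render_rules: bad action '$action'" >&2; return 1 ;;
    esac
    printf '%s\n' "iptables -t nat -${action} PREROUTING -p ${PROTO} -i ${HOST_IF} --dport ${HOST_PORT} -j DNAT --to-destination ${GUEST_IP}:${GUEST_PORT}"
    printf '%s\n' "iptables ${fwd_flag} FORWARD -p ${PROTO} -d ${GUEST_IP} --dport ${GUEST_PORT} -j ACCEPT"
}

# Rewrite an add command (-A/-I) into the matching `iptables -C` existence
# check, so restarting the container does not stack duplicate rules.
to_check_cmd() {
    printf '%s\n' "$1" | sed 's/ -[AI] / -C /'
}

# Map a hook invocation to the commands it should run. Only the "started"
# and "stopped" operations matter; prepare/release/reconnect print nothing,
# and any other domain is ignored.
hook_dispatch() {
    guest="$1"; op="$2"; subop="$3"
    [ "$guest" = "$GUEST_NAME" ] || return 0
    case "$op/$subop" in
        started/begin) render_rules A ;;
        stopped/end)   render_rules D ;;
        *) ;;
    esac
}

# Execute commands read from stdin, one per line. Adds are skipped when the
# rule already exists; a failing delete (rule already gone) is not fatal.
apply_rules() {
    while IFS= read -r cmd; do
        case "$cmd" in
            *" -A "*|*" -I "*) eval "$(to_check_cmd "$cmd")" 2>/dev/null || eval "$cmd" ;;
            *)                 eval "$cmd" || true ;;
        esac
    done
}

# libvirtd supplies at least four arguments; when run with none (for example
# when sourced to dry-run `hook_dispatch mycontainer started begin -`)
# nothing is applied.
if [ "$#" -ge 3 ]; then
    hook_dispatch "$@" | apply_rules
fi
```

Keeping rule generation (`render_rules`) separate from execution (`apply_rules`) lets you dry-run the script without root by sourcing it and calling `hook_dispatch` directly, and the `-C` check before every add keeps the nat and FORWARD chains from filling with duplicates across container restarts.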
