KVM guest does not show the correct source IP

I have KVM hosted on CentOS 7. All of my network configuration is done through NetworkManager. The problem I'm facing is that when connecting to the guest from the external network (i.e. via SSH), the guest shows KVM's IP rather than my external IP.

The guest network is set up on virbr1, routed to enp2s0, and then NATed before going out to the external network.

KVM LAN IP - 192.168.1.1/24

firewall-cmd list-all output:

external (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp2s0
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
      rule family="ipv4" source ipset="whitelist" forward-port port="2222" protocol="tcp" to-port="22" to-addr="192.168.1.2"

..
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: virbr0 virbr1
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

systemctl status iptables output:

Unit iptables.service could not be found.

iptables -vnL output:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
    0     0 ACCEPT     udp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
16402 2196K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 2478  130K INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2477  130K INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2477  130K INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   17  1068 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
 2298  112K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
17830  153M ACCEPT     all  --  enp2s0 virbr1  0.0.0.0/0            192.168.1.0/24
12801   18M ACCEPT     all  --  virbr1 enp2s0  192.168.1.0/24       0.0.0.0/0
    0     0 ACCEPT     all  --  virbr1 virbr1  0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      virbr1  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr1 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    1    69 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 2319  114K FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2319  114K FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2319  114K FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2317  114K FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2317  114K FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    5   204 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 20270 packets, 15M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT     udp  --  *      virbr1  0.0.0.0/0            0.0.0.0/0            udp dpt:68
20272   15M OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2319  114K FWDI_external  all  --  enp2s0 *       0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 FWDI_trusted  all  --  virbr1 *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDI_trusted  all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDI_external  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_OUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2317  114K FWDO_external  all  --  *      enp2s0  0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 FWDO_trusted  all  --  *      virbr1  0.0.0.0/0            0.0.0.0/0
    0     0 FWDO_trusted  all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0
    0     0 FWDO_external  all  --  *      +       0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_external (2 references)
 pkts bytes target     prot opt in     out     source               destination
 2319  114K FWDI_external_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2319  114K FWDI_external_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2319  114K FWDI_external_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    2    62 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FWDI_external_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW mark match 0x64
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW mark match 0x65
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW mark match 0x66
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW mark match 0x67
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW mark match 0x68
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW mark match 0x69
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW mark match 0x6a
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW mark match 0x6b

Chain FWDI_external_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_external_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_trusted (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDI_trusted_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDI_trusted_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDI_trusted_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FWDI_trusted_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_trusted_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_trusted_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_external (2 references)
 pkts bytes target     prot opt in     out     source               destination
 2317  114K FWDO_external_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2317  114K FWDO_external_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2317  114K FWDO_external_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FWDO_external_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2312  113K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain FWDO_external_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_external_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_trusted (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDO_trusted_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDO_trusted_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDO_trusted_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FWDO_trusted_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_trusted_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_trusted_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2415  119K IN_external  all  --  enp2s0 *       0.0.0.0/0            0.0.0.0/0           [goto]
   62 11515 IN_trusted  all  --  virbr1 *       0.0.0.0/0            0.0.0.0/0
    0     0 IN_trusted  all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0
    0     0 IN_external  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    60 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22 match-set fail2ban-sshd src reject-with icmp-port-unreachable

Chain IN_external (2 references)
 pkts bytes target     prot opt in     out     source               destination
 2415  119K IN_external_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2415  119K IN_external_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2415  119K IN_external_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   40  2682 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IN_external_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
   60  3056 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW

Chain IN_external_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_external_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_trusted (2 references)
 pkts bytes target     prot opt in     out     source               destination
   62 11515 IN_trusted_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   62 11515 IN_trusted_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   62 11515 IN_trusted_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   62 11515 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IN_trusted_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_trusted_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_trusted_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

nmcli con show virbr1 output (trimmed):

connection.id:                          virbr1
connection.uuid:                        42f97b7c-40f0-4c3a-9a39-cf8d6af8bb12
connection.stable-id:                   --
connection.type:                        bridge
connection.interface-name:              virbr1
connection.zone:                        --
connection.master:                      --
ipv4.method:                            manual
ipv4.addresses:                         192.168.1.1/24
ipv4.gateway:                           --
ipv4.route-table:                       0 (unspec)
GENERAL.STATE:                          activated
GENERAL.ZONE:                           --
IP4.ADDRESS[1]:                         192.168.1.1/24
IP4.GATEWAY:                            --
IP4.ROUTE[1]:                           dst = 192.168.1.0/24, nh = 0.0.0.0, mt = 0
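
One thing the question does not include is the nat table: the iptables -vnL output above is the filter table only, and nothing in its FORWARD chain rewrites addresses. Whatever makes the guest see the host's IP has to be a SNAT or MASQUERADE rule that fires for the DNATed packets as they leave via virbr1. The script below is an added diagnostic, not part of the original post; it works from pasted text so it runs offline, and it assumes the addresses from the question (host virbr1 192.168.1.1, guest 192.168.1.2, external port 2222 forwarded to guest port 22). The host's public address 198.51.100.10 and the client address 203.0.113.5 are placeholders, and the conntrack entries and nat rules in it are constructed samples, not captures from the poster's host. The live conntrack check needs conntrack-tools (yum install conntrack-tools on CentOS 7).

```sh
#!/bin/sh
# Added diagnostic for the "guest sees the host's IP" symptom; not from the
# original post. Assumes the question's addresses (host virbr1 192.168.1.1,
# guest 192.168.1.2, external port 2222 forwarded to guest port 22) and
# firewalld's iptables backend on CentOS 7. The host's public address
# 198.51.100.10 and the client 203.0.113.5 are placeholders.

# 1. The posted `iptables -vnL` is the filter table only. Address rewriting is
#    done in the nat table, so list every SNAT/MASQUERADE rule there.
#    Live use:  iptables -t nat -S | find_snat_rules
find_snat_rules() {
    grep -E -e '-j (MASQUERADE|SNAT)'
}

# 2. Classify one `conntrack -L` entry. The first src=/dst= pair is the
#    original direction (what the client sent); the second pair is the reply
#    direction, and the reply's dst= is the address the guest sees the SSH
#    client as. If it differs from the original src=, the flow was SNATed.
#    Live use:  conntrack -L -p tcp 2>/dev/null | grep 'dport=2222 ' |
#                 while read -r l; do classify_flow "$l"; done
classify_flow() {
    printf '%s\n' "$1" | awk '
    {
        n = 0; m = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/) src[++n] = substr($i, 5)
            if ($i ~ /^dst=/) dst[++m] = substr($i, 5)
        }
        if (n < 2 || m < 2) { print "unparsed"; exit }
        if (dst[2] == src[1]) print "preserved " src[1]
        else print "rewritten " src[1] " -> " dst[2]
    }'
}

# Constructed samples (not captured from the poster's host).
# Plain DNAT: the reply goes back to the client address, so the guest logs
# 203.0.113.5 as the SSH client.
FLOW_DNAT_ONLY='tcp 6 431999 ESTABLISHED src=203.0.113.5 dst=198.51.100.10 sport=51234 dport=2222 src=192.168.1.2 dst=203.0.113.5 sport=22 dport=51234 [ASSURED] use=1'
# DNAT plus masquerade: the reply goes to the host's virbr1 address, which is
# exactly what the question describes the guest seeing.
FLOW_MASQ='tcp 6 431999 ESTABLISHED src=203.0.113.5 dst=198.51.100.10 sport=51234 dport=2222 src=192.168.1.2 dst=192.168.1.1 sport=22 dport=51234 [ASSURED] use=1'
# Constructed `iptables -t nat -S` excerpt using firewalld's chain naming: the
# forward-port DNAT plus two masquerade rules. Which one (if any) matches the
# DNATed flow is what the live counters in `iptables -t nat -vnL POSTROUTING`
# have to show; only a rule that fires for packets leaving via virbr1 can
# explain the symptom.
NAT_SAMPLE='-A PREROUTING -j PREROUTING_ZONES
-A PRE_external_allow -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.1.2:22
-A POST_external_allow ! -o lo -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE'

# Demo on the constructed samples; needs no root and no live firewall.
echo "nat rules that rewrite the source:"
printf '%s\n' "$NAT_SAMPLE" | find_snat_rules
echo "flow A: $(classify_flow "$FLOW_DNAT_ONLY")"
echo "flow B: $(classify_flow "$FLOW_MASQ")"
```

On the real host, open a test SSH connection from outside and run the two live commands from the comments; a "rewritten ... -> 192.168.1.1" line confirms SNAT, and the counters in iptables -t nat -vnL POSTROUTING show which rule is incrementing. If a masquerade rule is confirmed to match the forwarded flow, one workaround (an assumption about this setup, not something the post confirms) is to replace the rich rule with a firewalld direct rule that DNATs without masquerading. That is safe here as long as the guest's default gateway is 192.168.1.1 on virbr1, which the NAT setup in the question implies, because the replies then come back through the host anyway:

firewall-cmd --permanent --zone=external --remove-rich-rule='rule family="ipv4" source ipset="whitelist" forward-port port="2222" protocol="tcp" to-port="22" to-addr="192.168.1.2"'
firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -i enp2s0 -p tcp --dport 2222 -m set --match-set whitelist src -j DNAT --to-destination 192.168.1.2:22
firewall-cmd --reload

The -m set match assumes the kernel ipset carries the firewalld ipset's name (check with ipset list whitelist). The FORWARD chain in the posted output already accepts enp2s0 -> virbr1 traffic to 192.168.1.0/24, so no extra filter rule is needed, and the zone-level masquerade on enp2s0, which the guest's outbound NAT relies on, stays in place.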
