I have a virtual machine managed with libvirt, and a service in it runs on port 9100. I want to forward the VM's port to the host, so that if I access localhost:9100 I am redirected to the VM.
I have tried https://wiki.libvirt.org/page/Networking as well as the following iptables rules, but neither works.
iptables -t nat -I PREROUTING -p tcp -d 127.0.0.1 --dport 9100 -j DNAT --to-destination 192.168.122.138:9100
iptables -I FORWARD -m state -d 192.168.122.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT
Here is some more information:
$ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether 04:d4:c4:55:18:69 brd ff:ff:ff:ff:ff:ff
3: wlo1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DORMANT group default qlen 1000
link/ether fc:77:74:c8:8e:76 brd ff:ff:ff:ff:ff:ff
4: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 52:54:00:0c:2c:a9 brd ff:ff:ff:ff:ff:ff
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN mode DEFAULT group default qlen 1000
link/ether 52:54:00:0c:2c:a9 brd ff:ff:ff:ff:ff:ff
6: br-170b28482f3f: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether 02:42:22:bc:33:d1 brd ff:ff:ff:ff:ff:ff
7: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:6c:29:bc:7e brd ff:ff:ff:ff:ff:ff
9: veth38ec9fc@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-170b28482f3f state UP mode DEFAULT group default
link/ether d2:1b:07:3c:85:5e brd ff:ff:ff:ff:ff:ff link-netnsid 0
11: veth602c005@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-170b28482f3f state UP mode DEFAULT group default
link/ether 8a:b0:56:bf:47:db brd ff:ff:ff:ff:ff:ff link-netnsid 1
12: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master virbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether fe:54:00:c4:ca:05 brd ff:ff:ff:ff:ff:ff
$ virsh net-dumpxml default
<network>
<name>default</name>
<uuid>f16acad2-01b5-473b-96ae-0c2c17a9717b</uuid>
<forward mode='nat'>
<nat>
<port start='1024' end='65535'/>
</nat>
</forward>
<bridge name='virbr0' stp='on' delay='0'/>
<mac address='52:54:00:0c:2c:a9'/>
<ip address='192.168.122.1' netmask='255.255.255.0'>
<dhcp>
<range start='192.168.122.2' end='192.168.122.254'/>
</dhcp>
</ip>
</network>
Answer 1
For example, suppose we need to forward incoming connections on host port 9867 to port 22 on the guest. Here are the rules needed to achieve that:
# connections from outside
$ iptables -I FORWARD -o virbr1 -d 192.168.111.36 -j ACCEPT
$ iptables -t nat -I PREROUTING -p tcp --dport 9867 -j DNAT --to 192.168.111.36:22
# Masquerade local subnet
$ iptables -I FORWARD -o virbr1 -d 192.168.111.36 -j ACCEPT
$ iptables -t nat -A POSTROUTING -s 192.168.111.0/24 -j MASQUERADE
$ iptables -A FORWARD -o virbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
$ iptables -A FORWARD -i virbr1 -o eth0 -j ACCEPT
$ iptables -A FORWARD -i virbr1 -o lo -j ACCEPT
Here virbr1 is the interface on the 192.168.111.0/24 subnet, and eth0 is the interface with the public IP address.
Now that port forwarding is set up, we can save it to our persistent rule set and load that rule set:
$ service netfilter-persistent save
$ service netfilter-persistent reload
Now test whether your VM is reachable through the firewall's public IP address:
$ ssh user@PUBLIC_IP -p 9867
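The asker's PREROUTING rule can never match a connection to localhost:9100: packets generated on the host itself do not traverse the nat PREROUTING chain, they traverse nat OUTPUT, and the answer above only covers clients arriving from outside. The script below is an added example, not code from the question, the answer or libvirt. It is written in the shape of the libvirt qemu hook that the linked wiki page describes (installed as /etc/libvirt/hooks/qemu, invoked by libvirt with the guest name and the operation) and manages both rule groups idempotently. The guest address 192.168.122.138, port 9100, bridge virbr0 and the bridge address 192.168.122.1 come from the question; the guest name vm-node, the host port 9100 and the choice of the bridge address as the host-local target are assumptions (a connection to 127.0.0.1 would carry a loopback source address, which needs extra source NAT and loopback-routing handling; targeting 192.168.122.1 keeps a source address the guest can reply to).

```shell
#!/bin/sh
# Hypothetical libvirt qemu hook (would live at /etc/libvirt/hooks/qemu).
# libvirt calls it as: qemu <guest name> <operation> ...
# Added example, not from the original thread or from libvirt.
set -eu

GUEST_NAME="vm-node"            # assumed libvirt domain name
GUEST_IP="192.168.122.138"      # guest address from the question
GUEST_PORT="9100"               # service port in the guest
HOST_PORT="9100"                # assumed port exposed on the host
BRIDGE="virbr0"                 # bridge from "virsh net-dumpxml default"
BRIDGE_IP="192.168.122.1"       # host's own address on that bridge
IPTABLES="${IPTABLES:-iptables}"  # overridable for dry runs

# Print one rule per line as "<table> <chain> <rule spec>".
# Group 1 (external clients): packets arriving on any interface traverse
#   nat PREROUTING for the DNAT and then filter FORWARD on their way to
#   the bridge, so both need a rule.
# Group 2 (clients on the host itself): locally generated packets skip
#   PREROUTING and traverse nat OUTPUT instead. Targeting the host's bridge
#   address rather than 127.0.0.1 gives the DNATed packet a source address
#   (192.168.122.1) that the guest can route its reply back to.
forward_rules() {
    printf '%s\n' \
      "nat PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to-destination $GUEST_IP:$GUEST_PORT" \
      "filter FORWARD -o $BRIDGE -p tcp -d $GUEST_IP --dport $GUEST_PORT -j ACCEPT" \
      "nat OUTPUT -p tcp -d $BRIDGE_IP --dport $HOST_PORT -j DNAT --to-destination $GUEST_IP:$GUEST_PORT"
}

# Add (-I, at the top of the chain) or delete (-D) every rule. "-C" is
# consulted first so that repeated start/reconnect events do not stack
# duplicate rules and a "stopped" event does not fail on rules already gone.
sync_rules() {   # $1 = add | del
    forward_rules | while read -r table chain spec; do
        if $IPTABLES -t "$table" -C "$chain" $spec 2>/dev/null; then
            if [ "$1" = del ]; then
                $IPTABLES -t "$table" -D "$chain" $spec
            fi
        elif [ "$1" = add ]; then
            $IPTABLES -t "$table" -I "$chain" $spec
        fi
    done
}

# Hook entry point: only act on our guest, and only on lifecycle events
# that change whether the guest is reachable.
main() {   # $1 = guest name, $2 = operation
    [ "$1" = "$GUEST_NAME" ] || exit 0
    case "$2" in
        start)     sync_rules add ;;
        stopped)   sync_rules del ;;
        reconnect) sync_rules del; sync_rules add ;;
    esac
}

if [ $# -ge 2 ]; then
    main "$@"
fi
```

libvirt's own FORWARD rules reject new inbound connections to the guest network, which is why the ACCEPT is inserted at the top (-I) rather than appended (-A), as in the answer above; a rule appended after libvirt's REJECT is never reached. After the hook has run, a client on the host connects to 192.168.122.1:9100 and a client elsewhere to the host's public address on port 9100; a run with IPTABLES=echo shows the exact rules without touching the firewall.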