IP forwarding slow/stalling

I have set up 2 virtual machines in qemu. One of them (VM1) has a link to the internet and a link to the other virtual machine (VM2). On VM1, I get good network performance results (to the WAN):

Connecting to host iperf.xxx, port 5201
[  5] local xxx port 40826 connected to xxx port 5201
[  7] local xxx port 40828 connected to xxx port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-10.00  sec   353 MBytes   296 Mbits/sec  337   93.3 KBytes       
[  7]   0.00-10.00  sec   359 MBytes   301 Mbits/sec  339    122 KBytes       
[SUM]   0.00-10.00  sec   712 MBytes   597 Mbits/sec  676             
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec   353 MBytes   296 Mbits/sec  337             sender
[  5]   0.00-10.00  sec   353 MBytes   296 Mbits/sec                  receiver
[  7]   0.00-10.00  sec   359 MBytes   301 Mbits/sec  339             sender
[  7]   0.00-10.00  sec   358 MBytes   300 Mbits/sec                  receiver
[SUM]   0.00-10.00  sec   712 MBytes   597 Mbits/sec  676             sender
[SUM]   0.00-10.00  sec   711 MBytes   596 Mbits/sec                  receiver

On VM1, I enabled IP forwarding in sysctl, and VM2 has a default route to VM1. But when running the same iperf test on VM2, I get the following results:

Connecting to host iperf.xxx, port 5201
[  5] local 10.5.5.2 port 53188 connected to xxx port 5201
[  7] local 10.5.5.2 port 53190 connected to xxx port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-10.01  sec   631 KBytes   516 Kbits/sec    6   1.41 KBytes       
[  7]   0.00-10.01  sec   731 KBytes   598 Kbits/sec   20   1.41 KBytes       
[SUM]   0.00-10.01  sec  1.33 MBytes  1.11 Mbits/sec   26             
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.01  sec   631 KBytes   516 Kbits/sec    6             sender
[  5]   0.00-10.01  sec   281 KBytes   230 Kbits/sec                  receiver
[  7]   0.00-10.01  sec   731 KBytes   598 Kbits/sec   20             sender
[  7]   0.00-10.01  sec   431 KBytes   353 Kbits/sec                  receiver
[SUM]   0.00-10.01  sec  1.33 MBytes  1.11 Mbits/sec   26             sender
[SUM]   0.00-10.01  sec   713 KBytes   583 Kbits/sec                  receiver

As you can see, that is a very big difference. As a natural reaction, I started iperf between VM1 (server) and VM2 (client), with the following result:

Connecting to host 10.5.5.1, port 5201
[  5] local 10.5.5.2 port 49408 connected to 10.5.5.1 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  1.01 MBytes  8.46 Mbits/sec   31   1.41 KBytes       
[  5]   1.00-2.00   sec  0.00 Bytes  0.00 bits/sec    1   1.41 KBytes       
[  5]   2.00-3.00   sec  0.00 Bytes  0.00 bits/sec    0   1.41 KBytes       
[  5]   3.00-4.00   sec  0.00 Bytes  0.00 bits/sec    1   1.41 KBytes       
[  5]   4.00-5.00   sec  0.00 Bytes  0.00 bits/sec    0   1.41 KBytes       
[  5]   5.00-6.00   sec  0.00 Bytes  0.00 bits/sec    0   1.41 KBytes       
[  5]   6.00-7.00   sec  0.00 Bytes  0.00 bits/sec    1   1.41 KBytes       
[  5]   7.00-8.00   sec  0.00 Bytes  0.00 bits/sec    0   1.41 KBytes       
[  5]   8.00-9.00   sec  0.00 Bytes  0.00 bits/sec    0   1.41 KBytes       
[  5]   9.00-10.00  sec  0.00 Bytes  0.00 bits/sec    0   1.41 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  1.01 MBytes   847 Kbits/sec   34             sender
[  5]   0.00-10.00  sec   523 KBytes   429 Kbits/sec                  receiver

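It seems to me that packets are being dropped after the connection is established, because in the first second everything is fine, but after that the connection seems to break.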

I am out of options at this point, and have even accepted all traffic in VM1's firewall. Output of iptables -nvL --line-numbers on VM1:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     602K   34M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
2    2428K  275M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3        1    84 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
4        6   360 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5201
5        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 ctstate NEW
6        5   308 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 flags:0x17/0x02 ctstate NEW
7        3   140 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 flags:0x17/0x02 ctstate NEW
8      132  5288 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
9      593 24128 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp reject-with tcp-reset
10      81 24010 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
11       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5201
12       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5201

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     137K  298M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
2     1758  106K ACCEPT     tcp  --  *      *       0.0.0.0/0            10.5.5.2             tcp dpt:22
3    97425  322M ACCEPT     all  --  *      enp1s5  0.0.0.0/0            10.5.5.0/24          ctstate RELATED,ESTABLISHED
4    41400 6022K ACCEPT     all  --  enp1s5 *       10.5.5.0/24          0.0.0.0/0           
5        0     0 ACCEPT     all  --  enp1s5 enp1s5  0.0.0.0/0            0.0.0.0/0           
6        0     0 REJECT     all  --  enp1s5 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
7        0     0 REJECT     all  --  *      enp1s5  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     383K 2483M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          

The nat table is as follows (iptables -t nat -nvL --line-numbers):

Chain PREROUTING (policy ACCEPT 2246 packets, 141K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            xxx       tcp dpt:2243 to:10.5.5.2:22
2        1    64 DNAT       tcp  --  *      *       0.0.0.0/0            xxx       tcp dpt:2246 to:10.5.5.2:22

Chain INPUT (policy ACCEPT 1330 packets, 77280 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 355 packets, 18693 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 949 packets, 42477 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 RETURN     all  --  *      *       10.5.5.0/24          224.0.0.0/24        
2        0     0 RETURN     all  --  *      *       10.5.5.0/24          255.255.255.255     
3      242 15138 MASQUERADE  all  --  *      *       10.5.5.0/24         !10.5.5.0/24   

(By the way, this is with 2 port forwards enabled on VM1 to port 22 on VM2.)

As said above, I am out of options. Do you have any suggestions on how to continue troubleshooting?
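
The filter listing in the post shows what "accept all traffic" does to the ruleset: rule 1 in INPUT and FORWARD matches every packet, so the DROP and REJECT rules after it are never evaluated. The following is an added example, not part of the original post: a Python parser for `iptables -nvL --line-numbers` output that reports the rules sitting behind such a catch-all. The function names are hypothetical; the sample input is the FORWARD chain copied from the listing above.

```python
import re

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
ANY = "0.0.0.0/0"

# Sample input: the FORWARD chain copied from the listing in the post.
SAMPLE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     137K  298M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
2     1758  106K ACCEPT     tcp  --  *      *       0.0.0.0/0            10.5.5.2             tcp dpt:22
3    97425  322M ACCEPT     all  --  *      enp1s5  0.0.0.0/0            10.5.5.0/24          ctstate RELATED,ESTABLISHED
4    41400 6022K ACCEPT     all  --  enp1s5 *       10.5.5.0/24          0.0.0.0/0
5        0     0 ACCEPT     all  --  enp1s5 enp1s5  0.0.0.0/0            0.0.0.0/0
6        0     0 REJECT     all  --  enp1s5 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
7        0     0 REJECT     all  --  *      enp1s5  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
"""

def parse_chains(listing):
    """Parse `iptables -nvL --line-numbers` text into {chain: [rule, ...]}."""
    chains, current = {}, None
    for line in listing.splitlines():
        f = line.split()
        if len(f) >= 2 and f[0] == "Chain":
            current = chains.setdefault(f[1], [])
        elif current is not None and len(f) >= 10 and f[0].isdigit():
            # Fields 10+ are match conditions; "reject-with ..." is a target option.
            match = re.sub(r"reject-with \S+", "", " ".join(f[10:])).strip()
            current.append({"num": int(f[0]), "target": f[3], "match": match,
                            "sel": (f[4], f[6], f[7], f[8], f[9])})
    return chains

def is_catch_all(rule):
    """True for a terminal rule with no protocol, interface, address or match filter."""
    return (rule["target"] in TERMINAL and not rule["match"]
            and rule["sel"] == ("all", "*", "*", ANY, ANY))

def shadowed_rules(listing):
    """Return {chain: (catch_all_rule, [later rule numbers that can never match])}."""
    result = {}
    for chain, rules in parse_chains(listing).items():
        first = next((i for i, r in enumerate(rules) if is_catch_all(r)), None)
        if first is not None and rules[first + 1:]:
            result[chain] = (rules[first]["num"], [r["num"] for r in rules[first + 1:]])
    return result

if __name__ == "__main__":
    for chain, (num, dead) in shadowed_rules(SAMPLE).items():
        print(f"{chain}: rule {num} matches everything; rules {dead} are unreachable")
```

Packet counters on a shadowed rule stop increasing once the catch-all sits above it, so comparing counters before and after a test run shows which rule is actually handling the traffic.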
