KVM Windows VM inside Docker cannot access the internet

I am trying to use KVM inside Docker, inspired by an article (https://medium.com/axon-technologies/installing-a-windows-virtual-machine-in-a-linux-docker-container-c78e4c3f9ba1) that shows how to expose port 3389 on a virtual machine running inside Docker so that it can be reached from the host. That works, but I want to go one step further and allow the VM to reach the internet. Can anyone help me? This is the current script I am trying to run:

#!/bin/bash
set -euo pipefail

# Make /dev/kvm usable by the kvm group and start the libvirt daemons
chown root:kvm /dev/kvm
service libvirtd start
service virtlogd start
VAGRANT_DEFAULT_PROVIDER=libvirt vagrant up
# Guest IP as reported by the vagrant-address plugin
VAGRANT_ADDRESS=$(vagrant address default)

# Back up the current rule set, then reset the nat and mangle tables and the default policies
iptables-save > "$HOME/firewall.txt"
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Forward RDP (3389) from the container's eth0 to the guest on virbr1
iptables -A FORWARD -i eth0 -o virbr1 -p tcp --syn --dport 3389 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i eth0 -o virbr1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i virbr1 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to-destination "${VAGRANT_ADDRESS}"
iptables -t nat -A POSTROUTING -o virbr1 -p tcp --dport 3389 -d "${VAGRANT_ADDRESS}" -j SNAT --to-source 192.168.121.1

# Same DNAT/SNAT pair for HTTP, HTTPS and DNS
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination "${VAGRANT_ADDRESS}"
iptables -t nat -A POSTROUTING -o virbr1 -p tcp --dport 80 -d "${VAGRANT_ADDRESS}" -j SNAT --to-source 192.168.121.1

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination "${VAGRANT_ADDRESS}"
iptables -t nat -A POSTROUTING -o virbr1 -p tcp --dport 443 -d "${VAGRANT_ADDRESS}" -j SNAT --to-source 192.168.121.1

iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to-destination "${VAGRANT_ADDRESS}"
iptables -t nat -A POSTROUTING -o virbr1 -p udp --dport 53 -d "${VAGRANT_ADDRESS}" -j SNAT --to-source 192.168.121.1

# Remove the REJECT rules libvirt installs for its bridges
iptables -D FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
iptables -D FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
iptables -D FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
iptables -D FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable

exec "$@"

I can reach the internet from inside the container, but the Windows KVM box cannot.

Answer 1

After googling and trying a lot of different things, this is what worked:

sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
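The two lines above are the whole fix: the guest's packets were reaching the container but, with forwarding off and no source NAT on eth0, they were dropped or left with an unroutable 192.168.121.x source. The script below is an added example (not code from the question or the answer) that wraps the same fix in a reviewable form: it scopes the MASQUERADE rule to the guest subnet instead of every packet leaving eth0, and adds the matching pair of FORWARD rules so the setup still works if the FORWARD policy is later put back to DROP. The interface names eth0 and virbr1 and the subnet 192.168.121.0/24 are assumptions carried over from the question's script; override them through the environment variables.

```shell
#!/bin/sh
# Added example: outbound NAT for a libvirt guest on virbr1 via eth0.
# Assumed defaults (taken from the question's script): eth0, virbr1, 192.168.121.0/24.
set -eu

WAN_IF="${WAN_IF:-eth0}"
VM_BR="${VM_BR:-virbr1}"
VM_NET="${VM_NET:-192.168.121.0/24}"

# Print the rules instead of applying them, so they can be reviewed or diffed
# against `iptables-save` before anything is changed.
vm_nat_rules() {
    wan="$1"; br="$2"; net="$3"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE
iptables -A FORWARD -i $br -o $wan -s $net -j ACCEPT
iptables -A FORWARD -i $wan -o $br -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Quick check of the usual culprit: returns 0 when the kernel already forwards IPv4.
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0)" = "1" ]
}

# Apply the rules. Needs root and a container started with --cap-add NET_ADMIN
# (or --privileged), otherwise sysctl and iptables will fail here.
apply_vm_nat() {
    vm_nat_rules "$WAN_IF" "$VM_BR" "$VM_NET" | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd"
    done
}

case "${1:-}" in
    show)  vm_nat_rules "$WAN_IF" "$VM_BR" "$VM_NET" ;;
    check) ip_forward_enabled && echo "ip_forward=1" || echo "ip_forward=0" ;;
    apply) apply_vm_nat ;;
    *)     : ;;   # no argument: define the functions only
esac
```

Run it as `sh vm-nat.sh show` to see the rules, `sh vm-nat.sh check` to confirm forwarding is on, and `sh vm-nat.sh apply` from the container's entrypoint (after `vagrant up`) to install them. Scoping the MASQUERADE with `-s` matters in a container because eth0 also carries the container's own traffic and any port-forwarded RDP sessions; the source-restricted rule only rewrites what actually comes from the guest subnet.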
