QEMU/KVM guest VM cannot resolve DNS hostnames or be reached by SSH/ping from the host


I have a QEMU/KVM-based virtual machine running CentOS 6.4 that is not fully connected to the internet. I can ping IP addresses (for example, ping 8.8.8.8 works), but I cannot resolve domain names (for example, ping google.com returns ping: unknown host google.com).

The guest is assigned a static IP, and I am using the default (NAT-based) network:

<network>
  <name>default</name>
  <uuid>8c257186-7af4-4e19-a086-27f50f692af6</uuid>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:d6:62:2d'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>

/run/resolvconf/resolv.conf does not exist on the VM, and resolvconf, nslookup, systemctl, host, hostnamectl and nmcli are not installed, so my ability to run network diagnostics is limited.

I have tried the following:

  • Editing /etc/sysconfig/network-scripts/ifcfg-eth0 to add DNS1=8.8.8.8, DNS2=8.8.4.4 and PEERDNS=yes. After a reboot this created /etc/resolv.conf, which did not exist before.
  • Replacing "hosts: files dns" with "hosts: files dns nisplus nis" in /etc/nsswitch.conf, then rebooting.
  • Following this guide to create a host-only network.
  • Following this guide to create a virtual bridge via qemu-bridge-helper.
  • (Incidentally, I also tried to set up a file share between guest and host following this guide, but that requires 9p, and CentOS 6 apparently does not support that filesystem.)

After every attempt, however, the host still cannot SSH into or ping the guest, and the guest still cannot resolve domain names. Any help with getting both of these working (the host can SSH into the guest; the guest is fully connected to the internet) would be greatly appreciated.

Below are some file contents and command-line outputs that may be useful. I am happy to provide more information.

Contents of /etc/resolv.conf (guest):

options edns0 trust-ad
; generated by /sbin/dhclient-script
nameserver 8.8.8.8
nameserver 8.8.4.4

Output of ip a (guest):

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:7b:6c:27 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.92/22 brd 192.168.123.255 scope global eth0
    inet6 fe80::5054:ff:fe7b:6c27/64 scope link
       valid_lft forever preferred_lft forever

Output of ssh 192.168.122.92 (host):

ssh: connect to host 192.168.122.92 port 22: Connection refused

Output of ping 192.168.122.92 (host):

PING 192.168.122.92 (192.168.122.92) 56(84) bytes of data.
From 192.168.122.1 icmp_seq=1 Destination Port Unreachable
ping: sendmsg: Operation not permitted
From 192.168.122.1 icmp_seq=2 Destination Port Unreachable
ping: sendmsg: Operation not permitted
From 192.168.122.1 icmp_seq=3 Destination Port Unreachable
ping: sendmsg: Operation not permitted
From 192.168.122.1 icmp_seq=4 Destination Port Unreachable
ping: sendmsg: Operation not permitted
^C
--- 192.168.122.92 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3065ms

Edit 1

Contents of /etc/sysconfig/network-scripts/ifcfg-eth0 (guest):

DEVICE=eth0
HWADDR=52:54:00:7B:6C:27
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=no
BOOTPRONTO=none
IPADDR=192.168.122.92
NETMASK=255.255.252.0
GATEWAY=192.168.122.1
DNS1=8.8.8.8
DNS2=8.8.4.4
PEERDNS=yes

Edit 2

Output of iptables-save (host):

# Generated by iptables-save v1.8.4 on Mon Jan  3 22:03:26 2022
*mangle
:PREROUTING ACCEPT [86972:77359835]
:INPUT ACCEPT [86966:77359331]
:FORWARD ACCEPT [6:504]
:OUTPUT ACCEPT [87805:9060728]
:POSTROUTING ACCEPT [69226:7583136]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Mon Jan  3 22:03:26 2022
# Generated by iptables-save v1.8.4 on Mon Jan  3 22:03:26 2022
*nat
:PREROUTING ACCEPT [4:1038]
:INPUT ACCEPT [3:954]
:OUTPUT ACCEPT [19614:1550200]
:POSTROUTING ACCEPT [1032:73142]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Mon Jan  3 22:03:26 2022
# Generated by iptables-save v1.8.4 on Mon Jan  3 22:03:26 2022
*filter
:INPUT ACCEPT [86966:77359331]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [69220:7582632]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
COMMIT
# Completed on Mon Jan  3 22:03:26 2022

Edit 3

Output of sudo iptables-save (guest):

# Generated by iptables-save v1.4.7 on Thu Jan 6 05:53:35 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Jan 6 05:53:35 2022
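As an added check, not part of the original question or its answer: the static guest configuration posted above can be compared mechanically against the libvirt network definition it is attached to. The script below embeds the question's own network XML and ifcfg-eth0 as sample input and reports where the two disagree (subnet size, gateway, address range, and ifcfg keys the network scripts do not recognise); KNOWN_KEYS is an assumed subset of the keys ifup-eth reads, not a complete list.

```python
"""Check a guest's static ifcfg against the libvirt network it attaches to.
Added example for this page; sample data copied from the question."""
import ipaddress
import xml.etree.ElementTree as ET

NETWORK_XML = """<network>
  <name>default</name>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp><range start='192.168.122.2' end='192.168.122.254'/></dhcp>
  </ip>
</network>"""

IFCFG_ETH0 = """DEVICE=eth0
BOOTPRONTO=none
IPADDR=192.168.122.92
NETMASK=255.255.252.0
GATEWAY=192.168.122.1
DNS1=8.8.8.8
PEERDNS=yes"""

# Assumed subset of the keys ifup-eth reads; extend it for real configs.
# ifcfg files are sourced as shell, so a misspelled key is silently ignored.
KNOWN_KEYS = {"DEVICE", "HWADDR", "TYPE", "ONBOOT", "NM_CONTROLLED", "BOOTPROTO",
              "IPADDR", "NETMASK", "PREFIX", "GATEWAY", "DNS1", "DNS2", "PEERDNS"}

def parse_ifcfg(text):
    """KEY=value lines into a dict; comments and blank lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key] = value.strip('"')
    return cfg

def check_guest_config(network_xml, ifcfg_text):
    """Return human-readable findings; an empty list means consistent."""
    ip_el = ET.fromstring(network_xml).find("ip")
    bridge_addr = ip_el.get("address")
    libvirt_net = ipaddress.ip_interface(f"{bridge_addr}/{ip_el.get('netmask')}").network
    cfg = parse_ifcfg(ifcfg_text)
    findings = [f"unknown key {k} (typo?) is ignored by the network scripts"
                for k in sorted(set(cfg) - KNOWN_KEYS)]
    guest_if = ipaddress.ip_interface(f"{cfg['IPADDR']}/{cfg['NETMASK']}")
    if guest_if.network != libvirt_net:
        findings.append(f"guest subnet {guest_if.network} != libvirt network {libvirt_net}")
    if cfg.get("GATEWAY") != bridge_addr:
        findings.append(f"gateway {cfg.get('GATEWAY')} is not the bridge address {bridge_addr}")
    if guest_if.ip not in libvirt_net:
        findings.append(f"guest address {guest_if.ip} is outside {libvirt_net}")
    return findings
```

Running `check_guest_config(NETWORK_XML, IFCFG_ETH0)` on the question's data flags the BOOTPRONTO key and the /22 versus /24 subnet mismatch; a corrected ifcfg yields an empty list.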

Answer 1

The following ping error messages indicate that the traffic is being blocked by a firewall.

Destination Port Unreachable
ping: sendmsg: Operation not permitted
