我有一个主机和客户虚拟机 (VirtualBox),它们使用 NAT 网络,网络接口如下。
如何跟踪来自本地 IP10.0.2.15 即访客 IP回到主持人?
主持人
Ubuntu
ip route show
default via 192.168.68.1 dev wlp0s20f3 proto dhcp metric 600
169.254.0.0/16 dev docker0 scope link metric 1000 linkdown
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.56.0/24 dev vboxnet0 proto kernel scope link src 192.168.56.1
192.168.68.0/24 dev wlp0s20f3 proto kernel scope link src 192.168.68.104 metric 600
这里192.168.56.0/24是 VirtualBox 的接口
客人
也可以通过 VirtualBox VM 使用 Ubuntu
vagrant@master:~$ ip route show
default via 10.0.2.2 dev enp0s3 proto dhcp src 10.0.2.15 metric 100
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15
10.0.2.2 dev enp0s3 proto dhcp scope link src 10.0.2.15 metric 100
192.168.56.0/24 dev enp0s8 proto kernel scope link src 192.168.56.10
vagrant@master:~$ ifconfig
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.2.15 netmask 255.255.255.0 broadcast 10.0.2.255
inet6 fe80::cf:fdff:feba:3806 prefixlen 64 scopeid 0x20<link>
ether 02:cf:fd:ba:38:06 txqueuelen 1000 (Ethernet)
RX packets 53179 bytes 67713452 (67.7 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 11030 bytes 941487 (941.4 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp0s8: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.56.10 netmask 255.255.255.0 broadcast 192.168.56.255
inet6 fe80::a00:27ff:fecd:ad09 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:cd:ad:09 txqueuelen 1000 (Ethernet)
RX packets 79 bytes 9158 (9.1 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 83 bytes 7254 (7.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 352 bytes 22658 (22.6 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 352 bytes 22658 (22.6 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
虚拟盒通过 VirtualBox 的 NAT 网络将 SSH 流量从 2222主机重定向到客户机的 ssh 端口。22
通过 ssh 流量沙克一旦通过以下方式启动新的 ssh 连接,就会从 10.0.2.2 显示在 10.0.2.15 上
vagrant ssh master
tshark 输出:-
vagrant@master:~$ sudo tshark -i enp0s3 -E header=y
Running as user "root" and group "root". This could be dangerous.
Capturing on 'enp0s3'
1 0.000000000 10.0.2.2 → 10.0.2.15 SSH 90 Client: Encrypted packet (len=36)
2 0.000717886 10.0.2.15 → 10.0.2.2 SSH 90 Server: Encrypted packet (len=36)
3 0.000972600 10.0.2.2 → 10.0.2.15 TCP 60 37672 → 22 [ACK] Seq=37 Ack=37 Win=65535 Len=0
4 0.263247999 10.0.2.15 → 10.0.2.2 SSH 178 Server: Encrypted packet (len=124)
5 0.263826882 10.0.2.2 → 10.0.2.15 TCP 60 56982 → 22 [ACK] Seq=1 Ack=125 Win=65535 Len=0
6 0.733596788 10.0.2.2 → 10.0.2.15 SSH 90 Client: Encrypted packet (len=36)
7 0.733862097 10.0.2.15 → 10.0.2.2 SSH 106 Server: Encrypted packet (len=52)
8 0.734013429 10.0.2.2 → 10.0.2.15 TCP 60 37672 → 22 [ACK] Seq=73 Ack=89 Win=65535 Len=0
我希望能够看到主机上的网络数据包以及路由是如何发生的。
答案1
我假设 192.168.68.104:2222 是由 VirtualBox 进程打开的(您可以使用 来验证lsof -i TCP -Pn | grep LISTEN)。
严格地回答您的问题 - 您可以获取 VirtualBox 打开的端口列表(上面的咒语)并在其上嗅探数据包,但这仅显示远程方发起的流量。
更好的方法是将另一个 IP 添加到 wlp0s20f3 接口,并在其接口 (vboxnet0) 上对专用 VM IP (192.168.56.10) 进行一对一 NAT。这样,VM 就可以在主机上获得自己的 IP 地址:
# HOST
# enable routing if it is not enabled already
sysctl net.ipv4.ip_forward=1
# add another IP to your external-facing interface; make sure this IP is not used
ip addr add 192.168.68.99/24 dev wlp0s20f3
# enable NATting for incoming traffic
iptables -t nat -A PREROUTING -d 192.168.68.99 -j DNAT --to 192.168.56.10
# enable NATting for outgoing traffic
iptables -t nat -A POSTROUTING -s 192.168.56.10 -j SNAT --to 192.168.68.99
# GUEST
# disable the interface we won't need
ip link set enp0s3 down
# use host IP as default gateway
ip route add default via 192.168.56.1
更好的方法是使用桥接(这将允许更透明的第 2 层网络),但是因为您使用无线接口(我根据接口名称判断是这样),所以如果不对 ebtables 进行修改就无法做到这一点。
PS:请不要使用ifconfig,它已经过时了。请改用ip addr。