My host's network interface has two IPs. At the moment I am using a routed network. The host's network interface is a member of firewalld's `public` zone, which has both `forward` and `masquerade` enabled.

With the setup described above, the VMs can reach the Internet, and I can add port forwards to a VM with firewalld's `--add-forward-port`.
However, I now want to change the egress IP of one VM (that is, the address it is masqueraded to) to the other IP available on my host's network interface.
I tried adding an SNAT rule to my nftables ruleset, since firewalld does not support this. The command I used was `nft add rule nat POSTROUTING snat to ip saddr map { <VM's IP> : <public ip> }`. This causes the VM to lose its Internet connection, while it can still be reached through the port forwarding set up in firewalld.
I searched Google for this problem but did not find much about it.

Here are some of the configuration details.
The default public IP has been edited to 10.0.0.1 and the secondary public IP to 10.0.0.2.

VM 1's NAT IP has been edited to 192.168.122.1 and VM 2's NAT IP to 192.168.122.2.
firewalld

```
libvirt (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: virbr0
  sources:
  services: custom--ms-wbt-server-ms-wbt-server dhcp dhcpv6 dns ssh tftp
  ports:
  protocols: icmp ipv6-icmp
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule priority="32767" reject

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0f0
  sources:
  services: cockpit dhcpv6-client libvirt libvirt-tls mdns ssh steam-streaming vnc-server
  ports:
  protocols:
  forward: yes
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" destination address="10.0.0.2" forward-port port="33412" protocol="tcp" to-port="3389" to-addr="192.168.122.2" # the other public IP is the one I want to change to
        rule family="ipv4" destination address="10.0.0.1" forward-port port="33411" protocol="udp" to-port="3389" to-addr="192.168.122.1" # the default public IP is the default egress IP
        rule family="ipv4" destination address="10.0.0.1" forward-port port="33411" protocol="tcp" to-port="3389" to-addr="192.168.122.1"
        rule family="ipv4" destination address="10.0.0.2" forward-port port="33412" protocol="udp" to-port="3389" to-addr="192.168.122.2"
```
virsh

```xml
<network connections='2'>
  <name>default</name>
  <uuid>(network uuid)</uuid>
  <forward mode='route'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='<mac address>'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>
```
ip addr

```
enp1s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether <mac address> brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 brd <broadcast addr> scope global noprefixroute enp1s0f0
       valid_lft forever preferred_lft forever
    inet 10.0.0.2/25 brd <broadcast addr> scope global noprefixroute enp1s0f0
       valid_lft forever preferred_lft forever
```
ip route

```
default via <default public ip gateway> dev enp1s0f0 proto static metric 100
<default public ip subnet> dev enp1s0f0 proto kernel scope link src 10.0.0.1 metric 100
<secondary public ip subnet> dev enp1s0f0 proto kernel scope link src 10.0.0.2 metric 100
<virsh network subnet> dev virbr0 proto kernel scope link src 192.168.122.1
```
My server is running Fedora 37, firewalld 1.2.2 and nftables 1.0.4.
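As an added example, not part of the question above and not a firewalld or libvirt feature: the same per-source SNAT map written as a standalone nftables table, so that it is loaded with `nft -f` and kept apart from the `inet firewalld` table that firewalld rewrites on every reload. The addresses and interface name are the ones from the question; the table, map and chain names (`vm_snat`, `egress_ip`, `postrouting`) are made up for this example. It assumes that firewalld 1.x's nftables backend registers its masquerade chain at priority `srcnat + 10` (it adds 10 so that iptables-nft users go first), so a chain at plain `srcnat` evaluates a new flow before firewalld does; once conntrack holds a source mapping for the flow, the later masquerade chain does not replace it.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post. Per-VM egress address for a libvirt
# routed network that is otherwise masqueraded by firewalld's "public" zone.
#
# Assumption: firewalld 1.x hooks its nat_POSTROUTING chain at "srcnat + 10",
# so a chain at priority "srcnat" sees the first packet of a flow before
# firewalld's masquerade rule does. Only the first nat chain that maps a flow
# takes effect; later nat chains skip a flow that already has a source mapping.
table ip vm_snat {
    # VM address -> public address it should egress from.
    # VMs without an entry fall through to firewalld's masquerade (10.0.0.1 here).
    map egress_ip {
        type ipv4_addr : ipv4_addr
        elements = { 192.168.122.2 : 10.0.0.2 }
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Only traffic leaving via the uplink; VM-to-VM and VM-to-host traffic
        # on virbr0 keeps its real source address.
        # A map lookup miss means the rule does not match, so no SNAT happens.
        oifname "enp1s0f0" snat to ip saddr map @egress_ip
    }
}
```

Load it with `nft -f vm-snat.nft` and confirm the table with `nft list table ip vm_snat`. Because the mapping is decided by conntrack at the first packet, a connection that existed before the table was loaded keeps its old masqueraded address; open a fresh connection from 192.168.122.2 and check `conntrack -L -s 192.168.122.2`, where the reply tuple of the new flow should carry `dst=10.0.0.2`. Deleting the table again is `nft delete table ip vm_snat`, which leaves firewalld's own table untouched.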