我有一个 Ubuntu Server 14.04,在一些机器上运行 VirtualBox。这些机器安装了 OpenStack Fuel,我无法更改基础设施的 NIC 接口(两个仅主机和一个 NAT)。
其中一台机器正在运行“燃料控制”面板,但只能通过主机接口之一( 10.20.0.2 )访问。
我的家庭网络是 192.168.25.x。主机(Ubuntu)外部是192.168.25.25。
现在我的家庭网络中有一台 Windows 计算机,需要访问在虚拟机 (IP 10.20.0.2) 中运行的 Fuel 面板。
我需要的是将来自硬件 192.168.25.25 接口的传入转发到 virtualbox hostonly 10.20.0.X VM 接口以到达 IP 10.20.0.2。
这是我的主机 ifconfig 显示所有接口:
root@AKRAB:~# ifconfig
lo Link encap:Loopback Local
inet end.: 127.0.0.1 Masc:255.0.0.0
endereço inet6: ::1/128 Escopo:Máquina
UP LOOPBACK RUNNING MTU:65536 Métrica:1
pacotes RX:19685 erros:0 descartados:0 excesso:0 quadro:0
Pacotes TX:19685 erros:0 descartados:0 excesso:0 portadora:0
colisões:0 txqueuelen:0
RX bytes:7674590 (7.6 MB) TX bytes:7674590 (7.6 MB)
vboxnet0 Link encap:Ethernet Endereço de HW 0a:00:27:00:00:00
inet end.: 10.20.0.1 Bcast:10.20.0.255 Masc:255.255.255.0
endereço inet6: fe80::800:27ff:fe00:0/64 Escopo:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Métrica:1
pacotes RX:0 erros:0 descartados:0 excesso:0 quadro:0
Pacotes TX:167 erros:0 descartados:0 excesso:0 portadora:0
colisões:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:22260 (22.2 KB)
vboxnet1 Link encap:Ethernet Endereço de HW 0a:00:27:00:00:01
inet end.: 172.16.0.254 Bcast:172.16.0.255 Masc:255.255.255.0
endereço inet6: fe80::800:27ff:fe00:1/64 Escopo:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Métrica:1
pacotes RX:0 erros:0 descartados:0 excesso:0 quadro:0
Pacotes TX:437 erros:0 descartados:0 excesso:0 portadora:0
colisões:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:137886 (137.8 KB)
vboxnet2 Link encap:Ethernet Endereço de HW 0a:00:27:00:00:02
inet end.: 172.16.1.1 Bcast:172.16.1.255 Masc:255.255.255.0
endereço inet6: fe80::800:27ff:fe00:2/64 Escopo:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Métrica:1
pacotes RX:0 erros:0 descartados:0 excesso:0 quadro:0
Pacotes TX:464 erros:0 descartados:0 excesso:0 portadora:0
colisões:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:150336 (150.3 KB)
wlan0 Link encap:Ethernet Endereço de HW 00:13:46:94:18:c1
inet end.: 192.168.25.25 Bcast:192.168.25.255 Masc:255.255.255.0
endereço inet6: fe80::213:46ff:fe94:18c1/64 Escopo:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Métrica:1
pacotes RX:2354945 erros:0 descartados:4 excesso:0 quadro:0
Pacotes TX:1237088 erros:0 descartados:0 excesso:0 portadora:0
colisões:0 txqueuelen:1000
RX bytes:3455421823 (3.4 GB) TX bytes:103231994 (103.2 MB)
root@AKRAB:~#
您可以看到 wlan0 外部接口(我的家庭网络)和 vboxnet0 隐藏我想要访问的网络( 10.20.0.2 )。
所有这些地址都是静态的,包括目标。我想要在虚拟机中访问的端口号是 8443(Mirantis Fuel Dashboard)。
尝试过这个但没有成功:
root@AKRAB:~# iptables -I FORWARD -d 10.20.0.2 -m comment --comment "Accept to forward Fuel DashBoard traffic" -m tcp -p tcp --dport 8443 -j ACCEPT
root@AKRAB:~# iptables -t nat -I PREROUTING -m tcp -p tcp --dport 8443 -m comment --comment "redirect pkts to virtual machine" -j DNAT --to-destination 10.20.0.2:8443
root@AKRAB:~# iptables -t nat -I POSTROUTING -m comment --comment "NAT the src ip" -d 10.20.0.2 -o vboxnet0 -j MASQUERADE
结果:
root@AKRAB:~# iptables -nvL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 10.20.0.2 0.0.0.0/0 /* Accept to forward Fuel DashBoard return traffic */ tcp spt:8443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.20.0.2 /* Accept to forward Fuel DashBoard traffic */ tcp dpt:8443
和
root@AKRAB:~# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 73 packets, 6145 bytes)
pkts bytes target prot opt in out source destination
18 912 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443 /* redirect pkts to virtual machine */ to:10.20.0.2:8443
Chain INPUT (policy ACCEPT 73 packets, 6145 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 759 packets, 47828 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 759 packets, 47828 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * vboxnet0 0.0.0.0/0 10.20.0.2 /* NAT the src ip */
答案1
iptables 规则似乎没问题,但可能您错过了启用 ip 转发,请尝试使用:
echo 1 > /proc/sys/net/ipv4/ip_forward
然后检查 iptables 规则是否匹配:
iptables -t nat -nvL
iptables -nvL FORWARD