How does a guest VM reach the host over a bridged network?

After asking this question I was able to configure the VM to connect directly to the LAN. Everything works as expected, except that the guest VM cannot communicate with the host.

Ubuntu Server 20.04.03 LTS。

Here is my host netplan:

network:
  ethernets:
    enp3s0:
      dhcp4: true
      optional: true
    enp4s0:
      dhcp4: false
      dhcp6: false
  bridges:
    br0:
      interfaces:
      - enp4s0
      addresses:
      - 192.168.1.200/24
      gateway4: 192.168.1.1
      nameservers:
        addresses:
        - 1.1.1.1
        - 1.0.0.1
        - 8.8.8.8
        - 8.8.4.4
        search: []
      parameters:
        stp: true
      dhcp4: no
      dhcp6: no
  vlans:
    vlan15:
      accept-ra: no
      id: 15
      link: enp4s0
  version: 2

Here is the VM network configuration (virsh net-edit default):

<network>
  <name>default</name>
  <uuid>e0235996-534d-49c8-94d6-f213acd1552e</uuid>
  <forward mode='bridge'/>
  <bridge name='br0'/>
</network>

Although the guest VM appears on the LAN, can reach the outside, and can be reached from other real machines on the network, the guest VM cannot reach its host.

Here is the ping and tracert output from a Windows Server command prompt in the VM (the host is 192.168.1.200, the guest is 192.168.1.33, which it obtained from the DHCP of the router on the LAN):

C:\Users\Administrator>ping 192.168.1.200

Pinging 192.168.1.200 with 32 bytes of data:
Reply from 192.168.1.33: Destination host unreachable.

Ping statistics for 192.168.1.200:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),

C:\Users\Administrator>tracert 192.168.1.200


Tracing route to 192.168.1.200 over a maximum of 30 hops

  1  SVR-BACKUP [192.168.1.33]  reports: Destination host unreachable.

Trace complete.

What else do I need to do to complete the connection so that the guest VM can communicate with the host?

Edit: as requested, here is the output of sudo iptables -xvnL

Chain INPUT (policy ACCEPT 195866 packets, 25432549 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       0        0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 252563 packets, 775126408 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain DOCKER (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:3690

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
       0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
       0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

sudo iptables -t nat -xvnL

Chain PREROUTING (policy ACCEPT 39583 packets, 13257450 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    8156  2476484 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 8712 packets, 2524965 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 10911 packets, 606007 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       6     1768 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 10911 packets, 606007 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
       0        0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:3690

Chain DOCKER (2 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
       0        0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3690 to:172.17.0.2:3690
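
Added check, not part of the original question: when Docker and a libvirt bridge share a host, the first thing to verify is whether the br_netfilter module is loaded with bridge-nf-call-iptables=1, because that pushes bridged frames on br0 through the iptables FORWARD chain, which Docker leaves at policy DROP as shown above. The script below reads the module list and the sysctl knob from a prefix (empty for the real host) and the FORWARD policy from saved `iptables -vnL` output; the prefix argument, the function names and the sample tree it builds are all assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post): report whether bridged frames
# on this host are subject to iptables, and what the FORWARD policy is.

# bridge_nf_verdict PREFIX IPTABLES_L_FILE
#   PREFIX is "" on the real host; IPTABLES_L_FILE holds `iptables -vnL` output.
# Prints one token:
#   off-module   br_netfilter not loaded: bridged frames never reach iptables
#   off-sysctl   module loaded but bridge-nf-call-iptables=0
#   on-<POLICY>  bridged frames traverse FORWARD, whose policy is <POLICY>
bridge_nf_verdict() {
  prefix=$1
  ipt=$2
  if ! grep -q '^br_netfilter ' "$prefix/proc/modules" 2>/dev/null; then
    echo off-module
    return 0
  fi
  knob="$prefix/proc/sys/net/bridge/bridge-nf-call-iptables"
  if [ "$(cat "$knob" 2>/dev/null)" != 1 ]; then
    echo off-sysctl
    return 0
  fi
  policy=$(sed -n 's/^Chain FORWARD (policy \([A-Z]*\).*/\1/p' "$ipt")
  echo "on-${policy:-UNKNOWN}"
}

# Human-readable summary built on the token above.
bridge_nf_report() {
  case $(bridge_nf_verdict "$1" "$2") in
    off-module) echo "br_netfilter not loaded: VM<->LAN frames on br0 bypass iptables" ;;
    off-sysctl) echo "bridge-nf-call-iptables=0: VM<->LAN frames on br0 bypass iptables" ;;
    on-DROP)    echo "bridged frames hit iptables FORWARD with policy DROP: nothing accepts br0 traffic, expect breakage" ;;
    on-*)       echo "bridged frames hit iptables FORWARD (policy is not DROP)" ;;
  esac
}

# Constructed sample tree reproducing the state visible in the question
# (module loaded, knob set to 1, Docker's FORWARD policy DROP). Prints its path.
demo_state() {
  d=$(mktemp -d)
  mkdir -p "$d/proc/sys/net/bridge"
  printf 'br_netfilter 28672 0 - Live 0x0000000000000000\nbridge 192512 1 br_netfilter, Live 0x0000000000000000\n' > "$d/proc/modules"
  echo 1 > "$d/proc/sys/net/bridge/bridge-nf-call-iptables"
  printf 'Chain INPUT (policy ACCEPT 195866 packets, 25432549 bytes)\n\nChain FORWARD (policy DROP 0 packets, 0 bytes)\n    pkts      bytes target     prot opt in     out     source               destination\n       0        0 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0\n' > "$d/iptables.txt"
  echo "$d"
}

d=$(demo_state)
bridge_nf_report "$d" "$d/iptables.txt"
rm -rf "$d"
# On the real host: sudo iptables -vnL > /tmp/ipt.txt; bridge_nf_report "" /tmp/ipt.txt
```

The /proc/sys/net/bridge directory only exists while br_netfilter is loaded, so a missing knob and an absent module are reported separately; either one means the bridge is not being filtered by iptables at all.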

Answer 1

The problem was netfilter.

Following the instructions here, I disabled netfilter for the bridge and was able to get correct network communication between the VM, the LAN, and the host. The relevant section:

For performance and security reasons, disable netfilter for bridges. Create /etc/sysctl.d/bridge.conf with these contents:

net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0
net.bridge.bridge-nf-call-arptables=0

Create /etc/udev/rules.d/99-bridge.rules with the following contents. This udev rule applies the sysctl settings above when the bridge module is loaded. (If using Linux kernel 3.18 or later, change KERNEL=="bridge" to KERNEL=="br_netfilter".)

ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/sbin/sysctl -p /etc/sysctl.d/bridge.conf"

After doing this, all my problems went away.
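
Added example, not from the answer above: the two files from the quoted instructions, generated with the udev KERNEL match chosen from the running kernel version (br_netfilter on 3.18 and later, which covers the Ubuntu 20.04 kernel; bridge on older kernels). The prefix argument and the function names are assumptions for this example so it can be exercised in a scratch directory before writing to /etc. Note the trade-off the quoted text alludes to: with these knobs at 0 the host's iptables rules no longer see any traffic bridged between guests and the LAN, so guest filtering, if wanted, has to be done elsewhere.

```shell
#!/bin/sh
# Added example (not from the original answer): write /etc/sysctl.d/bridge.conf
# and /etc/udev/rules.d/99-bridge.rules under PREFIX, picking the module name
# the udev rule must match from the kernel version.

# bridge_nf_module_name KERNEL_VERSION  ->  br_netfilter (>= 3.18) or bridge
bridge_nf_module_name() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  minor=${minor%%[!0-9]*}
  if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 18 ]; }; then
    echo br_netfilter
  else
    echo bridge
  fi
}

# write_bridge_nf_config PREFIX [KERNEL_VERSION]
#   PREFIX is "" for the real host (run as root); defaults to `uname -r`.
#   Prints the module name used in the udev rule.
write_bridge_nf_config() {
  prefix=$1
  kver=${2:-$(uname -r)}
  mod=$(bridge_nf_module_name "$kver")
  mkdir -p "$prefix/etc/sysctl.d" "$prefix/etc/udev/rules.d"
  cat > "$prefix/etc/sysctl.d/bridge.conf" <<'EOF'
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0
net.bridge.bridge-nf-call-arptables=0
EOF
  printf 'ACTION=="add", SUBSYSTEM=="module", KERNEL=="%s", RUN+="/sbin/sysctl -p /etc/sysctl.d/bridge.conf"\n' \
    "$mod" > "$prefix/etc/udev/rules.d/99-bridge.rules"
  echo "$mod"
}

# Dry run into a scratch directory, then show what would be written.
d=$(mktemp -d)
echo "udev rule matches module: $(write_bridge_nf_config "$d" "$(uname -r)")"
cat "$d/etc/sysctl.d/bridge.conf" "$d/etc/udev/rules.d/99-bridge.rules"
rm -rf "$d"
# On the real host, as root:
#   write_bridge_nf_config "" && sysctl -p /etc/sysctl.d/bridge.conf
# sysctl -p only succeeds while br_netfilter is loaded, because the
# net.bridge.* keys do not exist otherwise; the udev rule covers later loads.
```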
