NAT port forwarding with iptables does not work

I have a server running Ubuntu Server with a Xubuntu virtual machine on it; the virtualization software is virt-manager.

Ubuntu Server IP: 172.16.63.140
Xubuntu Virtual Machine IP: 192.168.122.4

I can do

ssh 172.16.63.140

to connect to the Ubuntu Server, and from that ssh shell I can do

ssh 192.168.122.4

to connect to the Xubuntu virtual machine.

I want to use iptables to forward the ssh port so that the virtual machine is reachable from outside; these are the commands I used:

sudo /sbin/iptables -t nat -I PREROUTING -p tcp -i em1 --dport 22222 -j DNAT --to-destination 192.168.122.4:22
sudo /sbin/iptables -I FORWARD -p tcp -d 192.168.122.4 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

This is the output of iptables:

user@hostname:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             192.168.122.4        tcp dpt:ssh state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
user@hostname:~$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  anywhere             anywhere             tcp dpt:22222 to:192.168.122.4:22

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination  

But if I do:

ssh -p 22222 172.16.63.140

This is the content of /etc/network/interfaces on the host:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto em1
#iface em1 inet dhcp

#MICHELE MODIFIED: delete from here
iface em1 inet static
    address 172.16.63.140
    netmask 255.255.255.0
    network 172.16.63.0
    broadcast 172.16.63.255
    gateway 172.16.63.254

This is the content of /etc/network/interfaces on the guest:

# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback

This is the content of /etc/libvirt/qemu/UbuntuSynth.xml:

<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh edit UbuntuSynth
or other application using the libvirt API.
-->

<domain type='kvm'>
  <name>UbuntuSynth</name>
  <uuid>21851d31-25f2-940b-8cff-afa09e329713</uuid>
  <memory unit='KiB'>4194304</memory>
  <currentMemory unit='KiB'>4194304</currentMemory>
  <vcpu placement='static'>8</vcpu>
  <os>
    <type arch='x86_64' machine='pc-i440fx-trusty'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/bin/kvm-spice</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/var/lib/libvirt/images/UbuntuSynth.img'/>
      <target dev='hda' bus='ide'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <disk type='block' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <target dev='hdc' bus='ide'/>
      <readonly/>
      <address type='drive' controller='0' bus='1' target='0' unit='0'/>
    </disk>
    <controller type='usb' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pci-root'/>
    <controller type='ide' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <interface type='network'>
      <mac address='52:54:00:75:4c:d3'/>
      <source network='default'/>
      <model type='rtl8139'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport='yes'/>
    <sound model='ich6'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </sound>
    <video>
      <model type='cirrus' vram='9216' heads='1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </memballoon>
  </devices>
</domain>

Host ifconfig:

em1       Link encap:Ethernet  HWaddr f0:1f:af:ef:1b:b5  
          inet addr:172.16.63.140  Bcast:172.16.63.255  Mask:255.255.255.0
          inet6 addr: fe80::f21f:afff:feef:1bb5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:28474137 errors:0 dropped:0 overruns:0 frame:0
          TX packets:65644719 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2701543645 (2.7 GB)  TX bytes:86462963020 (86.4 GB)
          Memory:da500000-da600000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:12327288 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12327288 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:2986574536 (2.9 GB)  TX bytes:2986574536 (2.9 GB)

virbr0    Link encap:Ethernet  HWaddr fe:54:00:75:4c:d3  
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15817438 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28427336 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:82982143933 (82.9 GB)  TX bytes:2706857124 (2.7 GB)

vnet0     Link encap:Ethernet  HWaddr fe:54:00:8e:0b:d3  
          inet6 addr: fe80::fc54:ff:fe8e:bd3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12504257 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25522667 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:81619900128 (81.6 GB)  TX bytes:1884322484 (1.8 GB)

vnet1     Link encap:Ethernet  HWaddr fe:54:00:75:4c:d3  
          inet6 addr: fe80::fc54:ff:fe75:4cd3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3313181 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3248438 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:1583687937 (1.5 GB)  TX bytes:842952463 (842.9 MB)

Guest ifconfig:

eth0      Link encap:Ethernet  HWaddr 52:54:00:75:4c:d3  
          inet addr:192.168.122.4  Bcast:192.168.122.255  Mask:255.255.255.0
          inet6 addr: fe80::5054:ff:fe75:4cd3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3163707 errors:0 dropped:1 overruns:0 frame:0
          TX packets:3313229 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:794261483 (794.2 MB)  TX bytes:1583695154 (1.5 GB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:10588809 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10588809 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:3603005625 (3.6 GB)  TX bytes:3603005625 (3.6 GB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Connecting from my laptop returns a timeout error. Where is the problem?

Answer 1

You haven't provided a return path in your iptables ruleset. You need:

sudo /sbin/iptables -t nat -I POSTROUTING -o em1 -j SNAT --to 172.16.63.140

You also need to make sure that forwarding is enabled. For example:

$ cat /proc/sys/net/ipv4/ip_forward
1
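The complete host-side setup that the question and the answer describe between them, as an added example that is not part of the original question or answer: the question's DNAT and FORWARD rules, a reverse FORWARD rule for the guest's replies, the answer's SNAT rule, and the ip_forward check, with the values taken from the question (em1, 172.16.63.140, 192.168.122.4). The DRY_RUN switch, the function names and the "apply" argument are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the question or the answer: the full host-side command
# set for exposing the guest's sshd on em1 port 22222, combining the question's
# two rules with the answer's SNAT rule and ip_forward check, plus a reverse
# FORWARD rule for the guest's replies. Values are the question's (em1,
# 172.16.63.140, 192.168.122.4); override them with environment variables.
HOST_IF=${HOST_IF:-em1}
HOST_IP=${HOST_IP:-172.16.63.140}
GUEST_IP=${GUEST_IP:-192.168.122.4}
EXT_PORT=${EXT_PORT:-22222}
GUEST_PORT=${GUEST_PORT:-22}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands only; 0 = execute them (needs root)

# Emit the rules one per line. -I places them ahead of any FORWARD rules libvirt
# installs for virbr0, and -i/-o tie each rule to the external interface so the
# DNAT only applies to traffic arriving on em1, not on virbr0 or lo.
build_rules() {
  cat <<EOF
iptables -t nat -I PREROUTING -i $HOST_IF -p tcp --dport $EXT_PORT -j DNAT --to-destination $GUEST_IP:$GUEST_PORT
iptables -I FORWARD -i $HOST_IF -p tcp -d $GUEST_IP --dport $GUEST_PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -o $HOST_IF -p tcp -s $GUEST_IP --sport $GUEST_PORT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -I POSTROUTING -o $HOST_IF -j SNAT --to $HOST_IP
EOF
}

# Succeed only when IPv4 forwarding is on. The file is a parameter so the check
# can be run against a copy; the real one is /proc/sys/net/ipv4/ip_forward.
forwarding_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# Print (DRY_RUN=1) or execute the rules, refusing while ip_forward is 0: with
# forwarding off the DNAT'd packets are dropped before the FORWARD chain, which
# produces the same silent timeout the question describes.
apply_rules() {
  if ! forwarding_enabled "$1"; then
    echo "ip_forward is 0: run 'sysctl -w net.ipv4.ip_forward=1' first" >&2
    return 1
  fi
  build_rules | while IFS= read -r cmd; do
    if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else sh -c "$cmd"; fi
  done
}

# With "apply" as the first argument the rules are applied (or printed under
# DRY_RUN); with no argument the file only defines the functions.
if [ "${1:-}" = apply ]; then apply_rules; fi
```

Review the printed commands with `sh forward-ssh.sh apply` first, then run `DRY_RUN=0 sudo -E sh forward-ssh.sh apply` to install them.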
