This post was last edited by jomcal on 2015-06-05 11:59
I've been working on virtualization lately and have run into a lot of pitfalls. After searching online for a long time I still couldn't solve my problem, so I can only ask the experts here for help.
Physical environment: 1 host, 1 NIC, 1 IP
Operating system: CentOS 6.6
Network configuration: eth0 192.168.137.41 (public)
The host runs the minimal desktop install; I then installed virt-manager, which pulled in the various packages automatically.
Using the default NAT connection, the VM can reach the internet.
I want accesses to 192.168.137.41:8022 to be mapped to the VM at 192.168.122.57:22.
VM IP: 192.168.122.57
Host ip addr output, for reference:
[root@localhost ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 8c:89:a5:3d:21:0b brd ff:ff:ff:ff:ff:ff
    inet 192.168.137.41/24 brd 192.168.137.255 scope global eth0
    inet6 fe80::8e89:a5ff:fe3d:210b/64 scope link
       valid_lft forever preferred_lft forever
3: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 52:54:00:a0:cf:af brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 500
    link/ether 52:54:00:a0:cf:af brd ff:ff:ff:ff:ff:ff
5: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether fe:54:00:1b:06:af brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fe1b:6af/64 scope link
       valid_lft forever preferred_lft forever
Host iptables configuration:
# Generated by iptables-save v1.4.7 on Fri Jun 5 10:54:41 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3643:219865]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8022 -j ACCEPT --- opens port 8022
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5901 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6001 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Jun 5 10:54:41 2015
# Generated by iptables-save v1.4.7 on Fri Jun 5 10:54:41 2015
*mangle
:PREROUTING ACCEPT [8956:8794119]
:INPUT ACCEPT [6843:8620681]
:FORWARD ACCEPT [1993:167412]
:OUTPUT ACCEPT [3643:219865]
:POSTROUTING ACCEPT [5636:387277]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Fri Jun 5 10:54:41 2015
# Generated by iptables-save v1.4.7 on Fri Jun 5 10:54:41 2015
*nat
:PREROUTING ACCEPT [3:401]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 192.168.137.41/32 -p tcp -m tcp --dport 8022 -j DNAT --to-destination 192.168.122.57:22 --- my understanding of this line: requests to port 8022 on 137.41 are forwarded to port 22 on 122.57
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 -d 192.168.122.57/32 -p tcp -m tcp --dport 22 -j SNAT --to-source 192.168.122.1 --- requests from 122.0 to port 22 on 122.57 are returned to 122.1
COMMIT
# Completed on Fri Jun 5 10:54:41 2015
Host ifconfig -a:
[root@localhost ~]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 8C:89:A5:3D:21:0B
          inet addr:192.168.137.41  Bcast:192.168.137.255  Mask:255.255.255.0
          inet6 addr: fe80::8e89:a5ff:fe3d:210b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:107239 errors:0 dropped:0 overruns:0 frame:0
          TX packets:69853 errors:0 dropped:0 overruns:0 carrier:1
          collisions:0 txqueuelen:1000
          RX bytes:107299245 (102.3 MiB)  TX bytes:36702571 (35.0 MiB)
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:7537 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7537 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:10463908 (9.9 MiB)  TX bytes:10463908 (9.9 MiB)
virbr0    Link encap:Ethernet  HWaddr 52:54:00:A0:CF:AF
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:38088 errors:0 dropped:0 overruns:0 frame:0
          TX packets:68673 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2180265 (2.0 MiB)  TX bytes:100182484 (95.5 MiB)
virbr0-nic Link encap:Ethernet  HWaddr 52:54:00:A0:CF:AF
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
vnet0     Link encap:Ethernet  HWaddr FE:54:00:1B:06:AF
          inet6 addr: fe80::fc54:ff:fe1b:6af/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:38088 errors:0 dropped:0 overruns:0 frame:0
          TX packets:70276 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:2713497 (2.5 MiB)  TX bytes:100265996 (95.6 MiB)
Additional notes:
The VM can reach the internet and is connected via NAT.
The VM uses the host's virbr0 (192.168.122.1) as its gateway.
The VM can reach the host directly (by IP), and VMs in the 192.168.122.x range can reach each other.
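The point a reviewer would check first in a DNAT setup like the one above is not the nat table but the FORWARD chain: after PREROUTING rewrites the destination to 192.168.122.57:22, the packet still has to pass FORWARD as a NEW connection arriving on eth0 and leaving on virbr0. The following is an added example, not code from the post or from libvirt: it parses a trimmed copy of the poster's iptables-save output, simulates that first translated packet through the FORWARD rules in order, and reports which rule decides it. The outside client address 203.0.113.5 and the FIXED_RULES variant (one narrow accept rule placed ahead of libvirt's reject) are assumptions for illustration.

```python
import ipaddress
# Constructed sample, trimmed from the post's iptables-save output: FORWARD and DNAT rules only.
HOST_RULES = """\
*filter
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
-A PREROUTING -d 192.168.137.41/32 -p tcp -m tcp --dport 8022 -j DNAT --to-destination 192.168.122.57:22
COMMIT
"""
# Same dump with one narrow accept for the forwarded port placed ahead of libvirt's reject (assumed fix).
FIXED_RULES = HOST_RULES.replace("*filter\n", "*filter\n-A FORWARD -d 192.168.122.57/32 -o virbr0 "
                                 "-p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT\n", 1)

def parse_rules(dump):
    """Return {table: [token list per -A rule]}, rules in traversal order."""
    tables, cur = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], [])
        elif line.startswith("-A ") and cur is not None:
            cur.append(line.split())
    return tables

def rule_matches(rule, pkt):
    """Simplified matcher for -i/-o/-s/-d/-p/--dport/--state, honouring a preceding '!'."""
    tests = {"-i": lambda v: pkt["in"] == v, "-o": lambda v: pkt["out"] == v,
             "-s": lambda v: pkt["src"] in ipaddress.ip_network(v),
             "-d": lambda v: pkt["dst"] in ipaddress.ip_network(v),
             "-p": lambda v: pkt["proto"] == v, "--dport": lambda v: pkt["dport"] == int(v),
             "--state": lambda v: pkt["state"] in v.split(",")}
    for i, tok in enumerate(rule):
        if tok in tests and tests[tok](rule[i + 1]) == (rule[i - 1] == "!"):
            return False  # a plain match failed, or a negated ('!') match succeeded
    return True

def dnat_forward_verdicts(dump, in_if="eth0", out_if="virbr0", client="203.0.113.5"):
    """Simulate the first (NEW) translated packet of each DNAT rule through FORWARD."""
    tables, out = parse_rules(dump), {}
    for nat in (r for r in tables.get("nat", []) if "DNAT" in r):
        ip, _, port = nat[nat.index("--to-destination") + 1].partition(":")
        pkt = {"in": in_if, "out": out_if, "src": ipaddress.ip_address(client), "state": "NEW",
               "dst": ipaddress.ip_address(ip), "proto": "tcp", "dport": int(port or 0)}
        hit = next((r for r in tables.get("filter", [])
                    if r[1] == "FORWARD" and rule_matches(r, pkt)), None)
        out[f"{ip}:{port}"] = (hit[hit.index("-j") + 1], " ".join(hit)) if hit else ("ACCEPT", "policy")
    return out
```

With the poster's rules the translated SYN is decided by "-A FORWARD -o virbr0 -j REJECT", which is why the INPUT rule for 8022 alone does not make the mapping work; the same walk over FIXED_RULES ends in ACCEPT.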