[已解决]求救! iptables端口映射问题 单机单网卡单ip kvm端口映射

jomcal

最近在搞虚拟化,遇到N多坑, 在网上找了半天也没能解决我的问题,所以只能在这求助各位大牛

物理环境:  1主机 1网卡  1ip

操作系统: CentOS 6.6
网络配置: eth0  192.168.137.41(公网)

宿主系统安装mini桌面版,然后安装virt-manager 后自动安装各种包
用默认的NAT方式连接, 虚拟机可以上网

我想通过访问 192.168.137.41:8022 映射到虚拟机 192.168.122.57:22

虚拟机ip 192.168.122.57

宿主 ip addr 信息 供各位大牛参考

1. 
   
2. [root@localhost ~]# ip addr
   
3. 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
   
4.     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
   
5.     inet 127.0.0.1/8 scope host lo
   
6.     inet6 ::1/128 scope host
   
7.        valid_lft forever preferred_lft forever
   
8. 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
   
9.     link/ether 8c:89:a5:3d:21:0b brd ff:ff:ff:ff:ff:ff
   
10.     inet 192.168.137.41/24 brd 192.168.137.255 scope global eth0
    
11.     inet6 fe80::8e89:a5ff:fe3d:210b/64 scope link
    
12.        valid_lft forever preferred_lft forever
    
13. 3: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    
14.     link/ether 52:54:00:a0:cf:af brd ff:ff:ff:ff:ff:ff
    
15.     inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
    
16. 4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 500
    
17.     link/ether 52:54:00:a0:cf:af brd ff:ff:ff:ff:ff:ff
    
18. 5: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    
19.     link/ether fe:54:00:1b:06:af brd ff:ff:ff:ff:ff:ff
    
20.     inet6 fe80::fc54:ff:fe1b:6af/64 scope link
    
21.        valid_lft forever preferred_lft forever
    

复制代码

宿主iptables配置

1. 
   
2. # Generated by iptables-save v1.4.7 on Fri Jun  5 10:54:41 2015
   
3. *filter
   
4. :INPUT ACCEPT [0:0]
   
5. :FORWARD ACCEPT [0:0]
   
6. :OUTPUT ACCEPT [3643:219865]
   
7. -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
   
8. -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
   
9. -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
   
10. -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
    
11. -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    
12. -A INPUT -p icmp -j ACCEPT
    
13. -A INPUT -i lo -j ACCEPT
    
14. -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    
15. -A INPUT -p tcp -m state --state NEW -m tcp --dport 8022 -j ACCEPT   --- 开放8022端口
    
16. -A INPUT -p tcp -m state --state NEW -m tcp --dport 5901 -j ACCEPT
    
17. -A INPUT -p tcp -m state --state NEW -m tcp --dport 6001 -j ACCEPT
    
18. -A INPUT -j REJECT --reject-with icmp-host-prohibited
    
19. -A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    
20. -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
    
21. -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
    
22. -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
    
23. -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
    
24. -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    
25. COMMIT
    
26. # Completed on Fri Jun  5 10:54:41 2015
    
27. # Generated by iptables-save v1.4.7 on Fri Jun  5 10:54:41 2015
    
28. *mangle
    
29. :PREROUTING ACCEPT [8956:8794119]
    
30. :INPUT ACCEPT [6843:8620681]
    
31. :FORWARD ACCEPT [1993:167412]
    
32. :OUTPUT ACCEPT [3643:219865]
    
33. :POSTROUTING ACCEPT [5636:387277]
    
34. -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
    
35. COMMIT
    
36. # Completed on Fri Jun  5 10:54:41 2015
    
37. # Generated by iptables-save v1.4.7 on Fri Jun  5 10:54:41 2015
    
38. *nat
    
39. :PREROUTING ACCEPT [3:401]
    
40. :POSTROUTING ACCEPT [0:0]
    
41. :OUTPUT ACCEPT [0:0]
    
42. -A PREROUTING -d 192.168.137.41/32 -p tcp -m tcp --dport 8022 -j DNAT --to-destination 192.168.122.57:22    --- 我理解这句为 来自137.41 8022端口的请求 转发到  122.57的22上
    
43. -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
    
44. -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
    
45. -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
    
46. -A POSTROUTING -s 192.168.122.0/24 -d 192.168.122.57/32 -p tcp -m tcp --dport 22 -j SNAT --to-source 192.168.122.1    --- 来自122.0 访问 122.57 的22端口请求 返回给 122.1
    
47. COMMIT
    
48. # Completed on Fri Jun  5 10:54:41 2015
    

复制代码

宿主ifconfig -a

1. 
   
2. [root@localhost ~]# ifconfig -a
   
3. eth0      Link encap:Ethernet  HWaddr 8C:89:A5:3D:21:0B  
   
4.           inet addr:192.168.137.41  Bcast:192.168.137.255  Mask:255.255.255.0
   
5.           inet6 addr: fe80::8e89:a5ff:fe3d:210b/64 Scope:Link
   
6.           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
   
7.           RX packets:107239 errors:0 dropped:0 overruns:0 frame:0
   
8.           TX packets:69853 errors:0 dropped:0 overruns:0 carrier:1
   
9.           collisions:0 txqueuelen:1000
   
10.           RX bytes:107299245 (102.3 MiB)  TX bytes:36702571 (35.0 MiB)
    
11. 
    
12. lo        Link encap:Local Loopback  
    
13.           inet addr:127.0.0.1  Mask:255.0.0.0
    
14.           inet6 addr: ::1/128 Scope:Host
    
15.           UP LOOPBACK RUNNING  MTU:65536  Metric:1
    
16.           RX packets:7537 errors:0 dropped:0 overruns:0 frame:0
    
17.           TX packets:7537 errors:0 dropped:0 overruns:0 carrier:0
    
18.           collisions:0 txqueuelen:0
    
19.           RX bytes:10463908 (9.9 MiB)  TX bytes:10463908 (9.9 MiB)
    
20. 
    
21. virbr0    Link encap:Ethernet  HWaddr 52:54:00:A0:CF:AF  
    
22.           inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
    
23.           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
    
24.           RX packets:38088 errors:0 dropped:0 overruns:0 frame:0
    
25.           TX packets:68673 errors:0 dropped:0 overruns:0 carrier:0
    
26.           collisions:0 txqueuelen:0
    
27.           RX bytes:2180265 (2.0 MiB)  TX bytes:100182484 (95.5 MiB)
    
28. 
    
29. virbr0-nic Link encap:Ethernet  HWaddr 52:54:00:A0:CF:AF  
    
30.           BROADCAST MULTICAST  MTU:1500  Metric:1
    
31.           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    
32.           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    
33.           collisions:0 txqueuelen:500
    
34.           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
    
35. 
    
36. vnet0     Link encap:Ethernet  HWaddr FE:54:00:1B:06:AF  
    
37.           inet6 addr: fe80::fc54:ff:fe1b:6af/64 Scope:Link
    
38.           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
    
39.           RX packets:38088 errors:0 dropped:0 overruns:0 frame:0
    
40.           TX packets:70276 errors:0 dropped:0 overruns:0 carrier:0
    
41.           collisions:0 txqueuelen:500
    
42.           RX bytes:2713497 (2.5 MiB)  TX bytes:100265996 (95.6 MiB)
    

复制代码

补充:
虚拟机可以上网, 并以NAT方式连接网络
虚拟机通过宿主的virbr0 (192.168.122.1) 作为网关联网
虚拟机可以与宿主直连(ip访问) 虚拟机 192.168.122.x段其他虚拟机也可相互访问

yyu0378

做个DNAT端口映射

jomcal

回复 2# yyu0378


    DNAT做了的 在iptables 规则中第41行

yyu0378

回复 3# jomcal
122.57这个主机的默认网关是啥？


   

jomcal

回复 4# yyu0378

这个完整ip是 192.168.122.57   网关是192.168.122.1
   

yestreenstars

1. echo 1 > /proc/sys/net/ipv4/ip_forward
   
2. iptables -F
   
3. iptables -X
   
4. iptables -t nat -F
   
5. iptables -t nat -X
   
6. iptables -t nat -A PREROUTING -d 192.168.137.41/32 -p tcp --dport 8022 -j DNAT --to-destination 192.168.122.57:22
   
7. iptables -t nat -A POSTROUTING -j MASQUERADE

复制代码

在宿主机执行以上操作，看看能否解决问题，如果不能再重启iptables恢复你原来的规则。

jomcal

回复 6# yestreenstars


首先 转发是开启的 否则kvm虚拟机无法上网
另外,这种方法确实可以端口映射
可端口防火墙没了.

yestreenstars

回复 7# jomcal

可以映射那就在此基础上加上其他链的规则咯
   

jomcal

回复 8# yestreenstars


    非常感谢