CentOS 7.2.1511 libvirt firewall configuration

I have several CentOS 7 setups where I use iptables to forward ports from the host to the guests. Recently I updated to 7.2.1511, and it seems libvirt insists that firewalld is active and uses iptables commands directly.

Below is the XML configuration of my virtual network VMmaint.

    <network connections='11'>
      <name>VMmaint</name>
      <uuid>2d218af6-b374-41b3-8a7e-2de7a02e62a9</uuid>
      <forward dev='em1' mode='nat'>
        <nat>
          <port start='1024' end='65535'/>
        </nat>
        <interface dev='em1'/>
      </forward>
      <bridge name='VMmaint' stp='on' delay='0'/>
      <mac address='52:54:00:ab:82:15'/>
      <ip address='192.168.100.1' netmask='255.255.255.0'>
        <dhcp>
          <range start='192.168.100.10' end='192.168.100.254'/>
          <host mac='52:54:00:f7:df:11' ip='192.168.100.11'/>
          <host mac='52:54:00:f1:bb:18' ip='192.168.100.12'/>
          <host mac='52:54:00:cf:33:59' ip='192.168.100.13'/>
          <host mac='52:54:00:57:e2:6a' ip='192.168.100.14'/>
          <host mac='52:54:00:72:8e:ce' ip='192.168.100.15'/>
          <host mac='52:54:00:25:3e:34' ip='192.168.100.16'/>
          <host mac='52:54:00:8a:31:3e' ip='192.168.100.17'/>
          <host mac='52:54:00:dd:5f:dd' ip='192.168.100.18'/>
          <host mac='52:54:00:67:0b:fa' ip='192.168.100.19'/>
          <host mac='52:54:00:0d:37:bd' ip='192.168.100.20'/>
          <host mac='52:54:00:a5:7a:02' ip='192.168.100.21'/>
          <host mac='52:54:00:e2:8d:94' ip='192.168.100.22'/>
          <host mac='52:54:00:12:fb:15' ip='192.168.100.23'/>
          <host mac='52:54:00:01:cb:98' ip='192.168.100.24'/>
          <host mac='52:54:00:b0:d5:04' ip='192.168.100.25'/>
          <host mac='52:54:00:6c:bf:9e' ip='192.168.100.26'/>
          <host mac='52:54:00:d4:cc:5a' ip='192.168.100.27'/>
          <host mac='52:54:00:6e:1d:8d' ip='192.168.100.28'/>
          <host mac='52:54:00:aa:31:17' ip='192.168.100.29'/>
          <host mac='52:54:00:42:d8:e5' ip='192.168.100.30'/>
          <host mac='52:54:00:28:15:d5' ip='192.168.100.31'/>
          <host mac='52:54:00:99:56:a1' ip='192.168.100.32'/>
          <host mac='52:54:00:7a:e6:09' ip='192.168.100.33'/>
          <host mac='52:54:00:2a:fe:67' ip='192.168.100.34'/>
          <host mac='52:54:00:f1:95:37' ip='192.168.100.35'/>
          <host mac='52:54:00:a9:4f:92' ip='192.168.100.36'/>
          <host mac='52:54:00:ee:7d:40' ip='192.168.100.37'/>
          <host mac='52:54:00:51:40:33' ip='192.168.100.38'/>
          <host mac='52:54:00:b1:0c:6e' ip='192.168.100.39'/>
          <host mac='52:54:00:2f:9f:ad' ip='192.168.100.40'/>
          <host mac='52:54:00:c6:7e:1c' ip='192.168.100.41'/>
          <host mac='52:54:00:6f:96:82' ip='192.168.100.42'/>
          <host mac='52:54:00:e4:a8:b0' ip='192.168.100.43'/>
          <host mac='52:54:00:4f:c6:97' ip='192.168.100.44'/>
          <host mac='52:54:00:e2:1a:36' ip='192.168.100.45'/>
          <host mac='52:54:00:bd:59:03' ip='192.168.100.46'/>
          <host mac='52:54:00:f2:ca:f0' ip='192.168.100.47'/>
          <host mac='52:54:00:f4:35:85' ip='192.168.100.48'/>
          <host mac='52:54:00:c6:2f:84' ip='192.168.100.49'/>
          <host mac='52:54:00:e7:74:a4' ip='192.168.100.50'/>
        </dhcp>
      </ip>
    </network>

But as soon as the network is active, I see the following in /var/log/firewalld:

    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table mangle --delete POSTROUTING --out-interface VMmaint --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill' failed: iptables: No chain/target/match by that name.
    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete FORWARD --destination 192.168.100.0/24 --in-interface em1 --out-interface VMmaint --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete FORWARD --source 192.168.100.0/24 --in-interface VMmaint --out-interface em1 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete FORWARD --in-interface VMmaint --out-interface VMmaint --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete FORWARD --out-interface VMmaint --jump REJECT' failed: iptables: No chain/target/match by that name.
    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete FORWARD --in-interface VMmaint --jump REJECT' failed: iptables: No chain/target/match by that name.
    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface VMmaint --protocol udp --destination-port 53 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface VMmaint --protocol tcp --destination-port 53 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete OUTPUT --out-interface VMmaint --protocol udp --destination-port 68 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface VMmaint --protocol udp --destination-port 67 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
    2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface VMmaint --protocol tcp --destination-port 67 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).

It seems there is some default configuration in libvirtd that does not interact well with firewalld. I would prefer to learn the correct way to configure this through libvirt, without having to run any separate scripts.

morganyang1982

Posts: 2 Registered: 2016/03/18 13:50:52
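As an added example (not part of the original post), a small Python parser for the COMMAND_FAILED lines firewalld writes in the format quoted above; the sample lines are constructed from that log, and grouping by reason separates deletes of rules that were never inserted ("Bad rule") from chains, targets or match extensions that could not be found.

```python
import re
from collections import Counter

# Constructed sample in the format of the /var/log/firewalld lines quoted above, plus one unrelated line.
SAMPLE_LOG = """\
2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table mangle --delete POSTROUTING --out-interface VMmaint --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill' failed: iptables: No chain/target/match by that name.
2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete FORWARD --source 192.168.100.0/24 --in-interface VMmaint --out-interface em1 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
2016-03-18 14:07:00 ERROR: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface VMmaint --protocol udp --destination-port 67 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
2016-03-18 14:07:01 WARNING: constructed unrelated line
"""
# Shape of a firewalld COMMAND_FAILED line: timestamp, quoted command, reason.
LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ERROR: COMMAND_FAILED: "
    r"'(?P<cmd>[^']*)' failed: (?P<reason>.*)$"
)
# Long-form iptables options as libvirt passes them in the log above.
TABLE_RE = re.compile(r"--table (\S+)")
ACTION_RE = re.compile(r"--(delete|insert|append) (\S+)")
IFACE_RE = re.compile(r"--(?:in|out)-interface (\S+)")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not a COMMAND_FAILED line
    cmd = m.group("cmd")
    table = TABLE_RE.search(cmd)
    action = ACTION_RE.search(cmd)
    # Normalise "iptables: Bad rule (...)." to "Bad rule (...)".
    reason = m.group("reason").rstrip(".")
    if reason.startswith("iptables: "):
        reason = reason[len("iptables: "):]
    return {
        "table": table.group(1) if table else None,
        "action": action.group(1) if action else None,
        "chain": action.group(2) if action else None,
        "ifaces": sorted(set(IFACE_RE.findall(cmd))),
        "reason": reason,
    }

def summarize(text):
    # "Bad rule" means the rule being deleted was never in that chain;
    # "No chain/target/match" means the chain, target or match extension is missing.
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return {
        "events": events,
        "by_reason": Counter(e["reason"] for e in events),
        "by_chain": Counter((e["table"], e["chain"]) for e in events),
        "ifaces": {i for e in events for i in e["ifaces"]},
    }
```

Run it over the real file with `summarize(open("/var/log/firewalld").read())` to see which tables and chains the failing libvirt commands touch.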

There may be a rogue firewalld process involved, similar to this: firewalld errors when adding http

Try stopping the firewall, killing any remaining firewalld processes, and starting it again.

    systemctl stop firewalld
    pkill -f firewalld
    systemctl start firewalld

On a more general note: disabling firewalld and rolling your own firewall with a bash script or something like shorewall is perfectly valid.