I have a mixed configuration on Dom0: bridged networking plus a NAT setup. One NIC is connected to the Internet (3 others are unused).
This is my interfaces file:
    # The primary network interface
    iface eth0 inet manual

    auto xenbr0
    iface xenbr0 inet static
            bridge_ports eth0
            address 83.149.69.150
            gateway 83.149.69.190
            netmask 255.255.255.192

    iface xenbr0 inet6 static
            address 2001:1AF8:3100:A00A:21::0000
            netmask 64
            gateway 2001:1AF8:3100:A00A::1
This is the vif line from the Xen configuration file of one of the VMs (domU):
    vif = [ 'ip=83.149.69.154,mac=00:16:3E:5E:96:D7,script=vif-bridge,bridge=xenbr0', 'ip=172.16.1.20,mac=00:16:3E:5E:96:D8' ]
This results in two interfaces on the domU:
    eth0      Link encap:Ethernet  HWaddr 00:16:3e:5e:96:d7
              inet addr:83.149.69.154  Bcast:83.149.69.191  Mask:255.255.255.192
              inet6 addr: 2001:1af8:3100:a00a:21::4/64 Scope:Global
              inet6 addr: fe80::216:3eff:fe5e:96d7/64 Scope:Link
              [...]

    eth1      Link encap:Ethernet  HWaddr 00:16:3e:5e:96:d8
              inet addr:172.16.1.20  Bcast:172.16.255.255  Mask:255.255.0.0
              inet6 addr: fe80::216:3eff:fe5e:96d8/64 Scope:Link
              [...]
But any connection to these VMs appears to originate from the Dom0 (public) IP. I am talking about connections to nginx, apache, ssh, openvpn, etc. The connecting client is always 83.149.69.150 (= reverse DNS: aleph.rootspirit.com).
For example, who:
    # who
    root     pts/0        2014-06-14 14:47 (aleph.rootspirit.com)
Or openvpn (note all the 83.149.69.150 addresses):
    OpenVPN CLIENT LIST
    Updated,Sat Jun 14 14:51:12 2014
    Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
    broserv,83.149.69.150:49545,356124,137293,Sat Jun 14 14:13:26 2014
    pi,83.149.69.150:56293,322082,214456,Sat Jun 14 14:13:35 2014
    heartbeat,83.149.69.150:42122,549631,1264272,Sat Jun 14 14:13:26 2014
    industry,83.149.69.150:37885,759137,365405,Sat Jun 14 14:13:06 2014
What is causing this strange behaviour?
EDIT:
I have this in my iptables:
    iptables -t nat -A POSTROUTING -o xenbr0 -j MASQUERADE
When I remove that line, it works correctly:
    # who
    root     pts/0        2014-06-14 19:39 (213.219.144.38.adsl.dyn.edpnet.net)
But the VMs that are reachable only via NAT can no longer access the Internet:
    # ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    ^C
    --- 8.8.8.8 ping statistics ---
    5 packets transmitted, 0 received, 100% packet loss, time 3999ms
iptables:
    aleph /etc # iptables -L -nv
    Chain INPUT (policy ACCEPT 3321 packets, 5903K bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 1677 packets, 117K bytes)
     pkts bytes target     prot opt in     out     source               destination
    14511 3725K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-is-bridged
    18653 3752K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

    Chain OUTPUT (policy ACCEPT 1887 packets, 4659K bytes)
     pkts bytes target     prot opt in     out     source               destination

    aleph /etc # iptables -t nat -L -nv
    Chain PREROUTING (policy ACCEPT 1365 packets, 96941 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:12223 to:172.16.1.1:22
        2   124 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:25 to:172.16.1.1
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:53 to:172.16.1.1
      558 38901 DNAT       udp  --  *      *       0.0.0.0/0            83.149.69.128/26     udp dpt:53 to:172.16.1.1
        2   128 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:465 to:172.16.1.1
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:4950 to:172.16.1.1
        7   420 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:110 to:172.16.1.1
        2   104 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:143 to:172.16.1.1
       12   720 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:993 to:172.16.1.1
        4   208 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:995 to:172.16.1.1
        2   104 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:21 to:172.16.1.2
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:2121 to:172.16.1.2:21
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:20 to:172.16.1.2
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:4951 to:172.16.1.2
        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpts:50000:51000 to:172.16.1.2
        5   300 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:12222 to:172.16.1.2:22

    Chain INPUT (policy ACCEPT 48 packets, 2802 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 58 packets, 3688 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 637 packets, 43589 bytes)
     pkts bytes target     prot opt in     out     source               destination
     1320 94863 MASQUERADE  all  --  *      xenbr0  0.0.0.0/0            0.0.0.0/0
This happens because your Dom0 does not have any interface on the private network.
You should set up separate bridges for the internal and the public IP addresses.
Something like this:
    auto xenbr0
    iface xenbr0 inet static
            bridge_ports eth0
            address 83.149.69.150
            gateway 83.149.69.190
            netmask 255.255.255.192

    iface xenbr0 inet6 static
            address 2001:1AF8:3100:A00A:21::0000
            netmask 64
            gateway 2001:1AF8:3100:A00A::1

    iface dummy0 inet manual

    auto xenbr1
    iface xenbr1 inet static
            bridge_ports dummy0
            address 172.16.1.19
            netmask 255.255.255.0
And then, correspondingly, in your domU configuration:
    vif = [ 'ip=83.149.69.154,mac=00:16:3E:5E:96:D7,script=vif-bridge,bridge=xenbr0', 'ip=172.16.1.20,mac=00:16:3E:5E:96:D8,bridge=xenbr1' ]
This way your dom0 will have its own IP address on both the internal network and the public network.
EDIT: In addition to the configuration above, use this NAT rule:
    iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -o xenbr0 -j SNAT --to-source 83.149.69.150
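An added audit check, not part of the question or the answer above: it scans nat rules in iptables-save format for POSTROUTING MASQUERADE/SNAT rules that carry no -s source match, which is the shape of the rule that made every connection look as if it came from Dom0. The sample rules are constructed from the rules shown on this page; feed it `iptables-save -t nat` output to check a live host.

```shell
#!/bin/sh
# Audit helper (added example, not from the original post): report
# POSTROUTING MASQUERADE/SNAT rules that have no "-s" source restriction.
# Matching only on "-o <bridge>" rewrites the source of every packet that
# leaves that bridge, including bridged traffic on its way to domUs with
# public addresses, so clients all appear to be Dom0. Scoping the rule
# with "-s <private-net>" limits the rewrite to the NAT-only guests.

# Constructed sample in iptables-save format: the original unscoped
# MASQUERADE rule next to the scoped SNAT rule from the answer.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 83.149.69.128/26 -p tcp --dport 12223 -j DNAT --to-destination 172.16.1.1:22
-A POSTROUTING -o xenbr0 -j MASQUERADE
-A POSTROUTING -s 172.16.1.0/24 -o xenbr0 -j SNAT --to-source 83.149.69.150
COMMIT'

# Reads iptables-save lines on stdin, prints each unscoped source-NAT
# rule, and exits 1 if any was found (0 otherwise).
find_unscoped_nat() {
    awk '
        /^-A POSTROUTING / && /-j (MASQUERADE|SNAT)/ {
            scoped = 0
            # A negated match ("! -s") does not count as a restriction.
            for (i = 1; i <= NF; i++)
                if ($i == "-s" && $(i - 1) != "!") scoped = 1
            if (!scoped) { print; found = 1 }
        }
        END { if (found) exit 1 }
    '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | find_unscoped_nat \
    || echo "unscoped source-NAT rule(s) listed above"
```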