Ubuntu iptables libvirt port forwarding

For the past few days I have been banging my head against the wall trying to figure out how to allow connections to a virtual machine on ports 443 and 8443.

Here is some information about the system.

ifconfig before the VM is started

    ens3      Link encap:Ethernet  HWaddr fa:16:3e:7a:fd:c3
              inet addr:xxx45  Bcast:xxx45  Mask:255.255.255.255
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1809 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1673 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:145652 (145.6 KB)  TX bytes:130509 (130.5 KB)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:808 errors:0 dropped:0 overruns:0 frame:0
              TX packets:808 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1
              RX bytes:74740 (74.7 KB)  TX bytes:74740 (74.7 KB)

    virbr0    Link encap:Ethernet  HWaddr 52:54:00:c4:48:90
              inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:53 errors:0 dropped:0 overruns:0 frame:0
              TX packets:40 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:4071 (4.0 KB)  TX bytes:6578 (6.5 KB)

    virbr1    Link encap:Ethernet  HWaddr 52:54:00:9f:72:7f
              inet addr:192.168.42.1  Bcast:192.168.42.255  Mask:255.255.255.0
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:1077 errors:0 dropped:0 overruns:0 frame:0
              TX packets:917 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:695843 (695.8 KB)  TX bytes:169696 (169.6 KB)

ifconfig after the VM is started

    ens3      Link encap:Ethernet  HWaddr fa:16:3e:7a:fd:c3
              inet addr:xxx45  Bcast:xxx45  Mask:255.255.255.255
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:2026 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1902 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:162734 (162.7 KB)  TX bytes:153951 (153.9 KB)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:1296 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1296 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1
              RX bytes:121712 (121.7 KB)  TX bytes:121712 (121.7 KB)

    virbr0    Link encap:Ethernet  HWaddr 52:54:00:c4:48:90
              inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:96 errors:0 dropped:0 overruns:0 frame:0
              TX packets:73 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:7526 (7.5 KB)  TX bytes:12615 (12.6 KB)

    virbr1    Link encap:Ethernet  HWaddr 52:54:00:9f:72:7f
              inet addr:192.168.42.1  Bcast:192.168.42.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:2118 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1792 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:1386531 (1.3 MB)  TX bytes:333696 (333.6 KB)

    vnet0     Link encap:Ethernet  HWaddr fe:54:00:ee:5c:d0
              inet6 addr: fe80::fc54:ff:feee:5cd0/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:43 errors:0 dropped:0 overruns:0 frame:0
              TX packets:83 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:4057 (4.0 KB)  TX bytes:8869 (8.8 KB)

    vnet1     Link encap:Ethernet  HWaddr fe:54:00:0b:15:eb
              inet6 addr: fe80::fc54:ff:fe0b:15eb/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1041 errors:0 dropped:0 overruns:0 frame:0
              TX packets:936 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:705262 (705.2 KB)  TX bytes:167544 (167.5 KB)

iptables -S

    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
    -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
    -A INPUT -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
    -A INPUT -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
    -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
    -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
    -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -i virbr1 -o virbr1 -j ACCEPT
    -A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
    -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
    -A OUTPUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT

iptables -L

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
    ACCEPT     all  --  192.168.122.0/24     anywhere
    ACCEPT     all  --  anywhere             anywhere
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
    ACCEPT     all  --  anywhere             anywhere
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

VM ifconfig

    docker0   Link encap:Ethernet  HWaddr 02:42:0F:C1:9D:47
              inet addr:172.17.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
              inet6 addr: fe80::42:fff:fec1:9d47/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:230 errors:0 dropped:0 overruns:0 frame:0
              TX packets:216 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:19661 (19.2 KiB)  TX bytes:28440 (27.7 KiB)

    eth0      Link encap:Ethernet  HWaddr 52:54:00:EE:5C:D0
              inet addr:192.168.122.135  Bcast:192.168.122.255  Mask:255.255.255.0
              inet6 addr: fe80::5054:ff:feee:5cd0/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:63 errors:0 dropped:0 overruns:0 frame:0
              TX packets:73 errors:0 dropped:0 overruns:0 carrier:0
              collisions:312 txqueuelen:1000
              RX bytes:7723 (7.5 KiB)  TX bytes:6469 (6.3 KiB)

    eth1      Link encap:Ethernet  HWaddr 52:54:00:0B:15:EB
              inet addr:192.168.42.201  Bcast:192.168.42.255  Mask:255.255.255.0
              inet6 addr: fe80::5054:ff:fe0b:15eb/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:914 errors:0 dropped:0 overruns:0 frame:0
              TX packets:759 errors:0 dropped:0 overruns:0 carrier:0
              collisions:3960 txqueuelen:1000
              RX bytes:157257 (153.5 KiB)  TX bytes:690751 (674.5 KiB)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:22041 errors:0 dropped:0 overruns:0 frame:0
              TX packets:22041 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1
              RX bytes:40447910 (38.5 MiB)  TX bytes:40447910 (38.5 MiB)

    veth159e182 Link encap:Ethernet  HWaddr 52:8A:03:66:BA:E3
              inet6 addr: fe80::508a:3ff:fe66:bae3/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:203 errors:0 dropped:0 overruns:0 frame:0
              TX packets:205 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:20046 (19.5 KiB)  TX bytes:18696 (18.2 KiB)

I have tried the following

    iptables -t nat -I PREROUTING -p tcp --dport 443 -j DNAT --to 192.168.122.135:443
    iptables -t nat -I PREROUTING -p tcp --dport 8443 -j DNAT --to 192.168.122.135:8443
    iptables -I FORWARD -o virbr0 -d 192.168.122.135 -j ACCEPT

I also tried this

    iptables -t nat -I PREROUTING -p tcp --dport 443 -j DNAT --to 192.168.42.201:443
    iptables -t nat -I PREROUTING -p tcp --dport 8443 -j DNAT --to 192.168.42.201:8443
    iptables -I FORWARD -o virbr0 -d 192.168.42.201 -j ACCEPT

When I try to connect to the server using Chrome, the IP address gets changed to the local IP address. See the pictures.

Picture 1

Picture 2

Can someone help me figure out what I am doing wrong? Any help is greatly appreciated.
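Added example (my own code, not part of the question above): a small POSIX shell script that generates DNAT/FORWARD rules for a libvirt guest and checks an `iptables -S FORWARD` dump for the ordering problem that libvirt's per-bridge REJECT rules create. It assumes `ens3` is the external interface (the interface carrying the public address in the host ifconfig), takes the bridge subnets from the host ifconfig shown (virbr0 192.168.122.0/24, virbr1 192.168.42.0/24), and uses the guest addresses from the VM ifconfig. The function names (`bridge_for`, `forward_rules`, `forward_order_ok`) and the two rule dumps are constructed for this example; nothing here runs iptables, it only prints rules and inspects text.

```shell
#!/bin/sh
# Added example, not from the original question: build libvirt-aware
# DNAT/FORWARD rules for a guest and check rule order in an
# `iptables -S FORWARD` dump. No iptables calls are made.

# Bridge -> subnet map, taken from the host ifconfig in the question.
BRIDGE_MAP="virbr0 192.168.122.0/24 virbr1 192.168.42.0/24"

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NET/PREFIX -> success when IP lies inside NET/PREFIX
in_subnet() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    prefix=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# bridge_for IP -> prints the libvirt bridge whose subnet holds IP.
# Catches a FORWARD rule that names the wrong bridge for the guest address.
bridge_for() {
    target=$1
    set -- $BRIDGE_MAP
    while [ $# -ge 2 ]; do
        if in_subnet "$target" "$2"; then
            echo "$1"
            return 0
        fi
        shift 2
    done
    echo "no libvirt bridge holds $target" >&2
    return 1
}

# forward_rules EXT_IF PORT GUEST_IP -> prints three iptables commands:
#   1. DNAT pinned to the external interface, so packets that arrive from
#      the guest bridges are never rewritten;
#   2. FORWARD ACCEPT inserted at position 1, ahead of libvirt's own
#      "-o virbrN -j REJECT" rule for that bridge;
#   3. the reverse ACCEPT for the guest's replies (libvirt adds one for its
#      NAT network, but not for an isolated bridge such as virbr1 above).
forward_rules() {
    ext=$1; port=$2; guest=$3
    br=$(bridge_for "$guest") || return 1
    echo "iptables -t nat -I PREROUTING -i $ext -p tcp --dport $port -j DNAT --to-destination $guest:$port"
    echo "iptables -I FORWARD 1 -i $ext -o $br -d $guest -p tcp --dport $port -j ACCEPT"
    echo "iptables -I FORWARD 1 -i $br -o $ext -s $guest -p tcp --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT"
}

# forward_order_ok "<iptables -S FORWARD output>" BRIDGE GUEST_IP
# Succeeds only when an ACCEPT for GUEST_IP leaving via BRIDGE is listed
# before the bridge's catch-all "-o BRIDGE -j REJECT"; a rule appended with
# -A instead of inserted with -I lands after the REJECT and never matches.
forward_order_ok() {
    dump=$1; br=$2; guest=$3
    accept_at=$(printf '%s\n' "$dump" | grep -n -- "-o $br" | grep -- "-d $guest" \
                | grep -- "-j ACCEPT" | head -n 1 | cut -d: -f1)
    reject_at=$(printf '%s\n' "$dump" | grep -n -- "-o $br -j REJECT" | head -n 1 | cut -d: -f1)
    [ -n "$accept_at" ] && [ -n "$reject_at" ] && [ "$accept_at" -lt "$reject_at" ]
}

# Constructed dumps in `iptables -S FORWARD` form: the libvirt rules from
# the question with the guest rule inserted at the top (-I) versus appended
# at the bottom (-A).
GOOD_DUMP='-P FORWARD ACCEPT
-A FORWARD -d 192.168.122.135/32 -o virbr0 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable'

BAD_DUMP='-P FORWARD ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.122.135/32 -o virbr0 -j ACCEPT'

# Usage: print the rules for both ports, then check the two dumps.
for port in 443 8443; do
    forward_rules ens3 "$port" 192.168.122.135
done
forward_order_ok "$GOOD_DUMP" virbr0 192.168.122.135 && echo "GOOD_DUMP: guest ACCEPT precedes libvirt REJECT"
forward_order_ok "$BAD_DUMP" virbr0 192.168.122.135 || echo "BAD_DUMP: guest ACCEPT is shadowed by libvirt REJECT"
```

The check only covers the filter-table side: it tells you whether the guest's ACCEPT can ever be reached on the chosen bridge and whether the destination actually sits behind that bridge. The `-i ens3` on the DNAT rule is there so that only traffic arriving on the external interface is redirected; a PREROUTING DNAT with no interface match also applies to packets coming in from virbr0 and virbr1.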