Apache-2.2

OpenVZ 主機是源 IP 地址而不是實際的網路衝浪者?

  • August 5, 2010

我正在經歷一些有點奇怪的事情。我在 CentOS 5 伺服器上執行 OpenZV。看來,在容器上,Apache 網路伺服器看到請求的源 IP 地址是 OpenVZ 主機的 IP 地址,而不是實際衝浪者的 IP 地址。關於為什麼會發生這種情況的任何建議?

這是我的 sysctl.conf:

# packet forwarding enabled and proxy arp disabled
net.ipv4.ip_forward = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.default.proxy_arp = 0

# Enables source route verification
net.ipv4.conf.all.rp_filter = 1

# Enables the magic-sysrq key
kernel.sysrq = 1

# We do not want all our interfaces to send redirects
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0

iptables-保存輸出:

# Generated by iptables-save v1.3.5 on Sun Jan  3 15:23:59 2010
*nat
:PREROUTING ACCEPT [756200:49422664]
:POSTROUTING ACCEPT [903767:67426359]
:OUTPUT ACCEPT [369070:31874494]
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE 
COMMIT
# Completed on Sun Jan  3 15:23:59 2010
# Generated by iptables-save v1.3.5 on Sun Jan  3 15:23:59 2010
*mangle
:PREROUTING ACCEPT [12320704:7736523164]
:INPUT ACCEPT [384169:50094465]
:FORWARD ACCEPT [11926020:7685806944]
:OUTPUT ACCEPT [386465:36820058]
:POSTROUTING ACCEPT [12308944:7722398683]
-A PREROUTING -i eth0 -j MARK --set-mark 0x9 
COMMIT
# Completed on Sun Jan  3 15:23:59 2010
# Generated by iptables-save v1.3.5 on Sun Jan  3 15:23:59 2010
*filter
:INPUT ACCEPT [379753:49502640]
:FORWARD ACCEPT [11855492:7632198223]
:OUTPUT ACCEPT [386465:36820058]
:RH-Firewall-1-INPUT - [0:0]
COMMIT
# Completed on Sun Jan  3 15:23:59 2010

ip ro sh 輸出:

68.168.248.39 dev venet0  scope link 
68.168.248.38 dev venet0  scope link 
68.168.248.37 dev venet0  scope link 
68.168.248.36 dev venet0  scope link 
68.168.248.35 dev venet0  scope link 
68.168.248.34 dev venet0  scope link 
68.168.248.33 dev venet0  scope link 
68.168.248.40 dev venet0  scope link 
208.89.162.96/27 dev eth0  proto kernel  scope link  src 208.89.162.114 
169.254.0.0/16 dev eth0  scope link 
default via 208.89.162.97 dev eth0 

http://wiki.openvz.org/Differences_between_venet_and_veth

確保您為訪客使用乙太網橋接,而不是“主機級別的 nat”

你是在你的容器中反向 NAT,還是其他一些奇怪的詭計?

我自己在工作中看到了這一點,因為我們有基於 Piranha 的 Web 負載均衡器在工作,所以當一個請求來自公共 IP 時,我 NAT 到我的 Web 伺服器,而不是將它們暴露給 Internet

引用自:https://serverfault.com/questions/99026