Apache-2.2
OpenVZ 主機是源 IP 地址而不是實際的網路衝浪者?
我正在經歷一些有點奇怪的事情。我在 CentOS 5 伺服器上執行 OpenZV。看來,在容器上,Apache 網路伺服器看到請求的源 IP 地址是 OpenVZ 主機的 IP 地址,而不是實際衝浪者的 IP 地址。關於為什麼會發生這種情況的任何建議?
這是我的 sysctl.conf:
# packet forwarding enabled and proxy arp disabled net.ipv4.ip_forward = 1 net.ipv6.conf.default.forwarding = 1 net.ipv6.conf.all.forwarding = 1 net.ipv4.conf.default.proxy_arp = 0 # Enables source route verification net.ipv4.conf.all.rp_filter = 1 # Enables the magic-sysrq key kernel.sysrq = 1 # We do not want all our interfaces to send redirects net.ipv4.conf.default.send_redirects = 1 net.ipv4.conf.all.send_redirects = 0
iptables-保存輸出:
# Generated by iptables-save v1.3.5 on Sun Jan 3 15:23:59 2010 *nat :PREROUTING ACCEPT [756200:49422664] :POSTROUTING ACCEPT [903767:67426359] :OUTPUT ACCEPT [369070:31874494] -A POSTROUTING -m mark --mark 0x9 -j MASQUERADE COMMIT # Completed on Sun Jan 3 15:23:59 2010 # Generated by iptables-save v1.3.5 on Sun Jan 3 15:23:59 2010 *mangle :PREROUTING ACCEPT [12320704:7736523164] :INPUT ACCEPT [384169:50094465] :FORWARD ACCEPT [11926020:7685806944] :OUTPUT ACCEPT [386465:36820058] :POSTROUTING ACCEPT [12308944:7722398683] -A PREROUTING -i eth0 -j MARK --set-mark 0x9 COMMIT # Completed on Sun Jan 3 15:23:59 2010 # Generated by iptables-save v1.3.5 on Sun Jan 3 15:23:59 2010 *filter :INPUT ACCEPT [379753:49502640] :FORWARD ACCEPT [11855492:7632198223] :OUTPUT ACCEPT [386465:36820058] :RH-Firewall-1-INPUT - [0:0] COMMIT # Completed on Sun Jan 3 15:23:59 2010
ip ro sh 輸出:
68.168.248.39 dev venet0 scope link 68.168.248.38 dev venet0 scope link 68.168.248.37 dev venet0 scope link 68.168.248.36 dev venet0 scope link 68.168.248.35 dev venet0 scope link 68.168.248.34 dev venet0 scope link 68.168.248.33 dev venet0 scope link 68.168.248.40 dev venet0 scope link 208.89.162.96/27 dev eth0 proto kernel scope link src 208.89.162.114 169.254.0.0/16 dev eth0 scope link default via 208.89.162.97 dev eth0
http://wiki.openvz.org/Differences_between_venet_and_veth
確保您為訪客使用乙太網橋接,而不是“主機級別的 nat”
你是在你的容器中反向 NAT,還是其他一些奇怪的詭計?
我自己在工作中看到了這一點,因為我們有基於 Piranha 的 Web 負載均衡器在工作,所以當一個請求來自公共 IP 時,我 NAT 到我的 Web 伺服器,而不是將它們暴露給 Internet