Iptables

libvirt / KVM:將 ssl 轉發到 VM 會破壞 VM 上的 Internet

  • June 23, 2018

我的 qemu 鉤子腳本如下所示:

#!/bin/bash

# IMPORTANT: Change the "VM NAME" string to match your actual VM Name.
# In order to create rules to other VMs, just duplicate the below block and configure
# it accordingly.
if [ "${1}" = "win2k16" ]; then

  # Update the following variables to fit your setup
  GUEST_IP=192.168.122.100
  GUEST_PORT=3389
  HOST_PORT=49305

  if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
       /sbin/iptables -D FORWARD -o virbr0 -d  $GUEST_IP -j ACCEPT
       /sbin/iptables -t nat -D PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
  fi
  if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
       /sbin/iptables -I FORWARD -o virbr0 -d  $GUEST_IP -j ACCEPT
       /sbin/iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
  fi
fi

if [ "${1}" = "win2k16" ]; then

  # Update the following variables to fit your setup
  GUEST_IP=192.168.122.100
  GUEST_PORT=25
  HOST_PORT=25

  if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
       /sbin/iptables -t nat -D PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
  fi
  if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
       /sbin/iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
  fi
fi

if [ "${1}" = "win2k16" ]; then

  # Update the following variables to fit your setup
  GUEST_IP=192.168.122.100
  GUEST_PORT=443
  HOST_PORT=443

  if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
       /sbin/iptables -t nat -D PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
  fi
  if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
       /sbin/iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
  fi
fi

我現在的問題是,如果我將 SSL(埠 443)轉發到我的 Windows 虛擬機,在 Windows 虛擬機上我只能通過 https 訪問Google,我無法打開任何其他使用 https 的網頁。http 工作正常。在鉤子腳本中刪除 443 轉發的行時,VM 中的網際網路再次適用於 https 頁面。我在這裡想念什麼?

我自己解決了。

我的eth0介面只有一個外部IP,所以我加了“-d

$$ External IP $$/32" 現在它工作正常。 這條線看起來像這樣

/sbin/iptables -t nat -A PREROUTING -p tcp -d [external IP]/32 --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT

引用自:https://serverfault.com/questions/917884

相關問答

Iptables

如何防止 libvirt 為訪客 NAT 網路添加 iptables 規則?

  • March 26, 2022
檢視問答
Iptables

使用 nat 進行 libvirt 和網路過濾 - iptables 覆蓋

  • January 3, 2019
檢視問答
Iptables

libvirt 和主機防火牆

  • January 27, 2015
檢視問答
Iptables

libvirt vm 無法連接到 smtp

  • June 10, 2013
檢視問答
Centos

設置主機防火牆,以便虛擬機從 dnsmasq 獲取動態 IP

  • December 6, 2009
檢視問答
Kvm-Virtualization

了解 VirtManager (LibVirt) 的目前/最大分配

  • November 12, 2022
檢視問答