Iptables

libvirt / KVM: forwarding ssl to the VM breaks the Internet on the VM

  • June 23, 2018

My qemu hook script looks like this:

#!/bin/bash

# IMPORTANT: Change the "VM NAME" string to match your actual VM Name.
# In order to create rules to other VMs, just duplicate the below block and configure
# it accordingly.
if [ "${1}" = "win2k16" ]; then

  # Update the following variables to fit your setup
  GUEST_IP=192.168.122.100
  GUEST_PORT=3389
  HOST_PORT=49305

  if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
       /sbin/iptables -D FORWARD -o virbr0 -d  $GUEST_IP -j ACCEPT
       /sbin/iptables -t nat -D PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
  fi
  if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
       /sbin/iptables -I FORWARD -o virbr0 -d  $GUEST_IP -j ACCEPT
       /sbin/iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
  fi
fi

if [ "${1}" = "win2k16" ]; then

  # Update the following variables to fit your setup
  GUEST_IP=192.168.122.100
  GUEST_PORT=25
  HOST_PORT=25

  if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
       /sbin/iptables -t nat -D PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
  fi
  if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
       /sbin/iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
  fi
fi

if [ "${1}" = "win2k16" ]; then

  # Update the following variables to fit your setup
  GUEST_IP=192.168.122.100
  GUEST_PORT=443
  HOST_PORT=443

  if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
       /sbin/iptables -t nat -D PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
  fi
  if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
       /sbin/iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
  fi
fi

My problem now is that if I forward SSL (port 443) to my Windows VM, on the Windows VM I can only reach Google over https; I cannot open any other web page that uses https. http works fine. When I remove the 443 forwarding lines from the hook script, the Internet in the VM works again for https pages. What am I missing here?

I solved it myself.

My eth0 interface has only one external IP, so I added "-d [External IP]/32" and now it works fine. The line looks like this:

/sbin/iptables -t nat -A PREROUTING -p tcp -d [external IP]/32 --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
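A scoped version of the hook, added here as an example (it is not the asker's script and not libvirt's own code): each DNAT rule is limited to the external interface and address, as the answer does with -d, so packets the guest itself sends out through virbr0 (which PREROUTING also sees) no longer match the rule and get bounced back to the guest. The interface eth0, the address 203.0.113.10 and the function names are assumptions; by default it only prints the rules it would apply.

```shell
#!/bin/sh
# Added example, not the poster's hook. Placeholders (assumptions):
# EXT_IF=eth0, EXT_IP=203.0.113.10, guest 192.168.122.100.
# IPT defaults to a dry run that prints each rule; set IPT=/sbin/iptables to apply.
IPT="${IPT:-echo /sbin/iptables}"
EXT_IF="${EXT_IF:-eth0}"
EXT_IP="${EXT_IP:-203.0.113.10}"
VM_NAME="win2k16"

# apply_forward OP HOST_PORT GUEST_IP GUEST_PORT   (OP is -I to add, -D to remove)
apply_forward() {
  op=$1; host_port=$2; guest_ip=$3; guest_port=$4
  # $IPT is expanded unquoted on purpose so the dry-run prefix splits into words.
  # DNAT only traffic that arrives on the external interface for the external IP;
  # guest-originated packets enter on virbr0 with foreign destinations and skip it.
  $IPT -t nat "$op" PREROUTING -i "$EXT_IF" -d "$EXT_IP/32" -p tcp \
    --dport "$host_port" -j DNAT --to-destination "$guest_ip:$guest_port"
  # Let the translated packets reach the guest (dport is the guest port after DNAT).
  $IPT "$op" FORWARD -i "$EXT_IF" -o virbr0 -d "$guest_ip" -p tcp \
    --dport "$guest_port" -j ACCEPT
}

# forward_all OP: every mapping for the VM, one line each (same ports as the question)
forward_all() {
  apply_forward "$1" 49305 192.168.122.100 3389   # RDP on a non-default host port
  apply_forward "$1" 25    192.168.122.100 25     # SMTP
  apply_forward "$1" 443   192.168.122.100 443    # HTTPS
}

# hook_main VM EVENT: the first two arguments libvirt passes to /etc/libvirt/hooks/qemu
hook_main() {
  [ "$1" = "$VM_NAME" ] || return 0
  case "$2" in
    start)     forward_all -I ;;
    stopped)   forward_all -D ;;
    reconnect) forward_all -D; forward_all -I ;;   # same delete-then-insert as the question
  esac
  return 0
}

hook_main "$@"
```

After applying it for real, `/sbin/iptables -t nat -S PREROUTING` shows whether the `-i eth0 -d 203.0.113.10/32` scoping is present on each DNAT rule.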

Source: https://serverfault.com/questions/917884