Iptables
libvirt / KVM: forwarding SSL to a VM breaks the VM's Internet access
My qemu hook script looks like this:
    #!/bin/bash
    # IMPORTANT: Change the "VM NAME" string to match your actual VM Name.
    # In order to create rules to other VMs, just duplicate the below block and configure
    # it accordingly.

    # RDP: host port 49305 -> guest port 3389
    if [ "${1}" = "win2k16" ]; then
        # Update the following variables to fit your setup
        GUEST_IP=192.168.122.100
        GUEST_PORT=3389
        HOST_PORT=49305

        if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
            /sbin/iptables -D FORWARD -o virbr0 -d $GUEST_IP -j ACCEPT
            /sbin/iptables -t nat -D PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
        fi
        if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
            /sbin/iptables -I FORWARD -o virbr0 -d $GUEST_IP -j ACCEPT
            /sbin/iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
        fi
    fi

    # SMTP: host port 25 -> guest port 25
    if [ "${1}" = "win2k16" ]; then
        # Update the following variables to fit your setup
        GUEST_IP=192.168.122.100
        GUEST_PORT=25
        HOST_PORT=25

        if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
            /sbin/iptables -t nat -D PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
        fi
        if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
            /sbin/iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
        fi
    fi

    # HTTPS: host port 443 -> guest port 443
    if [ "${1}" = "win2k16" ]; then
        # Update the following variables to fit your setup
        GUEST_IP=192.168.122.100
        GUEST_PORT=443
        HOST_PORT=443

        if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
            /sbin/iptables -t nat -D PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
        fi
        if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
            /sbin/iptables -t nat -I PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
        fi
    fi
My problem now is this: if I forward SSL (port 443) to my Windows VM, then inside the Windows VM I can only reach Google over https; I cannot open any other web page that uses https. http works fine. When I remove the lines for the 443 forward from the hook script, the Internet in the VM works again for https pages. What am I missing here?
I solved it myself.
My eth0 interface has only one external IP, so I added "-d [External IP]/32" and now it works fine. The line looks like this:
    /sbin/iptables -t nat -A PREROUTING -p tcp -d [external IP]/32 --dport $HOST_PORT -j DNAT --to $GUEST_IP:$GUEST_PORT
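As an added example that is not part of the original question or answer, the hook script below applies the fix the answer describes to all three forwards at once: every DNAT rule is pinned to the host's public address, so packets the guest itself sends out through virbr0 are never rewritten back to the guest. It also adds a DRY_RUN mode that prints the iptables commands instead of executing them, so the generated rule set can be inspected without root. The external address 203.0.113.10 is a constructed placeholder; the VM name, guest address, ports and the virbr0 bridge are taken from the question, and the run_ipt, forward_rule and apply_hook helpers are my own names.

```shell
#!/bin/bash
# Added example, not the original poster's hook. Install as /etc/libvirt/hooks/qemu
# after replacing EXTERNAL_IP with the host's real public address.
EXTERNAL_IP="203.0.113.10"      # constructed placeholder for the host's public IP
GUEST_IP="192.168.122.100"      # guest address from the question
IPT="${IPT:-/sbin/iptables}"

# run_ipt prints the command when DRY_RUN=1, otherwise executes it.
run_ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# forward_rule ACTION GUEST_PORT HOST_PORT
# ACTION is -I (insert) or -D (delete). The DNAT rule matches only packets
# addressed to the public IP, so PREROUTING no longer catches the guest's own
# outbound connections to the same port. The FORWARD rule lets the redirected
# packets cross into virbr0, which libvirt's default chain would otherwise reject.
forward_rule() {
    action="$1"; guest_port="$2"; host_port="$3"
    run_ipt -t nat "$action" PREROUTING -p tcp -d "$EXTERNAL_IP/32" --dport "$host_port" \
        -j DNAT --to-destination "$GUEST_IP:$guest_port"
    run_ipt "$action" FORWARD -o virbr0 -p tcp -d "$GUEST_IP" --dport "$guest_port" -j ACCEPT
}

# apply_hook VMNAME EVENT mirrors the qemu hook convention: $1 is the VM, $2 the event.
apply_hook() {
    vm="$1"; event="$2"
    [ "$vm" = "win2k16" ] || return 0
    case "$event" in
        stopped|reconnect)
            forward_rule -D 3389 49305   # RDP
            forward_rule -D 25 25        # SMTP
            forward_rule -D 443 443      # HTTPS
            ;;
    esac
    case "$event" in
        start|reconnect)
            forward_rule -I 3389 49305
            forward_rule -I 25 25
            forward_rule -I 443 443
            ;;
    esac
}

# Only act when libvirt actually passes a VM name and event.
if [ "${DRY_RUN:-0}" != "1" ] && [ -n "${1:-}" ]; then
    apply_hook "$1" "${2:-}"
fi
```

Why the original rules broke outbound HTTPS: the nat PREROUTING chain is traversed by every packet entering the host, on virbr0 as well as on eth0. A rule that matches only on `-p tcp --dport 443` therefore also rewrote the guest's own connections to remote HTTPS servers, sending them back to the guest. Matching on the public destination address (as the answer does), or alternatively on the ingress interface with `-i eth0`, restricts the redirect to traffic that really arrives from outside. `DRY_RUN=1 ./qemu win2k16 start` prints the six rules that would be installed.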