Setup
On the host server running Debian Bookworm I created two VMs (pserver 192.168.122.227 and pagent-1 192.168.122.126) via Cockpit (KVM). Both are running Debian Bullseye. I am using the default network.
At this point everything works; I can reach the network from either of them.
Since I cannot use a bridge because I only have a single IPv4 address, I wanted to forward ports 80 and 443 from the host to pserver. So I created /etc/libvirt/hooks/qemu on the host:
#!/bin/bash
# Source: https://wiki.libvirt.org/Networking.html#Forwarding_Incoming_Connections
if [ "${1}" = "pserver" ]; then
    GUEST_IP=192.168.122.227
    if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
        /sbin/iptables -D FORWARD -o virbr0 -p tcp -d $GUEST_IP --dport 80 -j ACCEPT
        /sbin/iptables -t nat -D PREROUTING -p tcp --dport 80 -j DNAT --to $GUEST_IP:80
        /sbin/iptables -D FORWARD -o virbr0 -p tcp -d $GUEST_IP --dport 443 -j ACCEPT
        /sbin/iptables -t nat -D PREROUTING -p tcp --dport 443 -j DNAT --to $GUEST_IP:443
    fi
    if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
        /sbin/iptables -I FORWARD -o virbr0 -p tcp -d $GUEST_IP --dport 80 -j ACCEPT
        /sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to $GUEST_IP:80
        /sbin/iptables -I FORWARD -o virbr0 -p tcp -d $GUEST_IP --dport 443 -j ACCEPT
        /sbin/iptables -t nat -I PREROUTING -p tcp --dport 443 -j DNAT --to $GUEST_IP:443
    fi
fi
My problem
After this change, SSH from the host to both VMs works, but sudo apt update on pserver and on pagent-1 fails because it cannot reach deb.debian.org. On the host everything works fine.
On pserver:
sudo apt update
Err:1 http://deb.debian.org/debian bullseye InRelease
Cannot initiate the connection to debian.map.fastlydns.net:80 (2a04:4e42:8e::644). - connect (101: Network is unreachable) Could not connect to debian.map.fastlydns.net:80 (146.75.122.132), connection timed out Cannot initiate the connection to deb.debian.org:80 (2a04:4e42:8e::644). - connect (101: Network is unreachable)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
W: Failed to fetch http://deb.debian.org/debian/dists/bullseye/InRelease Cannot initiate the connection to debian.map.fastlydns.net:80 (2a04:4e42:8e::644). - connect (101: Network is unreachable) Could not connect to debian.map.fastlydns.net:80 (146.75.122.132), connection timed out Cannot initiate the connection to deb.debian.org:80 (2a04:4e42:8e::644). - connect (101: Network is unreachable)
W: Some index files failed to download. They have been ignored, or old ones used instead.
I can ping, but this does not work:
ping deb.debian.org
PING debian.map.fastlydns.net (146.75.122.132) 56(84) bytes of data.
64 bytes from 146.75.122.132 (146.75.122.132): icmp_seq=1 ttl=59 time=5.33 ms
64 bytes from 146.75.122.132 (146.75.122.132): icmp_seq=2 ttl=59 time=5.37 ms
wget http://deb.debian.org/debian/
--2023-11-24 10:52:59-- http://deb.debian.org/debian/
Resolving deb.debian.org (deb.debian.org)... 146.75.122.132, 2a04:4e42:8e::644
Connecting to deb.debian.org (deb.debian.org)|146.75.122.132|:80...
And there it hangs.
Did I accidentally make the iptables rules too broad, or perhaps overwrite some iptables rules?
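As an added example (not the poster's script and not the libvirt wiki's), the hook below narrows the rules so that the PREROUTING DNAT only matches packets arriving on the host's external interface, assumed here to be eth0; connections the VMs open out through virbr0 to a remote port 80 or 443 therefore no longer match the redirect.

```shell
#!/bin/bash
# Added example, not the poster's hook or the libvirt wiki's.
# Assumptions: the host's Internet-facing interface is eth0 (override with EXT_IF),
# the libvirt default bridge is virbr0, and the guest is pserver at 192.168.122.227.
EXT_IF="${EXT_IF:-eth0}"
BRIDGE="virbr0"
GUEST_IP="192.168.122.227"
IPT="${IPT:-/sbin/iptables}"   # set IPT=echo to dry-run and inspect the commands

# Print the two rules for one port. $1 is -I (insert) or -D (delete), $2 is the port.
# Both rules carry "-i $EXT_IF": packets that arrive on the bridge (VM-originated
# traffic to any remote port 80/443) never match, so only inbound connections
# from the outside are redirected to the guest.
port_rules() {
  local op="$1" port="$2"
  printf '%s\n' "$IPT -t nat $op PREROUTING -i $EXT_IF -p tcp --dport $port -j DNAT --to-destination $GUEST_IP:$port"
  printf '%s\n' "$IPT $op FORWARD -i $EXT_IF -o $BRIDGE -p tcp -d $GUEST_IP --dport $port -j ACCEPT"
}

# Run the rules for ports 80 and 443 with the given operation (-I or -D).
apply_rules() {
  local op="$1" port cmd
  for port in 80 443; do
    port_rules "$op" "$port" | while IFS= read -r cmd; do
      $cmd   # unquoted on purpose: the line is a space-separated command
    done
  done
}

# libvirt calls this hook as: qemu <guest name> <operation> <sub-operation> ...
if [ "${1:-}" = "pserver" ]; then
  case "${2:-}" in
    stopped|reconnect) apply_rules -D ;;
  esac
  case "${2:-}" in
    start|reconnect) apply_rules -I ;;
  esac
fi
```

With IPT=echo the hook prints the exact iptables commands it would run, which is a quick way to check the scope of each rule before installing it.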