I have a Dom0 with a mixed configuration: both bridged networking and NAT are set up. There is one NIC connected to the Internet (plus 3 unused ones).
Here is my interfaces file:
# The primary network interface
iface eth0 inet manual
auto xenbr0
iface xenbr0 inet static
bridge_ports eth0
address 83.149.69.150
gateway 83.149.69.190
netmask 255.255.255.192
iface xenbr0 inet6 static
address 2001:1AF8:3100:A00A:21::0000
netmask 64
gateway 2001:1AF8:3100:A00A::1
Here is the vif line from the xen config file of one of the VMs (domU):
vif = [ 'ip=83.149.69.154,mac=00:16:3E:5E:96:D7,script=vif-bridge,bridge=xenbr0', 'ip=172.16.1.20,mac=00:16:3E:5E:96:D8' ]
This produces two interfaces on the domU:
eth0 Link encap:Ethernet HWaddr 00:16:3e:5e:96:d7
inet addr:83.149.69.154 Bcast:83.149.69.191 Mask:255.255.255.192
inet6 addr: 2001:1af8:3100:a00a:21::4/64 Scope:Global
inet6 addr: fe80::216:3eff:fe5e:96d7/64 Scope:Link
[...]
eth1 Link encap:Ethernet HWaddr 00:16:3e:5e:96:d8
inet addr:172.16.1.20 Bcast:172.16.255.255 Mask:255.255.0.0
inet6 addr: fe80::216:3eff:fe5e:96d8/64 Scope:Link
[...]
But any connection made to these VMs appears to originate from the Dom0 (public) IP. I'm talking about connections to nginx, apache, ssh, openvpn, etc. The connecting client is always 83.149.69.150 (= reverse DNS: aleph.rootspirit.com).
For example, who:
# who
root pts/0 2014-06-14 14:47 (aleph.rootspirit.com)
or openvpn (note that all the addresses are 83.149.69.150):
OpenVPN CLIENT LIST
Updated,Sat Jun 14 14:51:12 2014
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
broserv,83.149.69.150:49545,356124,137293,Sat Jun 14 14:13:26 2014
pi,83.149.69.150:56293,322082,214456,Sat Jun 14 14:13:35 2014
heartbeat,83.149.69.150:42122,549631,1264272,Sat Jun 14 14:13:26 2014
industry,83.149.69.150:37885,759137,365405,Sat Jun 14 14:13:06 2014
What is causing this strange behaviour?
Edit:
I have this iptables rule:
iptables -t nat -A POSTROUTING -o xenbr0 -j MASQUERADE
When I remove that line, it works fine:
# who
root pts/0 2014-06-14 19:39 (213.219.144.38.adsl.dyn.edpnet.net)
But my VMs that only work through NAT can no longer reach the Internet:
# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 3999ms
iptables:
aleph /etc # iptables -L -nv
Chain INPUT (policy ACCEPT 3321 packets, 5903K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 1677 packets, 117K bytes)
pkts bytes target prot opt in out source destination
14511 3725K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged
18653 3752K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 1887 packets, 4659K bytes)
pkts bytes target prot opt in out source destination
aleph /etc # iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 1365 packets, 96941 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 83.149.69.128/26 tcp dpt:12223 to:172.16.1.1:22
2 124 DNAT tcp -- * * 0.0.0.0/0 83.149.69.128/26 tcp dpt:25 to:172.16.1.1
0 0 DNAT tcp -- * * 0.0.0.0/0 83.149.69.128/26 tcp dpt:53 to:172.16.1.1
558 38901 DNAT udp -- * * 0.0.0.0/0 83.149.69.128/26 udp dpt:53 to:172.16.1.1
2 128 DNAT tcp -- * * 0.0.0.0/0 83.149.69.128/26 tcp dpt:465 to:172.16.1.1
0 0 DNAT tcp -- * * 0.0.0.0/0 83.149.69.128/26 tcp dpt:4950 to:172.16.1.1
7 420 DNAT tcp -- * * 0.0.0.0/0 83.149.69.128/26 tcp dpt:110 to:172.16.1.1
2 104 DNAT tcp -- * * 0.0.0.0/0 83.149.69.128/26 tcp dpt:143 to:172.16.1.1
12 720 DNAT tcp -- * * 0.0.0.0/0 83.149.69.128/26 tcp dpt:993 to:172.16.1.1
4 208 DNAT tcp -- * * 0.0.0.0/0 83.149.69.128/26 tcp dpt:995 to:172.16.1.1
2 104 DNAT tcp -- * * 0.0.0.0/0 83.149.69.128/26 tcp dpt:21 to:172.16.1.2
0 0 DNAT tcp -- * * 0.0.0.0/0 83.149.69.128/26 tcp dpt:2121 to:172.16.1.2:21
0 0 DNAT tcp -- * * 0.0.0.0/0 83.149.69.128/26 tcp dpt:20 to:172.16.1.2
0 0 DNAT tcp -- * * 0.0.0.0/0 83.149.69.128/26 tcp dpt:4951 to:172.16.1.2
0 0 DNAT tcp -- * * 0.0.0.0/0 83.149.69.128/26 tcp dpts:50000:51000 to:172.16.1.2
5 300 DNAT tcp -- * * 0.0.0.0/0 83.149.69.128/26 tcp dpt:12222 to:172.16.1.2:22
Chain INPUT (policy ACCEPT 48 packets, 2802 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 58 packets, 3688 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 637 packets, 43589 bytes)
pkts bytes target prot opt in out source destination
1320 94863 MASQUERADE all -- * xenbr0 0.0.0.0/0 0.0.0.0/0
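As an added illustration (not part of the question or of any answer on this page), the following Python model reproduces the nat POSTROUTING decision for the two flows that matter above. It assumes what the --physdev-is-bridged rule in the FORWARD chain implies: br_netfilter is active (net.bridge.bridge-nf-call-iptables=1), so a frame that dom0 merely bridges to a domU still traverses iptables with xenbr0 as its out-interface. The rule `-o xenbr0 -j MASQUERADE` therefore also matches an external client's connection to 83.149.69.154 and rewrites its source to 83.149.69.150, which is exactly what the who and OpenVPN output shows. The model compares that rule with the asker's experiment of deleting it, with two narrower forms (`-s 172.16.0.0/16 -o xenbr0 -j MASQUERADE` and `! -d 83.149.69.128/26 -o xenbr0 -j MASQUERADE`), and with the alternative of turning bridge-nf off. The client address 213.219.144.38 and the NAT-only domU 172.16.1.20 are taken from the page; the flow and rule-set names are the example's own.

```python
"""Model of the nat POSTROUTING decision for the dom0 in the question.

Added example, not code from the question or from any answer. Assumption:
br_netfilter is active (net.bridge.bridge-nf-call-iptables=1), so a frame
that dom0 only bridges to a domU is still evaluated by iptables with the
bridge (xenbr0) as its out-interface.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Addresses from the question; the flow names below are constructed.
DOM0_PUBLIC = "83.149.69.150"
PUBLIC_NET = "83.149.69.128/26"
PRIVATE_NET = "172.16.0.0/16"
IFACE_ADDR = {"xenbr0": DOM0_PUBLIC}   # primary address MASQUERADE picks


@dataclass
class Packet:
    src: str
    dst: str
    out: str        # out-interface as seen in POSTROUTING
    bridged: bool   # True: dom0 only bridges the frame; False: dom0 routes it


@dataclass
class Rule:
    """One nat POSTROUTING rule: -o OUT [-s SRC] [[!] -d DST] -j TARGET."""
    out: str
    target: str
    src: Optional[str] = None
    dst: Optional[str] = None
    dst_negate: bool = False

    def matches(self, pkt: Packet) -> bool:
        if pkt.out != self.out:
            return False
        if self.src and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst:
            in_dst = ip_address(pkt.dst) in ip_network(self.dst)
            if in_dst == self.dst_negate:   # plain -d needs in_dst, ! -d needs not in_dst
                return False
        return True


def postrouting(pkt: Packet, rules: List[Rule], bridge_nf: bool = True) -> str:
    """Return the packet's source address after the chain (first match wins)."""
    if pkt.bridged and not bridge_nf:
        return pkt.src                      # chain never runs for bridged frames
    for rule in rules:
        if rule.matches(pkt):
            if rule.target == "MASQUERADE":
                return IFACE_ADDR[pkt.out]  # rewrite to the out-interface's address
            return pkt.src                  # any other target: leave it alone
    return pkt.src


# The two flows that matter on the page (constructed from the page's addresses).
FLOWS = {
    # external client (from the asker's second 'who' output) -> bridged domU
    "client->bridged domU": Packet("213.219.144.38", "83.149.69.154", "xenbr0", bridged=True),
    # NAT-only domU -> Internet, routed by dom0 and in need of masquerading
    "nat domU->internet": Packet("172.16.1.20", "8.8.8.8", "xenbr0", bridged=False),
}

RULESETS = {
    # the rule from the question
    "broad":      [Rule(out="xenbr0", target="MASQUERADE")],
    # the asker's experiment: rule deleted
    "none":       [],
    # only masquerade what really comes from the private range
    "narrow-src": [Rule(out="xenbr0", target="MASQUERADE", src=PRIVATE_NET)],
    # only masquerade what is not headed into the public /26
    "narrow-dst": [Rule(out="xenbr0", target="MASQUERADE", dst=PUBLIC_NET, dst_negate=True)],
}


def evaluate(ruleset: str, bridge_nf: bool = True) -> Dict[str, str]:
    """Resulting source address per flow for one rule set."""
    return {name: postrouting(pkt, RULESETS[ruleset], bridge_nf)
            for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for name in RULESETS:
        print(f"{name:11s} {evaluate(name)}")
    print(f"{'broad/nobrnf':11s} {evaluate('broad', bridge_nf=False)}")
```

The output shows the trade-off behind the asker's two observations: the broad rule masquerades both flows, so external clients appear as 83.149.69.150; deleting it restores the client address but leaves 172.16.1.20 with a private source that nothing upstream can answer, which is why the ping to 8.8.8.8 failed. Either narrowed rule keeps the NAT-only domUs working and leaves bridged traffic untouched. Disabling bridge-nf-call-iptables would also stop the rewrite, but then the --physdev-is-bridged FORWARD rule above no longer sees any bridged traffic either.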
This happens because your Dom0 has no dedicated private network interface.
You should set up separate bridges for the internal and the public IP addresses.
Something like this:
Then, respectively, in your domU configs:
That way your dom0 will have separate IP addresses on the internal and the public network.
Edit: in addition to the configuration above, use this NAT rule: