到桥接 domU 的所有连接都源自 dom0 公共 IP，而不是真实 IP

我有一个混合配置的 Dom0：桥接网络和 NAT 已设置。有一个 NIC 连接到 Internet（还有 3 个未使用）。

这是我的接口文件：

# The primary network interface
iface eth0 inet manual

auto xenbr0
iface xenbr0 inet static
    bridge_ports eth0
    address 83.149.69.150
    gateway 83.149.69.190
    netmask 255.255.255.192

iface xenbr0 inet6 static
    address 2001:1AF8:3100:A00A:21::0000
    netmask 64
    gateway 2001:1AF8:3100:A00A::1

这是其中一个 VM (domU) 的 xen 配置文件中的 vif 行：

vif = [ 'ip=83.149.69.154,mac=00:16:3E:5E:96:D7,script=vif-bridge,bridge=xenbr0', 'ip=172.16.1.20,mac=00:16:3E:5E:96:D8' ]

这会在 domU 上产生两个接口：

eth0      Link encap:Ethernet  HWaddr 00:16:3e:5e:96:d7  
          inet addr:83.149.69.154  Bcast:83.149.69.191  Mask:255.255.255.192
          inet6 addr: 2001:1af8:3100:a00a:21::4/64 Scope:Global
          inet6 addr: fe80::216:3eff:fe5e:96d7/64 Scope:Link
          [...]

eth1      Link encap:Ethernet  HWaddr 00:16:3e:5e:96:d8  
          inet addr:172.16.1.20  Bcast:172.16.255.255  Mask:255.255.0.0
          inet6 addr: fe80::216:3eff:fe5e:96d8/64 Scope:Link
          [...]

但是，与这些 VM 建立的任何连接似乎都源自 Dom0（公共）IP。我说的是与 nginx、apache、ssh、openvpn 等的连接。连接客户端始终是83.149.69.150(= reverse dns: aleph.rootspirit.com)

例如who：

# who
root     pts/0        2014-06-14 14:47 (aleph.rootspirit.com)

或 openvpn（检查所有83.149.69.150地址）：

OpenVPN CLIENT LIST
Updated,Sat Jun 14 14:51:12 2014
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
broserv,83.149.69.150:49545,356124,137293,Sat Jun 14 14:13:26 2014
pi,83.149.69.150:56293,322082,214456,Sat Jun 14 14:13:35 2014
heartbeat,83.149.69.150:42122,549631,1264272,Sat Jun 14 14:13:26 2014
industry,83.149.69.150:37885,759137,365405,Sat Jun 14 14:13:06 2014

是什么导致了这种奇怪的行为？

编辑：

我有这个iptables：

iptables -t nat -A POSTROUTING -o xenbr0 -j MASQUERADE

当我删除该行时，它工作正常：

# who
root     pts/0        2014-06-14 19:39 (213.219.144.38.adsl.dyn.edpnet.net)

但是，我的仅通过 NAT 运行的 VM 无法再访问 Internet：

# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 3999ms

iptables：

aleph /etc # iptables -L -nv
Chain INPUT (policy ACCEPT 3321 packets, 5903K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 1677 packets, 117K bytes)
 pkts bytes target     prot opt in     out     source               destination         
14511 3725K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-is-bridged
18653 3752K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 1887 packets, 4659K bytes)
 pkts bytes target     prot opt in     out     source               destination         
aleph /etc # iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 1365 packets, 96941 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:12223 to:172.16.1.1:22
    2   124 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:25 to:172.16.1.1
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:53 to:172.16.1.1
  558 38901 DNAT       udp  --  *      *       0.0.0.0/0            83.149.69.128/26     udp dpt:53 to:172.16.1.1
    2   128 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:465 to:172.16.1.1
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:4950 to:172.16.1.1
    7   420 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:110 to:172.16.1.1
    2   104 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:143 to:172.16.1.1
   12   720 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:993 to:172.16.1.1
    4   208 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:995 to:172.16.1.1
    2   104 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:21 to:172.16.1.2
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:2121 to:172.16.1.2:21
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:20 to:172.16.1.2
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:4951 to:172.16.1.2
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpts:50000:51000 to:172.16.1.2
    5   300 DNAT       tcp  --  *      *       0.0.0.0/0            83.149.69.128/26     tcp dpt:12222 to:172.16.1.2:22

Chain INPUT (policy ACCEPT 48 packets, 2802 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 58 packets, 3688 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 637 packets, 43589 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1320 94863 MASQUERADE  all  --  *      xenbr0  0.0.0.0/0            0.0.0.0/0