win10 172.16.10.32/24: can reach the external network
centos 172.16.10.25/24: NIC problem on this machine, cannot reach the external network
Host (controller) 172.16.10.21/24
1. Find the virtual bridge NIC that belongs to the VM (vnic4.0)
2. Find the corresponding reference (sg-default) in the FORWARD chain
172.16.10.21/24
Commands
iptables -N creates a new chain
iptables -N vnic4.0-in (virtual-NIC-name-in)
iptables -N vnic4.0-out (virtual-NIC-name-out)
iptables -A sg-default -m physdev --physdev-out vnic4.0 --physdev-is-bridged -j vnic4.0-in
Match frames that the bridge sends out (--physdev-out) through the virtual NIC vnic4.0 while bridged (--physdev-is-bridged) and jump (-j) to the vnic4.0-in chain
iptables -A sg-default -m physdev --physdev-in vnic4.0 --physdev-is-bridged -j vnic4.0-out
Create a rule in sg-default
Match frames that the bridge receives (--physdev-in) from the virtual NIC vnic4.0 while bridged (--physdev-is-bridged) and jump (-j) to the vnic4.0-out chain
If the FORWARD chain has no corresponding forwarding rule
Create the chain
iptables -N sg-default
Create the chain and add it to the FORWARD table: iptables -A FORWARD -m physdev --physdev-is-bridged -j sg-cc
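Added example, not from the original notes: a small POSIX sh audit that reads an iptables -nL listing and checks that the three hooks built in the steps above are present (FORWARD -> sg-default, sg-default -> vnic4.0-in via --physdev-out, sg-default -> vnic4.0-out via --physdev-in), and that the per-VNIC jump sits above the catch-all ACCEPT at the end of sg-default, since a jump appended with -A below that ACCEPT never sees a packet. The chain names follow the notes; the listings inside the script are constructed samples, so it runs without root and without touching a live firewall.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit an `iptables -nL`
# listing to confirm that a VM's virtual NIC is wired into the bridged
# security-group chain the way the steps above build it.
# Chain names (sg-default, vnic4.0-in, vnic4.0-out) follow the notes; the two
# listings below are constructed samples, so nothing here touches a live host.

# Constructed sample: FORWARD hooks sg-default, sg-default jumps to vnic4.0-in,
# but the vnic4.0-out hook was never added.
SAMPLE_LISTING='Chain FORWARD (policy ACCEPT)
target prot opt source destination
sg-default all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged

Chain sg-default (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
vnic4.0-in all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vnic4.0 --physdev-is-bridged
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain vnic4.0-in (1 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
'

# Constructed sample of a common mistake: the per-VNIC jump was appended with
# -A after the catch-all ACCEPT, so it never sees a packet.
SAMPLE_MISWIRED='Chain sg-default (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
vnic4.0-in all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vnic4.0 --physdev-is-bridged
'

# rules_in_chain LISTING CHAIN: print only the rule lines of CHAIN
rules_in_chain() {
  printf '%s\n' "$1" | awk -v chain="$2" '
    /^Chain / { inchain = ($2 == chain); next }
    inchain && !/^target / && NF > 0 { print }'
}

# chain_refers_to LISTING CHAIN TARGET: succeed if a rule in CHAIN jumps to TARGET
chain_refers_to() {
  rules_in_chain "$1" "$2" | awk -v t="$3" '$1 == t { found = 1 } END { exit found ? 0 : 1 }'
}

# jump_precedes_catchall LISTING CHAIN TARGET: succeed if the jump to TARGET sits
# above the unconditional "ACCEPT all" (a rule with no match columns) in CHAIN
jump_precedes_catchall() {
  rules_in_chain "$1" "$2" | awk -v t="$3" '
    $1 == t && !jump { jump = NR }
    $1 == "ACCEPT" && $2 == "all" && NF == 5 && !catch { catch = NR }
    END { exit (jump && (!catch || jump < catch)) ? 0 : 1 }'
}

# vnic_wired LISTING VNIC SG: check the three hooks the steps above create,
# print the command for each one that is missing, and return how many are
# missing (0 means the VNIC is fully wired into SG)
vnic_wired() {
  listing=$1; vnic=$2; sg=$3; missing=0
  chain_refers_to "$listing" FORWARD "$sg" ||
    { echo "missing: iptables -A FORWARD -m physdev --physdev-is-bridged -j $sg"; missing=$((missing + 1)); }
  chain_refers_to "$listing" "$sg" "$vnic-in" ||
    { echo "missing: iptables -A $sg -m physdev --physdev-out $vnic --physdev-is-bridged -j $vnic-in"; missing=$((missing + 1)); }
  chain_refers_to "$listing" "$sg" "$vnic-out" ||
    { echo "missing: iptables -A $sg -m physdev --physdev-in $vnic --physdev-is-bridged -j $vnic-out"; missing=$((missing + 1)); }
  return "$missing"
}

# Stand-alone run on the constructed listing; on a real host pass
# "$(iptables -nL)" as the first argument instead.
vnic_wired "$SAMPLE_LISTING" vnic4.0 sg-default || echo "$? hook(s) missing"
```

The ordering check matters because sg-default in the listing below ends with an unconditional ACCEPT: the vnic4.0-in and vnic4.0-out jumps only take effect if they are placed above it, so after wiring a new VNIC it is worth re-reading the chain rather than trusting that the -A commands succeeded.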
[root@172-16-10-28 qemu]# iptables -nL
Chain FORWARD (policy ACCEPT)
target prot opt source destination
sg-default all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged
iptables -N sg-default
iptables -A FORWARD -m physdev --physdev-is-bridged -j sg-default
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain sg-default (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged udp spt:68 dpt:67
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged udp spt:67 dpt:68
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged udp dpt:53
vnic4.0-in all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vnic4.0 --physdev-is-bridged
vnic4.0-out all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnic4.0 --physdev-is-bridged
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
iptables -A sg-default -m physdev --physdev-out vnic4.0 --physdev-is-bridged -j vnic4.0-in
iptables -A sg-default -m physdev --physdev-in vnic4.0 --physdev-is-bridged -j vnic4.0-out
Chain vm-10-vnc (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 172.16.10.0/24
REJECT all -- 0.0.0.0/0 !172.16.10.0/24 reject-with icmp-host-prohibited
Chain vm-4-vnc (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 172.16.10.0/24
REJECT all -- 0.0.0.0/0 !172.16.10.0/24 reject-with icmp-host-prohibited
Chain vnic4.0-in (1 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
iptables -A vnic4.0-in -j DROP
Chain vnic4.0-out (1 references)
target prot opt source destination
DROP all -- 172.16.10.0/24 172.16.10.0/24
RETURN all -- 0.0.0.0/0 0.0.0.0/0
iptables -A vnic4.0-out -s 172.16.10.0/24 -d 172.16.10.0/24 -j DROP
iptables -A vnic4.0-out -j RETURN
536 2020-11-27 23:16:50 iptables -X vnic4.0-in
537 2020-11-27 23:17:04 iptables -X vnic4.0-out
Chain FORWARD (policy ACCEPT)
target prot opt source destination
sg-default all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain sg-default (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged udp spt:68 dpt:67
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged udp spt:67 dpt:68
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged udp dpt:53
vnic4.0-in all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vnic4.0 --physdev-is-bridged
vnic4.0-out all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnic4.0 --physdev-is-bridged
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain vm-10-vnc (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 172.16.10.0/24
REJECT all -- 0.0.0.0/0 !172.16.10.0/24 reject-with icmp-host-prohibited
Chain vm-4-vnc (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 172.16.10.0/24
REJECT all -- 0.0.0.0/0 !172.16.10.0/24 reject-with icmp-host-prohibited
Chain vnic4.0-in (1 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain vnic4.0-out (1 references)