win10 172.16.10.32 /24 可以访问外网
centos 172.16.10.25 /24 机器网卡问题无法访问 外网
宿主机 172.16.10.21 /24
1、 找到虚拟机对应的虚拟链网卡(vnic4.0)
2、 找到转发(FORWARD)链路中的对应引用(sg-default)的
172.16.10.21/24
命令
iptables –N 创建新的链路规则
iptables -N vnic4.0-in(虚拟网卡名-in)
iptables -N vnic4.0-out (虚拟网卡名-out)
iptables -A sg-default -m physdev --physdev-out vnic4.0 --physdev-is-bridged -j vnic4.0-in
物理设备出physdev --physdev-in 到 虚拟网卡vnic4.0 物理网卡模式--physdev-is-bridged –j 应用于vnic4.0-int 链路
iptables -A sg-default -m physdev --physdev-in vnic4.0 --physdev-is-bridged -j vnic4.0-out
在sg-default 新建一条规则
物理设备出physdev --physdev-in 到 虚拟网卡vnic4.0 物理网卡模式--physdev-is-bridged –j 应用于vnic4.0-out 链路
如果转发链路FORWARD 没有对应的转发规则
新建链接
Iptables –N sg-default
新建链加入转发表iptables -A FORWARD -m physdev --physdev-is-bridged -j sg-cc
[root@172-16-10-28 qemu]# iptables -nL
Chain FORWARD (policy ACCEPT)
target prot opt source destination
sg-default all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged
Iptables –N sg-default
iptables -A FORWARD -m physdev --physdev-is-bridged -j sg-default
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain sg-default (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged udp spt:68 dpt:67
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged udp spt:67 dpt:68
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged udp dpt:53
vnic4.0-in all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vnic4.0 --physdev-is-bridged
vnic4.0-out all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnic4.0 --physdev-is-bridged
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
iptables -A sg-default -m physdev --physdev-out vnic4.0 --physdev-is-bridged -j vnic4.0-in
iptables -A sg-default -m physdev --physdev-in vnic4.0 --physdev-is-bridged -j vnic4.0-out
Chain vm-10-vnc (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 172.16.10.0/24
REJECT all -- 0.0.0.0/0 !172.16.10.0/24 reject-with icmp-host-prohibited
Chain vm-4-vnc (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 172.16.10.0/24
REJECT all -- 0.0.0.0/0 !172.16.10.0/24 reject-with icmp-host-prohibited
Chain vnic4.0-in (1 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
iptables -A vnic4.0-in -j DROP
Chain vnic4.0-out (1 references)
target prot opt source destination
DROP all -- 172.16.10.0/24 172.16.10.0/24
RETURN all -- 0.0.0.0/0 0.0.0.0/0
iptables -A vnic4.0-out -s 172.16.10.0/24 -d 172.16.10.0/24 -j DROP
iptables -A vnic4.0-out -j RETURN
536 2020-11-27 23:16:50 iptables -X vnic4.0-in
537 2020-11-27 23:17:04 iptables -X vnic4.0-out
Chain FORWARD (policy ACCEPT)
target prot opt source destination
sg-default all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain sg-default (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged udp spt:68 dpt:67
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged udp spt:67 dpt:68
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged udp dpt:53
vnic4.0-in all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vnic4.0 --physdev-is-bridged
vnic4.0-out all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnic4.0 --physdev-is-bridged
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain vm-10-vnc (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 172.16.10.0/24
REJECT all -- 0.0.0.0/0 !172.16.10.0/24 reject-with icmp-host-prohibited
Chain vm-4-vnc (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 172.16.10.0/24
REJECT all -- 0.0.0.0/0 !172.16.10.0/24 reject-with icmp-host-prohibited
Chain vnic4.0-in (1 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain vnic4.0-out (1 references)