Posted to users-cn@cloudstack.apache.org by 谢福平 <75...@qq.com> on 2014/05/15 03:42:18 UTC

Host firewall causes VMs to become unreachable

Steps taken
 1. The VMs are fine and can be pinged.
 2. Create a new VM; say the host it lands on is A.
 3. The existing VMs on host A can no longer be pinged; the new VM is fine.
 4. Stop the host firewall: every VM on A can be pinged again.
 5. After a while the firewall on A comes back up by itself, and all VMs can still be pinged normally.

 In summary: only at the moment a new VM is created do the existing VMs on the host where the new VM lands become unpingable; the new VM itself is fine.
 The firewall state on the host looks like this:
 [root@iad-kvm-1 ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
 Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    BF-br-guest  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged 
2    BF-br-guest  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged 
3    DROP       all  --  0.0.0.0/0            0.0.0.0/0           
4    DROP       all  --  0.0.0.0/0            0.0.0.0/0           
 Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
 Chain BF-br-guest (2 references)
num  target     prot opt source               destination         
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
2    BF-br-guest-IN  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-in --physdev-is-bridged 
3    BF-br-guest-OUT  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-out --physdev-is-bridged 
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth1 --physdev-is-bridged 
 Chain BF-br-guest-IN (1 references)
num  target     prot opt source               destination         
1    i-2-505-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vnet6 --physdev-is-bridged 
 Chain BF-br-guest-OUT (1 references)
num  target     prot opt source               destination         
1    i-2-505-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vnet6 --physdev-is-bridged 
 Chain i-2-505-VM (1 references)
num  target     prot opt source               destination         
1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:1:65535 state NEW 
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:1:65535 state NEW 
3    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255 
4    DROP       all  --  0.0.0.0/0            0.0.0.0/0           
 Chain i-2-505-VM-eg (1 references)
num  target     prot opt source               destination         
1    RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:1:65535 state NEW 
2    RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:1:65535 state NEW 
3    RETURN     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255 
4    DROP       all  --  0.0.0.0/0            0.0.0.0/0           
 Chain i-2-505-def (2 references)
num  target     prot opt source               destination         
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vnet6 --physdev-is-bridged udp spt:68 dpt:67 
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vnet6 --physdev-is-bridged udp spt:67 dpt:68 
4    RETURN     udp  --  10.5.26.96           0.0.0.0/0           PHYSDEV match --physdev-in vnet6 --physdev-is-bridged udp dpt:53 
5    i-2-505-VM-eg  all  --  10.5.26.96           0.0.0.0/0           PHYSDEV match --physdev-in vnet6 --physdev-is-bridged 
6    i-2-505-VM  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vnet6 --physdev-is-bridged
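
The dump above references a single guest interface, vnet6 (chain i-2-505-def), in BF-br-guest-IN and BF-br-guest-OUT, while FORWARD ends in two unconditional DROP rules. A bridge port that has no per-VM jump in those two chains therefore falls through to DROP for anything that is not RELATED,ESTABLISHED or leaving via eth1. The script below is an added example, not part of the original post and not CloudStack's own agent code: it parses `iptables -L -n --line-numbers` output (what `service iptables status` prints), lists the ports that have a per-VM jump, and reports bridge ports that lack one. The sample rules are a constructed excerpt of the dump above; the port list (vnet6 plus a hypothetical vnet7) is constructed too.

```python
import re

# Constructed sample: the FORWARD and BF-br-guest-IN/OUT chains from the dump
# above (only vnet6 / i-2-505 is programmed). On a host, replace with the
# output of `iptables -L -n --line-numbers`.
SAMPLE_IPTABLES = """\
Table: filter
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    BF-br-guest  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged
2    BF-br-guest  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged
3    DROP       all  --  0.0.0.0/0            0.0.0.0/0
4    DROP       all  --  0.0.0.0/0            0.0.0.0/0
Chain BF-br-guest-IN (1 references)
num  target     prot opt source               destination
1    i-2-505-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vnet6 --physdev-is-bridged
Chain BF-br-guest-OUT (1 references)
num  target     prot opt source               destination
1    i-2-505-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vnet6 --physdev-is-bridged
"""

# Constructed: ports attached to br-guest. vnet6 is the VM in the dump; vnet7 is
# a hypothetical second VM on the same host. On a real host use
# os.listdir("/sys/class/net/br-guest/brif").
BRIDGE_PORTS = ["vnet6", "vnet7"]

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
PHYSDEV_RE = re.compile(r"--physdev-(in|out) (\S+)")
FORWARD_DROP_RE = re.compile(r"^\d+\s+DROP\s+all\s+--\s+0\.0\.0\.0/0\s+0\.0\.0\.0/0$")


def parse_chains(text):
    """{chain_name: [rule line, ...]} from iptables -L -n --line-numbers output."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Table:") or line.startswith("num "):
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current is not None:
            chains[current].append(line)
    return chains


def programmed_ports(chains, bridge):
    """Ports that have a per-VM jump in BF-<bridge>-IN (ingress) / -OUT (egress)."""
    found = {"in": set(), "out": set()}
    for direction in ("IN", "OUT"):
        for rule in chains.get(f"BF-{bridge}-{direction}", []):
            for d, port in PHYSDEV_RE.findall(rule):
                found[d].add(port)
    return found


def forward_drops_unmatched(chains):
    """True if FORWARD ends in an unconditional DROP, so a bridged frame that
    matched nothing in BF-<bridge> is discarded instead of hitting the policy."""
    return any(FORWARD_DROP_RE.match(r) for r in chains.get("FORWARD", []))


def unprotected_ports(text, bridge, bridge_ports):
    """[(port, [missing directions])] for bridge ports with no per-VM chain."""
    seen = programmed_ports(parse_chains(text), bridge)
    result = []
    for port in bridge_ports:
        gaps = [d for d in ("in", "out") if port not in seen[d]]
        if gaps:
            result.append((port, gaps))
    return result


def report(text, bridge, bridge_ports):
    """Human-readable summary; only the first line means every port is covered."""
    drops = forward_drops_unmatched(parse_chains(text))
    lines = [f"FORWARD drops unmatched bridged traffic: {drops}"]
    for port, gaps in unprotected_ports(text, bridge, bridge_ports):
        lines.append(f"{port}: no per-VM jump for {'/'.join(gaps)}"
                     + (" -> NEW traffic to/from it is dropped" if drops else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_IPTABLES, "br-guest", BRIDGE_PORTS)))
```

On a live KVM host, run it right after a new VM has been started on that host (the moment the report above says the other VMs stop answering) and feed `report()` the real `iptables -L -n --line-numbers` output plus the entries of `/sys/class/net/br-guest/brif/`: any port it lists is a VM whose chains were not (re)installed, and the agent log on that host is the next place to look.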

Re: Host firewall causes VMs to become unreachable

Posted by Adagio <68...@qq.com>.
I am struggling with this network right now; the steps are as follows:
1. CS 4.3: created a shared-network-based network offering with Source NAT and Port Forwarding,
2. created a shared network on that offering,
3. created VMs on that shared network; at the same time the system automatically created a VR, and the VR obtained a public IP.

Problem: the VR can ping the Internet, VMs in the same subnet can ping the VR, and the VR can ping the VMs, but the VMs cannot ping the Internet.

I also changed the network's firewall rules and added 0.0.0.0/0, but the VMs still cannot ping the Internet.

At the same time, VMs created on the system's built-in shared network can ping the Internet.

Sigh, I can't figure it out....

Also, the public IPs entered when creating the zone were assigned to the system account; when I try to add an account to those IPs it reports that they are already allocated. How do I change that? In the port-forwarding settings I need to pick the VM that a public IP forwards to, but none of the VMs I created belong to the system account...
Sigh, I can't figure this one out either.

Would the gurus please give me a few pointers....




------------------ Original message ------------------
From: "谢福平";<75...@qq.com>;
Sent: Thursday, 15 May 2014, 9:42 AM
To: "users-cn"<us...@cloudstack.apache.org>;

Subject: Host firewall causes VMs to become unreachable




Re: Re: Host firewall causes VMs to become unreachable

Posted by 谢福平 <75...@qq.com>.
4.0.2
KVM hosts

------------------ Original message ------------------
From: "zhangyan";<zy...@neusoft.com>;
Sent: Friday, 16 May 2014, 10:06 AM
To: "users-cn"<us...@cloudstack.apache.org>;

Subject: Re: Host firewall causes VMs to become unreachable

 

Which CloudStack version is this, and which hypervisor type?

-----Original Message-----
From: 谢福平 [mailto:754282701@qq.com]
Sent: 15 May 2014 9:42
To: users-cn
Subject: Host firewall causes VMs to become unreachable


---------------------------------------------------------------------------------------------------
Confidentiality Notice: The information contained in this e-mail and any accompanying attachment(s) 
is intended only for the use of the intended recipient and may be confidential and/or privileged of 
Neusoft Corporation, its subsidiaries and/or its affiliates. If any reader of this communication is 
not the intended recipient, unauthorized use, forwarding, printing,  storing, disclosure or copying 
is strictly prohibited, and may be unlawful.If you have received this communication in error,please 
immediately notify the sender by return e-mail, and delete the original message and all copies from 
your system. Thank you. 
---------------------------------------------------------------------------------------------------

Re: Host firewall causes VMs to become unreachable

Posted by zhangyan <zy...@neusoft.com>.
Which CloudStack version is this, and which hypervisor type?

-----Original Message-----
From: 谢福平 [mailto:754282701@qq.com]
Sent: 15 May 2014 9:42
To: users-cn
Subject: Host firewall causes VMs to become unreachable



Re: Host firewall causes VMs to become unreachable

Posted by "linuxbqj@gmail.com" <li...@gmail.com>.
Are you using basic networking or advanced networking?
How many machines?

2014-05-15 9:42 GMT+08:00 谢福平 <75...@qq.com>:



-- 
白清杰 (Born Bai)

北京开源愿景信息技术有限公司

Mail: linuxbqj@gmail.com

Re: Host firewall causes VMs to become unreachable

Posted by "liufei68886@gmail.com" <li...@gmail.com>.
Doing it this way is a problem: once your physical host has to reboot, any VM created on it that gets shut down afterwards will never start again, because many of its ports are configured through iptables. The correct approach is to configure the security group rules inside CS.




liufei68886@gmail.com

From: 谢福平
Sent: 2014-05-15 09:42
To: users-cn
Subject: Host firewall causes VMs to become unreachable
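
The reply above points at the right control plane: in a security-groups-enabled zone the per-VM chains in the dump (i-2-505-VM and friends) are generated by CloudStack from the rules authorized through its API or UI, so the ICMP rule belongs there rather than in the host's iptables. The script below is an added example, not part of the original thread and not CloudStack's own tooling: it builds a signed authorizeSecurityGroupIngress request that allows all ICMP into a security group, using the request-signing scheme from the CloudStack developer guide (parameters URL-encoded, sorted by name, lower-cased, HMAC-SHA1 with the secret key, base64). The resulting rule is what shows up on the host as `icmp type 255` in the VM's chain (iptables' rendering of `--icmp-type any`). The endpoint, API key, secret key and security group name are placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote_plus, urlencode

# Hypothetical endpoint and credentials; take the real key pair from the
# CloudStack UI (Accounts -> user -> generate keys) and keep the secret out of
# source control.
API_URL = "https://cloudstack.example.invalid:8443/client/api"
API_KEY = "example-api-key"
SECRET_KEY = "example-secret-key"


def _encode(value):
    """URL-encode the way the server does before verifying: quote, then '+' -> '%20'."""
    return quote_plus(str(value), safe="*").replace("+", "%20")


def signing_string(params, api_key):
    """The string CloudStack signs: all parameters (apikey and command included,
    signature excluded) as k=v, joined with '&', sorted by key, lower-cased."""
    items = dict(params, apikey=api_key)
    ordered = sorted(items.items(), key=lambda kv: kv[0].lower())
    return "&".join(f"{k}={_encode(v)}" for k, v in ordered).lower()


def sign(params, api_key, secret_key):
    """Base64(HMAC-SHA1(secret, signing_string))."""
    mac = hmac.new(secret_key.encode(), signing_string(params, api_key).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_request(command, api_url, api_key, secret_key, **params):
    """Full GET URL. The query carries the original-case values; only the
    signature is computed over the lower-cased form."""
    params = dict(params, command=command, response="json")
    signature = sign(params, api_key, secret_key)
    return f"{api_url}?{urlencode(dict(params, apikey=api_key, signature=signature))}"


def allow_icmp_ingress(group="default", cidr="0.0.0.0/0"):
    """authorizeSecurityGroupIngress allowing every ICMP type/code (-1 = any)
    from `cidr` into security group `group`."""
    return build_request(
        "authorizeSecurityGroupIngress", API_URL, API_KEY, SECRET_KEY,
        securitygroupname=group, protocol="icmp", icmptype="-1", icmpcode="-1",
        cidrlist=cidr,
    )


if __name__ == "__main__":
    print(allow_icmp_ingress())
```

Fetch the returned URL with `urllib.request.urlopen` or curl against the management server, over HTTPS since the API key rides in the query string. authorizeSecurityGroupIngress is asynchronous: the response carries a job id to poll with queryAsyncJobResult. Once the rule exists, the management server pushes it to every host running a VM in that group, and it is pushed again after a host restart, which is what a hand-edited host iptables cannot promise.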