Posted to users-cn@cloudstack.apache.org by 谢福平 <75...@qq.com> on 2014/04/29 05:43:49 UTC

VM network unreachable

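Problem description:
       When a new VM is created in the cluster and it is placed on host A, the VMs already on host A can no longer be pinged;
       If host A's firewall is then turned off, the unreachable VMs can be pinged again. After host A's firewall comes back up automatically, all VMs also run normally and the ping failures do not occur.
 The contents of the iptables file are as follows: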
[root@pcs-kvm-3 cloud]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Sat Apr 12 17:52:24 2014
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sat Apr 12 17:52:24 2014
# Generated by iptables-save v1.4.7 on Sat Apr 12 17:52:24 2014
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill 
COMMIT
# Completed on Sat Apr 12 17:52:24 2014
# Generated by iptables-save v1.4.7 on Sat Apr 12 17:52:24 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT 
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 49152:49216 -j ACCEPT 
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT 
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 5900:6100 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 16509 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable 
COMMIT
# Completed on Sat Apr 12 17:52:24 2014
 [root@pcs-kvm-3 cloud]#

Re: Reply: VM network unreachable

Posted by "linuxbqj@gmail.com" <li...@gmail.com>.
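Is it the same on the other physical hosts?
I suggest comparing the rules in effect while the firewall is off with the rules after the firewall comes back up automatically, and looking at the differences.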

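On April 29, 2014 at 1:53 PM, 谢福平 <75...@qq.com> wrote:
> They are all the same;
>
>  We cannot switch to a different virtualization platform; it is in use
>
>  ------------------ Original message ------------------
>   From: "linuxbqj@gmail.com";<li...@gmail.com>;
>  Sent: April 29, 2014 (Tuesday) 11:59 AM
>  To: "users-cn"<us...@cloudstack.apache.org>;
>
>  Subject: Re: VM network unreachable
>
> Does this happen every time? Is it the same when creating a Linux VM and when creating a Windows VM?
> Also, have you tried switching to a different hypervisor?
>
> 2014-04-29 11:43 GMT+08:00 谢福平 <75...@qq.com>:
>> Problem description:
>>        When a new VM is created in the cluster and it is placed on host A, the VMs already on host A can no longer be pinged;
>>        If host A's firewall is then turned off, the unreachable VMs can be pinged again. After host A's firewall comes back up automatically, all VMs also run normally and the ping failures do not occur.
>>  The contents of the iptables file are as follows: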
>> [root@pcs-kvm-3 cloud]# cat /etc/sysconfig/iptables
>> # Generated by iptables-save v1.4.7 on Sat Apr 12 17:52:24 2014
>> *nat
>> :PREROUTING ACCEPT [0:0]
>> :POSTROUTING ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> COMMIT
>> # Completed on Sat Apr 12 17:52:24 2014
>> # Generated by iptables-save v1.4.7 on Sat Apr 12 17:52:24 2014
>> *mangle
>> :PREROUTING ACCEPT [0:0]
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> :POSTROUTING ACCEPT [0:0]
>> -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
>> COMMIT
>> # Completed on Sat Apr 12 17:52:24 2014
>> # Generated by iptables-save v1.4.7 on Sat Apr 12 17:52:24 2014
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
>> -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
>> -A INPUT -p tcp -m tcp --dport 49152:49216 -j ACCEPT
>> -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
>> -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
>> -A INPUT -p tcp -m tcp --dport 5900:6100 -j ACCEPT
>> -A INPUT -p tcp -m tcp --dport 16509 -j ACCEPT
>> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
>> -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
>> -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
>> COMMIT
>> # Completed on Sat Apr 12 17:52:24 2014
>>  [root@pcs-kvm-3 cloud]#
>
>
>
> --
> 白清杰 (Born Bai)
>
> 北京开源愿景信息技术有限公司
>
> Mail: linuxbqj@gmail.com



-- 
白清杰 (Born Bai)

北京开源愿景信息技术有限公司

Mail: linuxbqj@gmail.com
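
The comparison suggested in the reply above, as an added example that is not part of the original thread: it parses two `iptables-save` dumps, ignores timestamps and packet counters, and reports policy changes and added or removed rules with rule order preserved. `parse_save` and `diff_rulesets` are hypothetical helper names; `LIVE`, including the `br-example` bridge, the `DROP` policy and the counters, is constructed sample data.

```python
import difflib
import re

# Constructed inputs: SAVED abridges the thread's dump; LIVE is an invented later capture.
SAVED = """# Generated by iptables-save v1.4.7 on Sat Apr 12 17:52:24 2014
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""
LIVE = """# Generated by iptables-save v1.4.7 on Tue Apr 29 12:00:00 2014
*filter
:FORWARD DROP [3:252]
[0:0] -A FORWARD -i br-example -o br-example -j ACCEPT
[2:168] -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
[1:84] -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

def parse_save(text):
    """Parse iptables-save output into {table: (policies, ordered rules)}."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue  # timestamps and COMMIT markers carry no policy
        if line.startswith("*"):
            current = tables.setdefault(line[1:], ({}, []))
        elif current is None:
            raise ValueError("rule outside of a table: %r" % line)
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]  # drop [packets:bytes]
            current[0][chain] = policy
        else:  # strip the per-rule counters written by iptables-save -c
            current[1].append(re.sub(r"^\[\d+:\d+\]\s*", "", line))
    return tables

def diff_rulesets(before, after):
    """List policy changes and added (+) / removed (-) rules per table."""
    a, b = parse_save(before), parse_save(after)
    out = []
    for table in sorted(set(a) | set(b)):
        pa, ra = a.get(table, ({}, []))
        pb, rb = b.get(table, ({}, []))
        out += [f"{table}: chain {c} policy {pa.get(c)} -> {pb.get(c)}"
                for c in sorted(set(pa) | set(pb)) if pa.get(c) != pb.get(c)]
        out += [f"{table}: {d}" for d in difflib.ndiff(ra, rb) if d[0] in "+-"]
    return out
```

On a real host the two inputs would be the contents of `/etc/sysconfig/iptables` and the output of `iptables-save` captured while the problem is occurring.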

Reply: VM network unreachable

Posted by 谢福平 <75...@qq.com>.
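They are all the same;

 We cannot switch to a different virtualization platform; it is in use

 ------------------ Original message ------------------
  From: "linuxbqj@gmail.com";<li...@gmail.com>;
 Sent: April 29, 2014 (Tuesday) 11:59 AM
 To: "users-cn"<us...@cloudstack.apache.org>;

 Subject: Re: VM network unreachable

Does this happen every time? Is it the same when creating a Linux VM and when creating a Windows VM?
Also, have you tried switching to a different hypervisor?

2014-04-29 11:43 GMT+08:00 谢福平 <75...@qq.com>:
> Problem description:
>        When a new VM is created in the cluster and it is placed on host A, the VMs already on host A can no longer be pinged;
>        If host A's firewall is then turned off, the unreachable VMs can be pinged again. After host A's firewall comes back up automatically, all VMs also run normally and the ping failures do not occur.
>  The contents of the iptables file are as follows: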
> [root@pcs-kvm-3 cloud]# cat /etc/sysconfig/iptables
> # Generated by iptables-save v1.4.7 on Sat Apr 12 17:52:24 2014
> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> COMMIT
> # Completed on Sat Apr 12 17:52:24 2014
> # Generated by iptables-save v1.4.7 on Sat Apr 12 17:52:24 2014
> *mangle
> :PREROUTING ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> COMMIT
> # Completed on Sat Apr 12 17:52:24 2014
> # Generated by iptables-save v1.4.7 on Sat Apr 12 17:52:24 2014
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 49152:49216 -j ACCEPT
> -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
> -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 5900:6100 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 16509 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
> COMMIT
> # Completed on Sat Apr 12 17:52:24 2014
>  [root@pcs-kvm-3 cloud]#



-- 
白清杰 (Born Bai)

北京开源愿景信息技术有限公司

Mail: linuxbqj@gmail.com

Re: VM network unreachable

Posted by "linuxbqj@gmail.com" <li...@gmail.com>.
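Does this happen every time? Is it the same when creating a Linux VM and when creating a Windows VM?
Also, have you tried switching to a different hypervisor?

2014-04-29 11:43 GMT+08:00 谢福平 <75...@qq.com>:
> Problem description:
>        When a new VM is created in the cluster and it is placed on host A, the VMs already on host A can no longer be pinged;
>        If host A's firewall is then turned off, the unreachable VMs can be pinged again. After host A's firewall comes back up automatically, all VMs also run normally and the ping failures do not occur.
>  The contents of the iptables file are as follows: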
> [root@pcs-kvm-3 cloud]# cat /etc/sysconfig/iptables
> # Generated by iptables-save v1.4.7 on Sat Apr 12 17:52:24 2014
> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> COMMIT
> # Completed on Sat Apr 12 17:52:24 2014
> # Generated by iptables-save v1.4.7 on Sat Apr 12 17:52:24 2014
> *mangle
> :PREROUTING ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> COMMIT
> # Completed on Sat Apr 12 17:52:24 2014
> # Generated by iptables-save v1.4.7 on Sat Apr 12 17:52:24 2014
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 49152:49216 -j ACCEPT
> -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
> -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 5900:6100 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 16509 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
> COMMIT
> # Completed on Sat Apr 12 17:52:24 2014
>  [root@pcs-kvm-3 cloud]#



-- 
白清杰 (Born Bai)

北京开源愿景信息技术有限公司

Mail: linuxbqj@gmail.com