Posted to users-cn@cloudstack.apache.org by zhangyan <zy...@neusoft.com> on 2014/05/16 04:06:27 UTC
Re: Host firewall makes VMs unreachable
Which CloudStack version is this, and which hypervisor type?
-----Original Message-----
From: 谢福平 [mailto:754282701@qq.com]
Sent: 15 May 2014 9:42
To: users-cn
Subject: Host firewall makes VMs unreachable
Steps to reproduce
1. The VMs are working normally and can be pinged.
2. Create a new VM; suppose the host it lands on is A.
3. The existing VMs on host A can no longer be pinged; the newly created VM works fine.
4. Turn off the firewall on host A; all VMs on A can be pinged again.
5. After a while the firewall on A comes back up by itself, and all VMs can still be pinged normally.
In summary: only at the moment a new VM is created do the existing VMs on the host that receives the new VM become unreachable by ping; the new VM itself is fine.
The firewall state on the host is as follows:
[root@iad-kvm-1 ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target           prot opt source       destination
Chain FORWARD (policy ACCEPT)
num  target           prot opt source       destination
1    BF-br-guest      all  --  0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-is-bridged
2    BF-br-guest      all  --  0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-is-bridged
3    DROP             all  --  0.0.0.0/0    0.0.0.0/0
4    DROP             all  --  0.0.0.0/0    0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num  target           prot opt source       destination
Chain BF-br-guest (2 references)
num  target           prot opt source       destination
1    ACCEPT           all  --  0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
2    BF-br-guest-IN   all  --  0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-is-in --physdev-is-bridged
3    BF-br-guest-OUT  all  --  0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-is-out --physdev-is-bridged
4    ACCEPT           all  --  0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-out eth1 --physdev-is-bridged
Chain BF-br-guest-IN (1 references)
num  target           prot opt source       destination
1    i-2-505-def      all  --  0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-in vnet6 --physdev-is-bridged
Chain BF-br-guest-OUT (1 references)
num  target           prot opt source       destination
1    i-2-505-def      all  --  0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-out vnet6 --physdev-is-bridged
Chain i-2-505-VM (1 references)
num  target           prot opt source       destination
1    ACCEPT           udp  --  0.0.0.0/0    0.0.0.0/0    udp dpts:1:65535 state NEW
2    ACCEPT           tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpts:1:65535 state NEW
3    ACCEPT           icmp --  0.0.0.0/0    0.0.0.0/0    icmp type 255
4    DROP             all  --  0.0.0.0/0    0.0.0.0/0
Chain i-2-505-VM-eg (1 references)
num  target           prot opt source       destination
1    RETURN           udp  --  0.0.0.0/0    0.0.0.0/0    udp dpts:1:65535 state NEW
2    RETURN           tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpts:1:65535 state NEW
3    RETURN           icmp --  0.0.0.0/0    0.0.0.0/0    icmp type 255
4    DROP             all  --  0.0.0.0/0    0.0.0.0/0
Chain i-2-505-def (2 references)
num  target           prot opt source       destination
1    ACCEPT           all  --  0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
2    ACCEPT           udp  --  0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-in vnet6 --physdev-is-bridged udp spt:68 dpt:67
3    ACCEPT           udp  --  0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-out vnet6 --physdev-is-bridged udp spt:67 dpt:68
4    RETURN           udp  --  10.5.26.96   0.0.0.0/0    PHYSDEV match --physdev-in vnet6 --physdev-is-bridged udp dpt:53
5    i-2-505-VM-eg    all  --  10.5.26.96   0.0.0.0/0    PHYSDEV match --physdev-in vnet6 --physdev-is-bridged
6    i-2-505-VM       all  --  0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-out vnet6 --physdev-is-bridged
---------------------------------------------------------------------------------------------------
Confidentiality Notice: The information contained in this e-mail and any accompanying attachment(s)
is intended only for the use of the intended recipient and may be confidential and/or privileged of
Neusoft Corporation, its subsidiaries and/or its affiliates. If any reader of this communication is
not the intended recipient, unauthorized use, forwarding, printing, storing, disclosure or copying
is strictly prohibited, and may be unlawful.If you have received this communication in error,please
immediately notify the sender by return e-mail, and delete the original message and all copies from
your system. Thank you.
---------------------------------------------------------------------------------------------------
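The listing quoted above carries per-port rules for only one bridge port (vnet6, reached through the i-2-505-def chain), its FORWARD chain contains the same BF-br-guest jump and the same DROP twice, and it ends in an unconditional DROP. A quick way to check whether the other VMs on the host are simply missing their per-port rules is to parse the listing and compare the ports it covers with the ports attached to the bridge. The script below is an added example written for this page, not code from the thread or from CloudStack: the posted listing is embedded as constructed sample input, the chain names and eth1 as the uplink port come from that listing, and the extra ports vnet3 and vnet4 in BRIDGE_PORTS are assumed stand-ins for the pre-existing VMs (on a real host take them from `brctl show` and feed it `iptables -L -n --line-numbers`).

```python
"""Audit CloudStack-style security-group iptables chains on a KVM host.

Added example, not code from the thread or from CloudStack itself.
It parses an `iptables -L -n --line-numbers` style listing (the one from
the thread, embedded below as constructed sample input) and reports which
bridge ports have no --physdev-in / --physdev-out rule in the
BF-br-guest-IN / BF-br-guest-OUT chains.  With a catch-all DROP at the
end of FORWARD, traffic entering such a port from outside the host is
dropped unless it matches an earlier ACCEPT.
"""
import re
from collections import defaultdict

# Constructed sample: the relevant part of the listing posted in the thread.
LISTING = """\
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    BF-br-guest  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged
2    BF-br-guest  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged
3    DROP       all  --  0.0.0.0/0            0.0.0.0/0
4    DROP       all  --  0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Chain BF-br-guest (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    BF-br-guest-IN  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-in --physdev-is-bridged
3    BF-br-guest-OUT  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-out --physdev-is-bridged
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth1 --physdev-is-bridged
Chain BF-br-guest-IN (1 references)
num  target     prot opt source               destination
1    i-2-505-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vnet6 --physdev-is-bridged
Chain BF-br-guest-OUT (1 references)
num  target     prot opt source               destination
1    i-2-505-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vnet6 --physdev-is-bridged
"""

# Assumed bridge membership (what `brctl show br-guest` would list);
# vnet3 and vnet4 are hypothetical ports of the pre-existing VMs.
BRIDGE_PORTS = ["eth1", "vnet3", "vnet4", "vnet6"]

CHAIN_RE = re.compile(r"^Chain (\S+) ")
# num target prot opt source destination [match options...]
RULE_RE = re.compile(r"^\d+\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_listing(text):
    """Return {chain: [(target, proto, src, dst, extra), ...]}."""
    chains = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current]  # register the chain even if it has no rules
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            chains[current].append(m.groups())
    return dict(chains)


def ports_with_rules(chains, chain, direction):
    """Bridge ports named by a --physdev-in/--physdev-out rule in `chain`."""
    pattern = re.compile(r"--physdev-%s (\S+)" % direction)
    found = set()
    for _, _, _, _, extra in chains.get(chain, []):
        m = pattern.search(extra)
        if m:
            found.add(m.group(1))
    return found


def forward_has_catchall_drop(chains):
    """True if FORWARD ends with a DROP that carries no match options."""
    rules = chains.get("FORWARD", [])
    return bool(rules) and rules[-1][0] == "DROP" and rules[-1][4].strip() == ""


def duplicate_rules(chains, chain):
    """Rules programmed more than once in `chain` (e.g. a double-applied jump)."""
    seen, dups = set(), []
    for rule in chains.get(chain, []):
        if rule in seen and rule not in dups:
            dups.append(rule)
        seen.add(rule)
    return dups


def audit(text, bridge_ports, uplink="eth1"):
    """Compare the ports the chains cover with the ports on the bridge."""
    chains = parse_listing(text)
    covered = (ports_with_rules(chains, "BF-br-guest-IN", "in")
               & ports_with_rules(chains, "BF-br-guest-OUT", "out"))
    vm_ports = [p for p in bridge_ports if p != uplink]
    return {
        "covered": sorted(covered),
        "uncovered": [p for p in vm_ports if p not in covered],
        "forward_catchall_drop": forward_has_catchall_drop(chains),
        "duplicate_forward_rules": len(duplicate_rules(chains, "FORWARD")),
    }


if __name__ == "__main__":
    print(audit(LISTING, BRIDGE_PORTS))
```

Reading the report against the chain logic: a packet arriving from eth1 for a VM on an uncovered port enters FORWARD, jumps to BF-br-guest, finds no matching port rule in BF-br-guest-IN or BF-br-guest-OUT, is not leaving via eth1 so rule 4 does not accept it, returns to FORWARD and hits the catch-all DROP, which is consistent with existing VMs on the host not answering ping while the one VM with a chain does.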
Re: Re: Host firewall makes VMs unreachable
Posted by 谢福平 <75...@qq.com>.
4.0.2
KVM hypervisor hosts
------------------ Original Message ------------------
From: "zhangyan";<zy...@neusoft.com>;
Sent: Friday, 16 May 2014 10:06 AM
To: "users-cn"<us...@cloudstack.apache.org>;
Subject: Re: Host firewall makes VMs unreachable
Which CloudStack version is this, and which hypervisor type?