Are you using basic networking mode or advanced networking mode? How many devices?

2014-05-15 9:42 GMT+08:00 谢福平 <754282...@qq.com>:

> Steps
> 1. The virtual machines are normal and can be pinged.
> 2. Create a new virtual machine; say the host of that virtual machine is A.
> 3. The existing virtual machines on host A can no longer be pinged; the newly created virtual machine is normal.
> 4. Turn off the host firewall; all virtual machines on A can be pinged.
> 5. After a while, the firewall on A comes back up automatically, and all virtual machines can still be pinged normally.
>
> In summary: only when a new virtual machine is created do the existing virtual machines on the new virtual machine's host become unpingable; the newly created virtual machine is normal.
> The firewall status on the host is as follows:
> [root@iad-kvm-1 ~]# service iptables status
> Table: filter
> Chain INPUT (policy ACCEPT)
> num  target  prot  opt  source  destination
>
> Chain FORWARD (policy ACCEPT)
> num  target  prot  opt  source  destination
> 1  BF-br-guest  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-is-bridged
> 2  BF-br-guest  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-is-bridged
> 3  DROP  all  --  0.0.0.0/0  0.0.0.0/0
> 4  DROP  all  --  0.0.0.0/0  0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> num  target  prot  opt  source  destination
>
> Chain BF-br-guest (2 references)
> num  target  prot  opt  source  destination
> 1  ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
> 2  BF-br-guest-IN  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-is-in --physdev-is-bridged
> 3  BF-br-guest-OUT  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-is-out --physdev-is-bridged
> 4  ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out eth1 --physdev-is-bridged
>
> Chain BF-br-guest-IN (1 references)
> num  target  prot  opt  source  destination
> 1  i-2-505-def  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-in vnet6 --physdev-is-bridged
>
> Chain BF-br-guest-OUT (1 references)
> num  target  prot  opt  source  destination
> 1  i-2-505-def  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out vnet6 --physdev-is-bridged
>
> Chain i-2-505-VM (1 references)
> num  target  prot  opt  source  destination
> 1  ACCEPT  udp  --  0.0.0.0/0  0.0.0.0/0  udp dpts:1:65535 state NEW
> 2  ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpts:1:65535 state NEW
> 3  ACCEPT  icmp  --  0.0.0.0/0  0.0.0.0/0  icmp type 255
> 4  DROP  all  --  0.0.0.0/0  0.0.0.0/0
>
> Chain i-2-505-VM-eg (1 references)
> num  target  prot  opt  source  destination
> 1  RETURN  udp  --  0.0.0.0/0  0.0.0.0/0  udp dpts:1:65535 state NEW
> 2  RETURN  tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpts:1:65535 state NEW
> 3  RETURN  icmp  --  0.0.0.0/0  0.0.0.0/0  icmp type 255
> 4  DROP  all  --  0.0.0.0/0  0.0.0.0/0
>
> Chain i-2-505-def (2 references)
> num  target  prot  opt  source  destination
> 1  ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
> 2  ACCEPT  udp  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-in vnet6 --physdev-is-bridged udp spt:68 dpt:67
> 3  ACCEPT  udp  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out vnet6 --physdev-is-bridged udp spt:67 dpt:68
> 4  RETURN  udp  --  10.5.26.96  0.0.0.0/0  PHYSDEV match --physdev-in vnet6 --physdev-is-bridged udp dpt:53
> 5  i-2-505-VM-eg  all  --  10.5.26.96  0.0.0.0/0  PHYSDEV match --physdev-in vnet6 --physdev-is-bridged
> 6  i-2-505-VM  all  --  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out vnet6 --physdev-is-bridged

--
白清杰 (Born Bai)
北京开源愿景信息技术有限公司
Mail: linux...@gmail.com