I set up 2 virtual machines in qemu. One of them (VM1) has a link to the Internet and a link to the other virtual machine (VM2). On VM1, I get good results for network performance (WAN):
Connecting to host iperf.xxx, port 5201
[ 5] local xxx port 40826 connected to xxx port 5201
[ 7] local xxx port 40828 connected to xxx port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-10.00 sec 353 MBytes 296 Mbits/sec 337 93.3 KBytes
[ 7] 0.00-10.00 sec 359 MBytes 301 Mbits/sec 339 122 KBytes
[SUM] 0.00-10.00 sec 712 MBytes 597 Mbits/sec 676
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 353 MBytes 296 Mbits/sec 337 sender
[ 5] 0.00-10.00 sec 353 MBytes 296 Mbits/sec receiver
[ 7] 0.00-10.00 sec 359 MBytes 301 Mbits/sec 339 sender
[ 7] 0.00-10.00 sec 358 MBytes 300 Mbits/sec receiver
[SUM] 0.00-10.00 sec 712 MBytes 597 Mbits/sec 676 sender
[SUM] 0.00-10.00 sec 711 MBytes 596 Mbits/sec receiver
On VM1, I enabled IpForward in sysctl, and VM2 has a default route to VM1. But when running the same iperf test on VM2, I get the following results:
Connecting to host iperf.xxx, port 5201
[ 5] local 10.5.5.2 port 53188 connected to xxx port 5201
[ 7] local 10.5.5.2 port 53190 connected to xxx port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-10.01 sec 631 KBytes 516 Kbits/sec 6 1.41 KBytes
[ 7] 0.00-10.01 sec 731 KBytes 598 Kbits/sec 20 1.41 KBytes
[SUM] 0.00-10.01 sec 1.33 MBytes 1.11 Mbits/sec 26
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.01 sec 631 KBytes 516 Kbits/sec 6 sender
[ 5] 0.00-10.01 sec 281 KBytes 230 Kbits/sec receiver
[ 7] 0.00-10.01 sec 731 KBytes 598 Kbits/sec 20 sender
[ 7] 0.00-10.01 sec 431 KBytes 353 Kbits/sec receiver
[SUM] 0.00-10.01 sec 1.33 MBytes 1.11 Mbits/sec 26 sender
[SUM] 0.00-10.01 sec 713 KBytes 583 Kbits/sec receiver
As you can see, that is a very large difference. As a natural reaction, I started iperf between VM1 (server) and VM2 (client), with the following results:
Connecting to host 10.5.5.1, port 5201
[ 5] local 10.5.5.2 port 49408 connected to 10.5.5.1 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 1.01 MBytes 8.46 Mbits/sec 31 1.41 KBytes
[ 5] 1.00-2.00 sec 0.00 Bytes 0.00 bits/sec 1 1.41 KBytes
[ 5] 2.00-3.00 sec 0.00 Bytes 0.00 bits/sec 0 1.41 KBytes
[ 5] 3.00-4.00 sec 0.00 Bytes 0.00 bits/sec 1 1.41 KBytes
[ 5] 4.00-5.00 sec 0.00 Bytes 0.00 bits/sec 0 1.41 KBytes
[ 5] 5.00-6.00 sec 0.00 Bytes 0.00 bits/sec 0 1.41 KBytes
[ 5] 6.00-7.00 sec 0.00 Bytes 0.00 bits/sec 1 1.41 KBytes
[ 5] 7.00-8.00 sec 0.00 Bytes 0.00 bits/sec 0 1.41 KBytes
[ 5] 8.00-9.00 sec 0.00 Bytes 0.00 bits/sec 0 1.41 KBytes
[ 5] 9.00-10.00 sec 0.00 Bytes 0.00 bits/sec 0 1.41 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 1.01 MBytes 847 Kbits/sec 34 sender
[ 5] 0.00-10.00 sec 523 KBytes 429 Kbits/sec receiver
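It seems to me that packets are being dropped after the connection is established(?), because for the first second everything is fine, but after that the connection seems to break.
I am currently out of options; I even accepted all traffic in the firewall on VM1. Output of iptables -nvL --line-numbers on VM1: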
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 602K 34M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
2 2428K 275M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3 1 84 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 6 360 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5201
5 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 ctstate NEW
6 5 308 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x17/0x02 ctstate NEW
7 3 140 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 flags:0x17/0x02 ctstate NEW
8 132 5288 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
9 593 24128 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp reject-with tcp-reset
10 81 24010 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
11 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5201
12 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5201
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 137K 298M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
2 1758 106K ACCEPT tcp -- * * 0.0.0.0/0 10.5.5.2 tcp dpt:22
3 97425 322M ACCEPT all -- * enp1s5 0.0.0.0/0 10.5.5.0/24 ctstate RELATED,ESTABLISHED
4 41400 6022K ACCEPT all -- enp1s5 * 10.5.5.0/24 0.0.0.0/0
5 0 0 ACCEPT all -- enp1s5 enp1s5 0.0.0.0/0 0.0.0.0/0
6 0 0 REJECT all -- enp1s5 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
7 0 0 REJECT all -- * enp1s5 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 383K 2483M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
And the nat table, iptables -t nat -nvL --line-numbers:
Chain PREROUTING (policy ACCEPT 2246 packets, 141K bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DNAT tcp -- * * 0.0.0.0/0 xxx tcp dpt:2243 to:10.5.5.2:22
2 1 64 DNAT tcp -- * * 0.0.0.0/0 xxx tcp dpt:2246 to:10.5.5.2:22
Chain INPUT (policy ACCEPT 1330 packets, 77280 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 355 packets, 18693 bytes)
num pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 949 packets, 42477 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 RETURN all -- * * 10.5.5.0/24 224.0.0.0/24
2 0 0 RETURN all -- * * 10.5.5.0/24 255.255.255.255
3 242 15138 MASQUERADE all -- * * 10.5.5.0/24 !10.5.5.0/24
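(By the way, this is with 2 port forwards enabled on vm1 to port 22 on vm2.)
As I said, I am out of options. Do you have any suggestions on how to proceed with further troubleshooting?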