Assigning an egress IP to libvirt VMs on a routed network

My host's network interface has two IPs. Currently I am running my VMs on a routed network.

The host's network interface is a member of the public zone in firewalld, with both forward and masquerade enabled.

With the setup described above, the VMs are able to reach the Internet, and I can add port forwards to the VMs with firewalld's --add-forward-port.

However, I now want to change the egress IP of one of the VMs (i.e. the address it is masqueraded to) to another IP that is available on my host's network interface.
I tried adding an SNAT rule with nftables, since firewalld does not support it. The command I used was nft add rule nat POSTROUTING snat to ip saddr map { <VM's IP> : <public ip> }, which causes the VM to lose its connection to the Internet, while it can still be reached through the port forwarding set up in firewalld.

I googled this but did not find much information about it.

Here are some of the configurations.

The default public IP has been changed to 10.0.0.1, the secondary public IP to 10.0.0.2

VM 1's NAT IP has been changed to 192.168.122.1, VM 2's NAT IP to 192.168.122.2

firewalld

libvirt (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: virbr0
  sources: 
  services: custom--ms-wbt-server-ms-wbt-server dhcp dhcpv6 dns ssh tftp
  ports: 
  protocols: icmp ipv6-icmp
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule priority="32767" reject

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0f0
  sources: 
  services: cockpit dhcpv6-client libvirt libvirt-tls mdns ssh steam-streaming vnc-server
  ports: 
  protocols: 
  forward: yes
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" destination address="10.0.0.2" forward-port port="33412" protocol="tcp" to-port="3389" to-addr="192.168.122.2" # another public ip is the ip that i want to change to
        rule family="ipv4" destination address="10.0.0.1" forward-port port="33411" protocol="udp" to-port="3389" to-addr="192.168.122.1" # default public ip is the default outlet ip
        rule family="ipv4" destination address="10.0.0.1" forward-port port="33411" protocol="tcp" to-port="3389" to-addr="192.168.122.1"
        rule family="ipv4" destination address="10.0.0.2" forward-port port="33412" protocol="udp" to-port="3389" to-addr="192.168.122.2"

virsh

<network connections='2'>
  <name>default</name>
  <uuid>(network uuid)</uuid>
  <forward mode='route'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='<mac address>'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>

ip addr

enp1s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether <mac address> brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 brd <broadcast addr> scope global noprefixroute enp1s0f0
       valid_lft forever preferred_lft forever
    inet 10.0.0.2/25 brd <broadcast addr> scope global noprefixroute enp1s0f0
       valid_lft forever preferred_lft forever

ip route

default via <default public ip gateway> dev enp1s0f0 proto static metric 100 
<default public ip subnet> dev enp1s0f0 proto kernel scope link src 10.0.0.1 metric 100 
<secondary public ip subnet> dev enp1s0f0 proto kernel scope link src 10.0.0.2 metric 100 
<virsh network subnet> dev virbr0 proto kernel scope link src 192.168.122.1

My server is running Fedora 37, firewalld 1.2.2, nftables 1.0.4
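The per-VM SNAT the question asks for, as an added example that is not part of the original post: a dedicated nftables table that maps a VM address to its egress address and hooks postrouting ahead of firewalld's chain. It reuses the post's redacted addresses and interface name; the table name vm_egress, the chain priority 90, the helper names and the sample ruleset excerpt are mine. The ordering assumption (firewalld's nftables backend registers nat_POSTROUTING at srcnat + 10, i.e. 110) should be confirmed on the host with the listing helper before relying on it.

```shell
#!/bin/sh
# Added example (not from the post): give one libvirt VM its own egress IP
# with a separate nftables table, leaving firewalld's masquerade in place for
# every other VM. Assumptions: VM/public pairs reuse the post's redacted
# addresses; table name vm_egress and priority 90 are chosen here.
set -eu

WAN_IF="enp1s0f0"   # uplink interface from the post

# gen_snat_ruleset IFACE VM:PUBLIC [VM:PUBLIC ...]
# Prints an nft ruleset (feed it to `nft -f -`) with a map of VM address ->
# egress address and a single snat rule. A source address that is not in the
# map makes the rule not match at all, so unmapped VMs still fall through to
# firewalld's masquerade and keep their current egress IP.
gen_snat_ruleset() {
    iface=$1; shift
    elems=""
    for pair in "$@"; do
        vm=${pair%%:*}; pub=${pair##*:}
        elems="${elems}${elems:+, }${vm} : ${pub}"
    done
    # The bare "table" line creates it if missing, "delete table" then clears
    # it, so re-applying the file is idempotent (nft 1.0.4 has no destroy).
    cat <<EOF
table ip vm_egress
delete table ip vm_egress
table ip vm_egress {
    map egress_ip {
        type ipv4_addr : ipv4_addr
        elements = { ${elems} }
    }
    chain postrouting {
        # srcnat is 100; firewalld's nat_POSTROUTING sits at srcnat + 10.
        # The lower number runs first, and conntrack keeps the first NAT
        # decision for a flow, so firewalld's masquerade does not re-NAT it.
        type nat hook postrouting priority 90; policy accept;
        oifname "${iface}" snat to ip saddr map @egress_ip
    }
}
EOF
}

# list_postrouting_nat RULESET_TEXT
# Prints "family table priority" for every nat postrouting base chain found in
# the text of `nft list ruleset`, to confirm the ordering against firewalld.
list_postrouting_nat() {
    printf '%s\n' "$1" | awk '
        /^table / { tbl = $2 " " $3 }
        /type nat hook postrouting/ {
            sub(/.*priority /, ""); sub(/;.*/, "")
            print tbl, $0
        }'
}

# Constructed excerpt of `nft list ruleset` on a host running firewalld with
# the nftables backend plus the table above, used to exercise the check.
SAMPLE_RULESET='table inet firewalld {
    chain nat_POSTROUTING {
        type nat hook postrouting priority srcnat + 10; policy accept;
        jump nat_POSTROUTING_POLICIES_pre
    }
}
table ip vm_egress {
    chain postrouting {
        type nat hook postrouting priority 90; policy accept;
        oifname "enp1s0f0" snat to ip saddr map @egress_ip
    }
}'

# Usage (as root): apply, verify chain ordering, then watch a flow from the
# VM get src-NATed to 10.0.0.2 instead of the primary address.
#   gen_snat_ruleset "$WAN_IF" 192.168.122.2:10.0.0.2 | nft -f -
#   list_postrouting_nat "$(nft list ruleset)"
#   conntrack -L -s 192.168.122.2
```

firewalld only flushes and rebuilds its own inet firewalld table on --reload, so the vm_egress table survives reloads; to make it survive reboots, save the generated ruleset under /etc/nftables/ and include it from /etc/sysconfig/nftables.conf with nftables.service enabled. If list_postrouting_nat shows firewalld's chain at a lower priority than expected, lower the number in gen_snat_ruleset accordingly, since a snat rule that runs after the masquerade never sees an un-NATed packet.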
