qemu,kvm,vde2-net,iptables,shorewall,NAT
Hello,
I set up Qemu with KVM following the instructions in the Debian Wiki, and the network is set up via vde2-net.
I set up NAT with the help of Shorewall.
I now have 2 interfaces:
eth1, which is physical and on the 192.168.16.0 network
mytap, which is virtual and on the 10.0.3.0 network
Now I have the problem that I can get out from my VMs to eth1, but not the other way round (e.g. with ping).
And now I need your help to get to the bottom of the problem:
Here is the config:
root@PCD4BED99318C6:dkoch# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
phy2fw all -- anywhere anywhere
virt2fw all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix "Shorewall:INPUT:DROP:"
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
phy2virt all -- anywhere anywhere
virt2phy all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix "Shorewall:FORWARD:REJECT:"
reject all -- anywhere anywhere [goto]
Chain OUTPUT (policy DROP)
target prot opt source destination
fw2phy all -- anywhere anywhere
fw2virt all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain Broadcast (2 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
DROP all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
DROP all -- anywhere anywhere ADDRTYPE match dst-type ANYCAST
DROP all -- anywhere base-address.mcast.net/4
Chain Drop (1 references)
target prot opt source destination
all -- anywhere anywhere
reject tcp -- anywhere anywhere tcp dpt:auth /* Auth */
Broadcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed /* Needed ICMP types */
ACCEPT icmp -- anywhere anywhere icmp time-exceeded /* Needed ICMP types */
Invalid all -- anywhere anywhere
DROP udp -- anywhere anywhere multiport dports loc-srv,microsoft-ds /* SMB */
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn /* SMB */
DROP udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535 /* SMB */
DROP tcp -- anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds /* SMB */
DROP udp -- anywhere anywhere udp dpt:1900 /* UPnP */
NotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain /* Late DNS Replies */
Chain Invalid (2 references)
target prot opt source destination
DROP all -- anywhere anywhere ctstate INVALID
Chain NotSyn (2 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcpflags:! FIN,SYN,RST,ACK/SYN
Chain Reject (1 references)
target prot opt source destination
all -- anywhere anywhere
reject tcp -- anywhere anywhere tcp dpt:auth /* Auth */
Broadcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed /* Needed ICMP types */
ACCEPT icmp -- anywhere anywhere icmp time-exceeded /* Needed ICMP types */
Invalid all -- anywhere anywhere
reject udp -- anywhere anywhere multiport dports loc-srv,microsoft-ds /* SMB */
reject udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn /* SMB */
reject udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535 /* SMB */
reject tcp -- anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds /* SMB */
DROP udp -- anywhere anywhere udp dpt:1900 /* UPnP */
NotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain /* Late DNS Replies */
Chain dynamic (4 references)
target prot opt source destination
Chain fw2phy (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain fw2virt (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain logdrop (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain logreject (0 references)
target prot opt source destination
reject all -- anywhere anywhere
Chain phy2fw (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere ctstate INVALID,NEW
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain phy2virt (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere ctstate INVALID,NEW
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain reject (8 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match src-type BROADCAST
DROP all -- base-address.mcast.net/4 anywhere
DROP igmp -- anywhere anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain shorewall (0 references)
target prot opt source destination
Chain virt2fw (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere ctstate INVALID,NEW
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain virt2phy (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere ctstate INVALID,NEW
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
=====================
root@PCD4BED99318C6:shorewall# cat zones
#
# Shorewall version 4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
phy ipv4
virt ipv4
=====================
root@PCD4BED99318C6:shorewall# cat interfaces
#
# Shorewall version 4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
###############################################################################
FORMAT 1
#ZONE INTERFACE BROADCAST OPTIONS
phy eth1 detect
virt mytap detect
FORMAT 2
#ZONE INTERFACE OPTIONS
======================
cat masq
#
# Shorewall version 4 - Masq file
#
# For information about entries in this file, type "man shorewall-masq"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-masq.html
#
######################################################################################################
#INTERFACE:DEST SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ SWITCH
# GROUP
eth1 mytap
mytap eth1
=======================
root@PCD4BED99318C6:shorewall# cat rules
#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
######################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
--
Daniel Koch
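As an added illustration that is not part of the post above, this script expands the two-line Shorewall "masq" file quoted in it into the iptables NAT rules Shorewall generates from such entries, so the effect of each line is visible without a running Shorewall. It assumes /24 masks for both networks (the post gives none) and replaces Shorewall's routing-table lookup for an interface-name SOURCE with a fixed interface-to-network table.

```shell
#!/bin/sh
# Added example, not part of the original post: expand a Shorewall "masq"
# file into the POSTROUTING rules Shorewall builds from it.
# Assumptions not stated in the post: both networks are /24, and a fixed
# interface->network table stands in for Shorewall's routing-table lookup.

# Constructed copy of the post's masq file (header comments stripped).
MASQ_FILE='#INTERFACE:DEST SOURCE
eth1 mytap
mytap eth1'

# Hypothetical interface -> network map (Shorewall derives this from routes).
net_of() {
    case "$1" in
        eth1)  echo 192.168.16.0/24 ;;
        mytap) echo 10.0.3.0/24 ;;
        *)     echo "net_of: unknown interface '$1'" >&2; return 1 ;;
    esac
}

# One POSTROUTING rule per masq line: packets leaving INTERFACE whose source
# lies in the network behind SOURCE are rewritten to the outgoing address.
masq_to_iptables() {
    while read -r out_if src _; do
        case "$out_if" in ''|\#*) continue ;; esac   # skip blanks and comments
        src_net=$(net_of "$src") || return 1
        echo "iptables -t nat -A POSTROUTING -o $out_if -s $src_net -j MASQUERADE"
    done <<EOF
$1
EOF
}

# Number of generated rules; two here means NAT is applied in both directions.
masq_rule_count() {
    masq_to_iptables "$1" | wc -l | tr -d ' '
}

masq_to_iptables "$MASQ_FILE"
```

The second masq line rewrites the physical LAN's traffic to the host's mytap address on its way into the VMs, so from inside a VM every inbound connection appears to come from the host; the live rules can be compared with `shorewall show nat`.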