iptables扩展-转发链

win10 172.16.10.32 /24 可以访问外网​

centos 172.16.10.25 /24 机器网卡问题无法访问 外网​

宿主机 172.16.10.21 /24 ​

1、 找到虚拟机对应的虚拟链网卡（vnic4.0）​

2、 找到转发（FORWARD）链路中的对应引用（sg-default）的​

172.16.10.21/24​

命令​

iptables –N 创建新的链路规则​

iptables -N vnic4.0-in（虚拟网卡名-in）​

iptables -N vnic4.0-out （虚拟网卡名-out）​

iptables -A sg-default -m physdev --physdev-out vnic4.0 --physdev-is-bridged -j vnic4.0-in​

物理设备出physdev --physdev-in 到 虚拟网卡vnic4.0 物理网卡模式--physdev-is-bridged –j 应用于vnic4.0-int 链路​

iptables -A sg-default -m physdev --physdev-in vnic4.0 --physdev-is-bridged -j vnic4.0-out​

在sg-default 新建一条规则​

物理设备出physdev --physdev-in 到 虚拟网卡vnic4.0 物理网卡模式--physdev-is-bridged –j 应用于vnic4.0-out 链路​

如果转发链路FORWARD 没有对应的转发规则​

新建链接​

Iptables –N sg-default​

新建链加入转发表iptables -A FORWARD -m physdev --physdev-is-bridged -j sg-cc​

[root@172-16-10-28 qemu]# iptables -nL​

Chain FORWARD (policy ACCEPT)​

target prot opt source destination ​

sg-default all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged​

Iptables –N sg-default​

iptables -A FORWARD -m physdev --physdev-is-bridged -j sg-default​

Chain OUTPUT (policy ACCEPT)​

target prot opt source destination ​

Chain sg-default (1 references)​

target prot opt source destination ​

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED​

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged udp spt:68 dpt:67​

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged udp spt:67 dpt:68​

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged udp dpt:53​

vnic4.0-in all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vnic4.0 --physdev-is-bridged​

vnic4.0-out all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnic4.0 --physdev-is-bridged​

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ​

iptables -A sg-default -m physdev --physdev-out vnic4.0 --physdev-is-bridged -j vnic4.0-in​

iptables -A sg-default -m physdev --physdev-in vnic4.0 --physdev-is-bridged -j vnic4.0-out​

Chain vm-10-vnc (1 references)​

target prot opt source destination ​

ACCEPT all -- 0.0.0.0/0 172.16.10.0/24 ​

REJECT all -- 0.0.0.0/0 !172.16.10.0/24 reject-with icmp-host-prohibited​

Chain vm-4-vnc (1 references)​

target prot opt source destination ​

ACCEPT all -- 0.0.0.0/0 172.16.10.0/24 ​

REJECT all -- 0.0.0.0/0 !172.16.10.0/24 reject-with icmp-host-prohibited​

Chain vnic4.0-in (1 references)​

target prot opt source destination ​

DROP all -- 0.0.0.0/0 0.0.0.0/0 ​

iptables -A vnic4.0-in -j DROP ​

Chain vnic4.0-out (1 references)​

target prot opt source destination ​

DROP all -- 172.16.10.0/24 172.16.10.0/24 ​

RETURN all -- 0.0.0.0/0 0.0.0.0/0 ​

iptables -A vnic4.0-out -s 172.16.10.0/24 -d 172.16.10.0/24 -j DROP​

iptables -A vnic4.0-out -j RETURN​

536 2020-11-27 23:16:50 iptables -X vnic4.0-in​

537 2020-11-27 23:17:04 iptables -X vnic4.0-out​

Chain FORWARD (policy ACCEPT)​

target prot opt source destination ​

sg-default all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged​

Chain OUTPUT (policy ACCEPT)​

target prot opt source destination ​

Chain sg-default (1 references)​

target prot opt source destination ​

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED​

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged udp spt:68 dpt:67​

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged udp spt:67 dpt:68​

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged udp dpt:53​

vnic4.0-in all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vnic4.0 --physdev-is-bridged​

vnic4.0-out all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnic4.0 --physdev-is-bridged​

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ​

Chain vm-10-vnc (1 references)​

target prot opt source destination ​

ACCEPT all -- 0.0.0.0/0 172.16.10.0/24 ​

REJECT all -- 0.0.0.0/0 !172.16.10.0/24 reject-with icmp-host-prohibited​

Chain vm-4-vnc (1 references)​

target prot opt source destination ​

ACCEPT all -- 0.0.0.0/0 172.16.10.0/24 ​

REJECT all -- 0.0.0.0/0 !172.16.10.0/24 reject-with icmp-host-prohibited​

Chain vnic4.0-in (1 references)​

target prot opt source destination ​

DROP all -- 0.0.0.0/0 0.0.0.0/0 ​

Chain vnic4.0-out (1 references)​

target prot opt source destination ​

DROP all -- 172.16.10.0/24 172.16.10.0/24 ​

RETURN all -- 0.0.0.0/0 0.0.0.0/0 ​