I. Simple lab environment
Deploy three Ubuntu 22.04 VMs in VMware Workstation, named H1, H2 and H3; KVM is installed on H2 (see the Ubuntu 22.04 KVM installation notes).
This exercise mainly observes the FORWARD chain of the filter table.
From H1, ping 11.0.20.4 and observe how the packets match the iptables rules.
The network topology is shown below:
II. Enable IP forwarding on H2
root@H2:~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
root@H2:~#
III. Flush iptables
To make observation easier, clear all rules, user-defined chains and counters on H2:
iptables -t filter -F
iptables -t filter -X
iptables -t filter -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z
- -F: flush the rules of every chain in the table.
- -X: delete user-defined (custom) chains.
- -Z: zero the packet and byte counters.
root@H2:~# iptables -t filter -F
root@H2:~# iptables -t filter -X
root@H2:~# iptables -t filter -Z
root@H2:~# iptables -t nat -F
root@H2:~# iptables -t nat -X
root@H2:~# iptables -t nat -Z
root@H2:~# iptables -t mangle -F
root@H2:~# iptables -t mangle -X
root@H2:~# iptables -t mangle -Z
Check the iptables state; the point of interest is that the FORWARD chain counters are 0:
root@H2:~# iptables -nvL
Chain INPUT (policy ACCEPT 42 packets, 3792 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 28 packets, 4160 bytes)
 pkts bytes target     prot opt in     out     source               destination
root@H2:~# iptables-save
# Generated by iptables-save v1.8.7 on Sat Mar 15 02:32:19 2025
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [33:4968]
COMMIT
# Completed on Sat Mar 15 02:32:19 2025
# Generated by iptables-save v1.8.7 on Sat Mar 15 02:32:19 2025
*filter
:INPUT ACCEPT [75:6648]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [46:7056]
COMMIT
# Completed on Sat Mar 15 02:32:19 2025
# Generated by iptables-save v1.8.7 on Sat Mar 15 02:32:19 2025
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sat Mar 15 02:32:19 2025
root@H2:~#
IV. Default policy
1. Before the test, zero the counters of H2's filter table:
iptables -t filter -Z
2. From H1, ping 11.0.20.4
ping -c 5 11.0.20.4
3. Check the iptables counters on H2
iptables -t filter -nvL
iptables-save -t filter
root@H1:~# ping -c 5 11.0.20.4
PING 11.0.20.4 (11.0.20.4) 56(84) bytes of data.
64 bytes from 11.0.20.4: icmp_seq=1 ttl=63 time=0.515 ms
64 bytes from 11.0.20.4: icmp_seq=2 ttl=63 time=0.844 ms
64 bytes from 11.0.20.4: icmp_seq=3 ttl=63 time=1.06 ms
64 bytes from 11.0.20.4: icmp_seq=4 ttl=63 time=0.770 ms
64 bytes from 11.0.20.4: icmp_seq=5 ttl=63 time=0.785 ms

--- 11.0.20.4 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4062ms
rtt min/avg/max/mdev = 0.515/0.795/1.064/0.175 ms
root@H1:~#
root@H2:~# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 14 packets, 2144 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 10 packets, 840 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 592 bytes)
 pkts bytes target     prot opt in     out     source               destination
root@H2:~# iptables-save -t filter
# Generated by iptables-save v1.8.7 on Sat Mar 15 02:35:07 2025
*filter
:INPUT ACCEPT [25:3064]
:FORWARD ACCEPT [10:840]
:OUTPUT ACCEPT [11:2024]
COMMIT
# Completed on Sat Mar 15 02:35:07 2025
root@H2:~#
4. Analysis
H1 sent 5 packets (ICMP echo requests) and received 5 (ICMP echo replies), 10 packets in total. Since the FORWARD chain has no rules, all of them hit the default policy (policy ACCEPT).
The FORWARD chain entry in the iptables-save *filter output agrees with the listing above.
V. Add a rule
1. Add a rule
iptables -t filter -A FORWARD -s 10.0.20.4 -d 11.0.20.4 -j ACCEPT
2. Zero H2's filter table counters
root@H2:~# iptables -t filter -A FORWARD -s 10.0.20.4 -d 11.0.20.4 -j ACCEPT
root@H2:~# iptables -t filter -Z
root@H2:~# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 48 packets, 4224 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       10.0.20.4            11.0.20.4

Chain OUTPUT (policy ACCEPT 25 packets, 3432 bytes)
 pkts bytes target     prot opt in     out     source               destination
root@H2:~#
3. After H1 pings, check the iptables counters on H2
root@H1:~# ping -c 5 11.0.20.4
PING 11.0.20.4 (11.0.20.4) 56(84) bytes of data.
64 bytes from 11.0.20.4: icmp_seq=1 ttl=63 time=0.870 ms
64 bytes from 11.0.20.4: icmp_seq=2 ttl=63 time=0.805 ms
64 bytes from 11.0.20.4: icmp_seq=3 ttl=63 time=0.588 ms
64 bytes from 11.0.20.4: icmp_seq=4 ttl=63 time=0.824 ms
64 bytes from 11.0.20.4: icmp_seq=5 ttl=63 time=0.846 ms

--- 11.0.20.4 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4059ms
rtt min/avg/max/mdev = 0.588/0.786/0.870/0.101 ms
root@H1:~#
root@H2:~# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 77 packets, 8078 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 5 packets, 420 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   420 ACCEPT     all  --  *      *       10.0.20.4            11.0.20.4

Chain OUTPUT (policy ACCEPT 39 packets, 6296 bytes)
 pkts bytes target     prot opt in     out     source               destination
root@H2:~# iptables-save -t filter
# Generated by iptables-save v1.8.7 on Sat Mar 15 02:39:34 2025
*filter
:INPUT ACCEPT [125:12302]
:FORWARD ACCEPT [5:420]
:OUTPUT ACCEPT [66:10496]
-A FORWARD -s 10.0.20.4/32 -d 11.0.20.4/32 -j ACCEPT
COMMIT
# Completed on Sat Mar 15 02:39:34 2025
root@H2:~#
4. Analysis
The 5 ICMP echo requests matched the added rule; the 5 ICMP echo replies matched the default policy.
iptables-save shows FORWARD [5:420]: the 5 ICMP echo replies that hit the default policy, consistent with the listing above.
VI. Add a user-defined chain
1. Create the custom chain
iptables -N my-forward
2. Call the custom chain from a built-in chain
iptables -t filter -A FORWARD -j my-forward
root@H2:~# iptables -N my-forward
root@H2:~# iptables -t filter -A FORWARD -j my-forward
3. Zero the iptables counters
root@H2:~# iptables -t filter -Z
root@H2:~# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 37 packets, 3304 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       10.0.20.4            11.0.20.4
    0     0 my-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 20 packets, 2784 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
root@H2:~# iptables-save -t filter
# Generated by iptables-save v1.8.7 on Sat Mar 15 06:14:15 2025
*filter
:INPUT ACCEPT [46:4048]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [27:4520]
:my-forward - [0:0]
-A FORWARD -s 10.0.20.4/32 -d 11.0.20.4/32 -j ACCEPT
-A FORWARD -j my-forward
COMMIT
# Completed on Sat Mar 15 06:14:15 2025
root@H2:~#
4. After H1 pings, check the iptables counters on H2
root@H1:~# ping -c 5 11.0.20.4
PING 11.0.20.4 (11.0.20.4) 56(84) bytes of data.
64 bytes from 11.0.20.4: icmp_seq=1 ttl=63 time=1.13 ms
64 bytes from 11.0.20.4: icmp_seq=2 ttl=63 time=0.726 ms
64 bytes from 11.0.20.4: icmp_seq=3 ttl=63 time=1.49 ms
64 bytes from 11.0.20.4: icmp_seq=4 ttl=63 time=0.877 ms
64 bytes from 11.0.20.4: icmp_seq=5 ttl=63 time=0.809 ms

--- 11.0.20.4 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4029ms
rtt min/avg/max/mdev = 0.726/1.006/1.493/0.277 ms
root@H1:~#
root@H2:~# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 63 packets, 5400 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 5 packets, 420 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   420 ACCEPT     all  --  *      *       10.0.20.4            11.0.20.4
    5   420 my-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 43 packets, 8152 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
root@H2:~# iptables-save -t filter
# Generated by iptables-save v1.8.7 on Sat Mar 15 06:15:26 2025
*filter
:INPUT ACCEPT [70:5968]
:FORWARD ACCEPT [5:420]
:OUTPUT ACCEPT [49:9752]
:my-forward - [0:0]
-A FORWARD -s 10.0.20.4/32 -d 11.0.20.4/32 -j ACCEPT
-A FORWARD -j my-forward
COMMIT
# Completed on Sat Mar 15 06:15:26 2025
root@H2:~#
5. Analysis
A user-defined chain has no default policy; if nothing in it matches, the packet returns (RETURN) to the calling chain.
Of H1's ping packets, the 5 ICMP echo requests matched the first FORWARD rule; the 5 ICMP echo replies were sent to the user-defined chain for further matching. Since that chain has no rules, they all returned by default and went on to hit the default policy of the calling chain FORWARD.
The user-defined chain has no default policy, so its counter is [0:0].
VII. Delete a rule
1. Find the number of the rule to delete
iptables -t filter -nvL --line-number
root@H2:~# iptables -t filter -nvL --line-number
Chain INPUT (policy ACCEPT 461 packets, 39945 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 6 packets, 496 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        5   420 ACCEPT     all  --  *      *       10.0.20.4            11.0.20.4
2        6   496 my-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 239 packets, 37261 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain my-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination
root@H2:~#
2. Here we delete the first rule of the FORWARD chain in the filter table
iptables -t filter -D FORWARD 1
root@H2:~# iptables -t filter -D FORWARD 1
root@H2:~# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 593 packets, 51493 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 6 packets, 496 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   496 my-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 306 packets, 47205 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
root@H2:~#
VIII. Add a rule to the user-defined chain
1. Add a rule to the user-defined chain
iptables -t filter -A my-forward -s 10.0.20.4 -d 11.0.20.4 -j ACCEPT
2. Zero H2's filter table counters
root@H2:~# iptables -t filter -A my-forward -s 10.0.20.4 -d 11.0.20.4 -j ACCEPT
root@H2:~# iptables -t filter -Z
root@H2:~# iptables -nvL
Chain INPUT (policy ACCEPT 31 packets, 2776 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 my-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 17 packets, 2344 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       10.0.20.4            11.0.20.4
root@H2:~#
3. After H1 pings, check the iptables counters on H2
root@H1:~# ping -c 5 11.0.20.4
PING 11.0.20.4 (11.0.20.4) 56(84) bytes of data.
64 bytes from 11.0.20.4: icmp_seq=1 ttl=63 time=1.10 ms
64 bytes from 11.0.20.4: icmp_seq=2 ttl=63 time=0.674 ms
64 bytes from 11.0.20.4: icmp_seq=3 ttl=63 time=0.836 ms
64 bytes from 11.0.20.4: icmp_seq=4 ttl=63 time=0.855 ms
64 bytes from 11.0.20.4: icmp_seq=5 ttl=63 time=1.15 ms

--- 11.0.20.4 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4072ms
rtt min/avg/max/mdev = 0.674/0.922/1.149/0.176 ms
root@H1:~#
root@H2:~# iptables -nvL
Chain INPUT (policy ACCEPT 36 packets, 3168 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 5 packets, 420 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   840 my-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 22 packets, 3776 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    5   420 ACCEPT     all  --  *      *       10.0.20.4            11.0.20.4
root@H2:~# iptables-save -t filter
# Generated by iptables-save v1.8.7 on Sat Mar 15 06:50:42 2025
*filter
:INPUT ACCEPT [90:7824]
:FORWARD ACCEPT [5:420]
:OUTPUT ACCEPT [53:8712]
:my-forward - [0:0]
-A FORWARD -j my-forward
-A my-forward -s 10.0.20.4/32 -d 11.0.20.4/32 -j ACCEPT
COMMIT
# Completed on Sat Mar 15 06:50:42 2025
root@H2:~#
4. Analysis
All 10 ICMP packets were handed to the user-defined chain: 5 (the echo requests) matched its rule, 5 (the echo replies) matched nothing, returned to the calling chain FORWARD and hit the default policy there.
iptables-save records 5 packets (the ICMP echo replies) hitting the FORWARD chain's default policy; the user-defined chain my-forward has no default policy, so its counter stays 0.
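The accounting done by hand in the analyses of sections IV to VIII (rule hits, jump into my-forward, packets that RETURN to FORWARD's policy) can be automated from the `iptables -nvL` listing. The script below is an added example, not code from the notes; the embedded listing is re-typed from step 3 of this section, and the helper names (`parse_nvl`, `returned_to_caller`, `accounting`) are this example's own.

```python
"""Account for the packet counters in `iptables -nvL` output.

Added example, not code from the original notes. It parses the verbose
listing the notes read after each ping and answers the question the
analyses keep asking: of the packets that jumped into my-forward, how many
were decided there and how many RETURNed to FORWARD's default policy.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Targets that end traversal of the current chain; LOG and a jump do not.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}

CHAIN_RE = re.compile(
    r"^Chain (\S+) \((?:policy (\S+) (\d+) packets, \d+ bytes|\d+ references)\)$"
)


@dataclass
class Rule:
    pkts: int
    nbytes: int
    target: str
    prot: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str = ""          # e.g. 'PHYSDEV match --physdev-in vnet0'


@dataclass
class Chain:
    name: str
    policy: Optional[str]    # None for a user-defined chain (it has no policy)
    policy_pkts: int = 0     # packets that reached the end of a built-in chain
    rules: list = field(default_factory=list)


def parse_nvl(text: str) -> dict:
    """Parse an `iptables -nvL` listing into {chain name: Chain}."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("pkts bytes target"):
            continue                                   # blank line or column header
        m = CHAIN_RE.match(line)
        if m:
            name, policy, ppkts = m.groups()
            current = Chain(name, policy, int(ppkts) if ppkts else 0)
            chains[name] = current
            continue
        if current is None:
            raise ValueError(f"rule before any chain header: {line}")
        # Columns: pkts bytes target prot opt in out source destination [match info]
        f = line.split(None, 8)
        if len(f) < 9 or not f[0].isdigit():
            raise ValueError(f"unrecognised rule line: {line}")
        dst, _, extra = f[8].partition(" ")
        current.rules.append(
            Rule(int(f[0]), int(f[1]), f[2], f[3], f[5], f[6], f[7], dst, extra.strip()))
    return chains


def returned_to_caller(chains: dict, caller: str, callee: str) -> int:
    """Packets that jumped from `caller` into user chain `callee` and came back
    because no terminating rule in `callee` matched them (assumes `callee`
    does not itself jump into further user chains)."""
    jumped = sum(r.pkts for r in chains[caller].rules if r.target == callee)
    decided = sum(r.pkts for r in chains[callee].rules if r.target in TERMINATING)
    return jumped - decided


def accounting(chains: dict, builtin: str) -> dict:
    """Where did the packets entering a built-in chain end up?"""
    chain = chains[builtin]
    out = {"policy": chain.policy_pkts}
    for r in chain.rules:
        if r.target in chains and chains[r.target].policy is None:   # jump to user chain
            out[r.target] = {"jumped": r.pkts,
                             "returned": returned_to_caller(chains, builtin, r.target)}
        else:
            out.setdefault("rules", []).append((r.target, r.pkts))
    return out


# Sample input: the listing from step 3 of section VIII (after 5 pings from
# 10.0.20.4 to 11.0.20.4), re-typed here with its original columns.
SAMPLE = """\
Chain INPUT (policy ACCEPT 36 packets, 3168 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 5 packets, 420 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   840 my-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 22 packets, 3776 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    5   420 ACCEPT     all  --  *      *       10.0.20.4            11.0.20.4
"""

if __name__ == "__main__":
    print(accounting(parse_nvl(SAMPLE), "FORWARD"))
    # {'policy': 5, 'my-forward': {'jumped': 10, 'returned': 5}}
```

A LOG rule is deliberately not in `TERMINATING`: packets it counts continue down the chain, which is why in section XV the LOG counter and the FORWARD policy counter both read 10.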
IX. Add a NAT rule for the VMs
1. Recommended reference: Ubuntu 22.04 KVM installation notes
2. Check the VM environment on H2
root@H2:~# virsh net-list
 Name      State    Autostart   Persistent
--------------------------------------------
 default   active   yes         yes

root@H2:~# virsh list --all
 Id   Name      State
---------------------------
 -    cirros    shut off
 -    cirros2   shut off

Start the VMs:
root@H2:~# virsh start cirros
Domain 'cirros' started

root@H2:~# virsh start cirros2
Domain 'cirros2' started

root@H2:~#
Open a new terminal and log in to the VM cirros:
root@H2:~# virsh console cirros
Connected to domain 'cirros'
Escape character is ^] (Ctrl + ])

login as 'cirros' user. default password: 'gocubsgo'. use 'sudo' for root.
cirros login: cirros
Password:
$
$
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 52:54:00:ca:11:63 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.168/24 brd 192.168.122.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:feca:1163/64 scope link
       valid_lft forever preferred_lft forever
$ ip route
default via 192.168.122.1 dev eth0
192.168.122.0/24 dev eth0 src 192.168.122.168
Open another terminal and log in to the VM cirros2:
root@H2:~# virsh console cirros2
Connected to domain 'cirros2'
Escape character is ^] (Ctrl + ])

login as 'cirros' user. default password: 'gocubsgo'. use 'sudo' for root.
cirros login: cirros
Password:
Login incorrect
cirros login: cirros
Password:
$
$
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 52:54:00:86:97:5c brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.54/24 brd 192.168.122.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe86:975c/64 scope link
       valid_lft forever preferred_lft forever
$ ip route
default via 192.168.122.1 dev eth0
192.168.122.0/24 dev eth0 src 192.168.122.54
$
3. The VM network topology can be understood as shown below:
4. Add the NAT rule
iptables -t nat -A POSTROUTING -s 192.168.122.0/24 -d 8.8.8.8 -j MASQUERADE
What this command does: for packets sent from the 192.168.122.0/24 subnet with destination address 8.8.8.8, when they pass through the POSTROUTING chain on this host, rewrite the source address to the address of the host's outbound interface (masquerade).
After adding it, the VMs can ping 8.8.8.8.
root@H2:~# iptables -t nat -A POSTROUTING -s 192.168.122.0/24 -d 8.8.8.8 -j MASQUERADE
root@H2:~# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1 packets, 168 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   168 MASQUERADE  all  --  *      *       192.168.122.0/24     8.8.8.8
root@H2:~# iptables-save -t nat
# Generated by iptables-save v1.8.7 on Sat Mar 15 07:48:57 2025
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [1:168]
-A POSTROUTING -s 192.168.122.0/24 -d 8.8.8.8/32 -j MASQUERADE
COMMIT
# Completed on Sat Mar 15 07:48:57 2025
Run ping on the VMs cirros/cirros2:
$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=127 time=30.614 ms
64 bytes from 8.8.8.8: seq=1 ttl=127 time=31.016 ms
64 bytes from 8.8.8.8: seq=2 ttl=127 time=29.203 ms
X. Filter traffic from the VMs to the outside
1. Add a filter rule and zero the counters
iptables -t filter -A my-forward -s 192.168.122.0/24 -i virbr0 -j ACCEPT
- VM traffic passes through the FORWARD chain, which was configured earlier to call my-forward.
- Traffic from the VMs to the outside "enters" through virbr0, so its direction is in on virbr0!!!
root@H2:~# iptables -t filter -A my-forward -s 192.168.122.0/24 -i virbr0 -j ACCEPT
root@H2:~# iptables -t filter -Z
root@H2:~# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 52 packets, 4576 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 my-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 27 packets, 3704 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       10.0.20.4            11.0.20.4
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
root@H2:~#
2. Ping from the VM and check H2's iptables counters
cirros vm:
$ ping -c 5 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=127 time=33.934 ms
64 bytes from 8.8.8.8: seq=1 ttl=127 time=34.741 ms
64 bytes from 8.8.8.8: seq=2 ttl=127 time=33.941 ms
64 bytes from 8.8.8.8: seq=3 ttl=127 time=32.999 ms
64 bytes from 8.8.8.8: seq=4 ttl=127 time=33.051 ms

--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 32.999/33.733/34.741 ms
$
root@H2:~# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 175 packets, 11540 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 5 packets, 420 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   840 my-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 206 packets, 29680 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       10.0.20.4            11.0.20.4
    5   420 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
root@H2:~#
root@H2:~# iptables-save -t filter
# Generated by iptables-save v1.8.7 on Sat Mar 15 08:06:08 2025
*filter
:INPUT ACCEPT [233:16548]
:FORWARD ACCEPT [5:420]
:OUTPUT ACCEPT [238:34880]
:my-forward - [0:0]
-A FORWARD -j my-forward
-A my-forward -s 10.0.20.4/32 -d 11.0.20.4/32 -j ACCEPT
-A my-forward -s 192.168.122.0/24 -i virbr0 -j ACCEPT
COMMIT
# Completed on Sat Mar 15 08:06:08 2025
root@H2:~#
Analysis: the 5 ICMP echo requests sent by the VM matched the second rule of the my-forward chain; the 5 returning ICMP echo replies matched the FORWARD chain's default policy.
XI. Problem 1: iptables cannot filter traffic between VMs on the same host and subnet?
In the VM topology drawn earlier, vm1 and vm2 are on the same host (H2), the same network (KVM net: default) and the same subnet (192.168.122.0/24).
1. Zero the iptables counters:
root@H2:~# iptables -t filter -Z
root@H2:~# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 50 packets, 4366 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 my-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 25 packets, 3432 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       10.0.20.4            11.0.20.4
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
root@H2:~#
2. From vm1 (192.168.122.168) ping vm2 (192.168.122.54), then observe the iptables counters.
$ ping -c 5 192.168.122.54
PING 192.168.122.54 (192.168.122.54): 56 data bytes
64 bytes from 192.168.122.54: seq=0 ttl=64 time=0.796 ms
64 bytes from 192.168.122.54: seq=1 ttl=64 time=1.095 ms
64 bytes from 192.168.122.54: seq=2 ttl=64 time=0.925 ms
64 bytes from 192.168.122.54: seq=3 ttl=64 time=0.618 ms
64 bytes from 192.168.122.54: seq=4 ttl=64 time=0.617 ms

--- 192.168.122.54 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.617/0.810/1.095 ms
$
root@H2:~# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 198 packets, 13392 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 my-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 224 packets, 31616 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       10.0.20.4            11.0.20.4
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
root@H2:~# iptables-save -t filter
# Generated by iptables-save v1.8.7 on Sat Mar 15 09:31:25 2025
*filter
:INPUT ACCEPT [298:21808]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [296:42176]
:my-forward - [0:0]
-A FORWARD -j my-forward
-A my-forward -s 10.0.20.4/32 -d 11.0.20.4/32 -j ACCEPT
-A my-forward -s 192.168.122.0/24 -i virbr0 -j ACCEPT
COMMIT
# Completed on Sat Mar 15 09:31:25 2025
root@H2:~#
As can be seen, a ping between VMs on the same host, same network and same subnet does not enter or leave virbr0 from the host's point of view, so no traffic traverses the FORWARD chain (nor the user-defined chain it calls), and the relevant counters stay at 0.
XII. Solution to problem 1: load the br_netfilter kernel module
1. The VM network topology is shown below:
2. Traffic handling in a bridged network
In a bridged network, a VM's virtual NIC is attached through a bridge port to the host's physical NIC or to a virtual bridge. Traffic between VMs passes through the bridge and does not go through the host's IP stack directly, so by default iptables does not process VM traffic on the bridge.
To have iptables process traffic on the bridge, the bridge's iptables packet filtering has to be enabled, which requires loading the br_netfilter kernel module.
Why is the br_netfilter module needed? On Linux, a bridged network (such as a VM or container network) works at layer 2 (the data link layer) by default, while iptables is a layer 3 (network layer) tool. Without the br_netfilter module, iptables cannot process bridged traffic. After loading br_netfilter, the kernel parameter net.bridge.bridge-nf-call-iptables must also be enabled so that bridged traffic is handed to iptables.
Run the following commands to load and enable br_netfilter:
root@H2:~# modprobe br_netfilter
root@H2:~# lsmod | grep br_netfilter
br_netfilter 32768 0
bridge 311296 1 br_netfilter
root@H2:~#
root@H2:~# sysctl net.bridge.bridge-nf-call-iptables
net.bridge.bridge-nf-call-iptables = 1
root@H2:~#
XIII. Example of the solution to problem 1
1. Load and enable the br_netfilter module as described in section XII.
2. Zero the iptables counters
root@H2:~# iptables -t filter -Z
root@H2:~# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 48 packets, 4224 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 my-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 25 packets, 3432 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       10.0.20.4            11.0.20.4
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
    0     0 ACCEPT     all  --  vnet0  *       192.168.122.0/24     0.0.0.0/0
3. Ping from the VM and check H2's iptables counters
$ ping -c 5 192.168.122.54
PING 192.168.122.54 (192.168.122.54): 56 data bytes
64 bytes from 192.168.122.54: seq=0 ttl=64 time=0.877 ms
64 bytes from 192.168.122.54: seq=1 ttl=64 time=0.737 ms
64 bytes from 192.168.122.54: seq=2 ttl=64 time=0.703 ms
64 bytes from 192.168.122.54: seq=3 ttl=64 time=0.661 ms
64 bytes from 192.168.122.54: seq=4 ttl=64 time=0.721 ms

--- 192.168.122.54 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.661/0.739/0.877 ms
$
root@H2:~# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 163 packets, 10404 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   840 my-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 209 packets, 31464 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       10.0.20.4            11.0.20.4
   10   840 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
    0     0 ACCEPT     all  --  vnet0  *       192.168.122.0/24     0.0.0.0/0
root@H2:~# iptables-save -t filter
# Generated by iptables-save v1.8.7 on Sat Mar 15 10:25:35 2025
*filter
:INPUT ACCEPT [216:15020]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [237:36216]
:my-forward - [0:0]
-A FORWARD -j my-forward
-A my-forward -s 10.0.20.4/32 -d 11.0.20.4/32 -j ACCEPT
-A my-forward -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A my-forward -s 192.168.122.0/24 -i vnet0 -j ACCEPT
COMMIT
# Completed on Sat Mar 15 10:25:35 2025
root@H2:~#
4. Analysis
As can be seen, all 10 packets (5 ICMP echo requests, 5 ICMP echo replies) entered virbr0, were processed by iptables, and then reached the destination VM.
XIV. Problem 2: vnet0 cannot filter VM traffic?
1. Add a rule to the user-defined chain that filters traffic by the vnet0 port:
iptables -t filter -A my-forward -s 192.168.122.0/24 -i vnet0 -j ACCEPT
Delete the virbr0 rule from the user-defined chain, keeping only this rule that filters by vnet0.
2. Zero the iptables counters
root@H2:~# iptables -t filter -A my-forward -s 192.168.122.0/24 -i vnet0 -j ACCEPT
root@H2:~# iptables -t filter -Z
root@H2:~# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 48 packets, 4224 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 my-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 25 packets, 3432 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       10.0.20.4            11.0.20.4
    0     0 ACCEPT     all  --  vnet0  *       192.168.122.0/24     0.0.0.0/0
root@H2:~#
3. Ping from the VM and check H2's iptables counters
vm1:
$ ping -c 5 192.168.122.54
PING 192.168.122.54 (192.168.122.54): 56 data bytes
64 bytes from 192.168.122.54: seq=0 ttl=64 time=0.759 ms
64 bytes from 192.168.122.54: seq=1 ttl=64 time=1.139 ms
64 bytes from 192.168.122.54: seq=2 ttl=64 time=0.794 ms
64 bytes from 192.168.122.54: seq=3 ttl=64 time=0.826 ms
64 bytes from 192.168.122.54: seq=4 ttl=64 time=0.958 ms

--- 192.168.122.54 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.759/0.895/1.139 ms
$
root@H2:~# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 95 packets, 6680 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 10 packets, 840 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   840 my-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 101 packets, 14776 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       10.0.20.4            11.0.20.4
    0     0 ACCEPT     all  --  vnet0  *       192.168.122.0/24     0.0.0.0/0
root@H2:~#
root@H2:~# iptables-save -t filter
# Generated by iptables-save v1.8.7 on Sat Mar 15 11:12:55 2025
*filter
:INPUT ACCEPT [161:12392]
:FORWARD ACCEPT [10:840]
:OUTPUT ACCEPT [139:21656]
:my-forward - [0:0]
-A FORWARD -j my-forward
-A my-forward -s 10.0.20.4/32 -d 11.0.20.4/32 -j ACCEPT
-A my-forward -s 192.168.122.0/24 -i vnet0 -j ACCEPT
COMMIT
# Completed on Sat Mar 15 11:12:55 2025
root@H2:~#
4. Analysis
vm1's NIC is attached to vnet0, yet the vnet0 rule did not match.
XV. Solution to problem 2: use the physdev module
1. Add a LOG rule to show the problem
A LOG rule can be added to the user-defined chain to illustrate this:
iptables -t filter -A my-forward -p icmp -j LOG --log-prefix 'FORWARD_ICMP'
- See the resulting log entries with dmesg | grep FORWARD_ICMP
- Reference: networking - Filter packets with iptables on a tap interface - Server Fault
1. Add the LOG rule
root@H2:~# iptables -t filter -A my-forward -p icmp -j LOG --log-prefix 'FORWARD_ICMP'
2. Zero the iptables counters
root@H2:~# iptables -t filter -Z
root@H2:~# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 48 packets, 4224 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 my-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 25 packets, 3432 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       10.0.20.4            11.0.20.4
    0     0 ACCEPT     all  --  vnet0  *       192.168.122.0/24     0.0.0.0/0
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "FORWARD_ICMP"
3. vm1 initiates a ping: vm1 ping vm2 (192.168.122.54):
$ ping -c 5 192.168.122.54
PING 192.168.122.54 (192.168.122.54): 56 data bytes
64 bytes from 192.168.122.54: seq=0 ttl=64 time=2.406 ms
64 bytes from 192.168.122.54: seq=1 ttl=64 time=0.862 ms
64 bytes from 192.168.122.54: seq=2 ttl=64 time=0.938 ms
64 bytes from 192.168.122.54: seq=3 ttl=64 time=0.776 ms
64 bytes from 192.168.122.54: seq=4 ttl=64 time=0.784 ms

--- 192.168.122.54 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.776/1.153/2.406 ms
$
4. Check H2's iptables counters:
root@H2:~# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 237 packets, 12201 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 10 packets, 840 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   840 my-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 391 packets, 57161 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       10.0.20.4            11.0.20.4
    0     0 ACCEPT     all  --  vnet0  *       192.168.122.0/24     0.0.0.0/0
   10   840 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "FORWARD_ICMP"
5. Check the log records:
root@H2:~# dmesg | grep FORWARD_ICMP
[22928.705709] FORWARD_ICMPIN=virbr0 OUT=virbr0 PHYSIN=vnet0 PHYSOUT=vnet1 MAC=52:54:00:86:97:5c:52:54:00:ca:11:63:08:00 SRC=192.168.122.168 DST=192.168.122.54 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=35075 DF PROTO=ICMP TYPE=8 CODE=0 ID=25601 SEQ=0
[22928.706979] FORWARD_ICMPIN=virbr0 OUT=virbr0 PHYSIN=vnet1 PHYSOUT=vnet0 MAC=52:54:00:ca:11:63:52:54:00:86:97:5c:08:00 SRC=192.168.122.54 DST=192.168.122.168 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=36885 PROTO=ICMP TYPE=0 CODE=0 ID=25601 SEQ=0
[22929.706672] FORWARD_ICMPIN=virbr0 OUT=virbr0 PHYSIN=vnet0 PHYSOUT=vnet1 MAC=52:54:00:86:97:5c:52:54:00:ca:11:63:08:00 SRC=192.168.122.168 DST=192.168.122.54 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=35288 DF PROTO=ICMP TYPE=8 CODE=0 ID=25601 SEQ=1
[22929.707035] FORWARD_ICMPIN=virbr0 OUT=virbr0 PHYSIN=vnet1 PHYSOUT=vnet0 MAC=52:54:00:ca:11:63:52:54:00:86:97:5c:08:00 SRC=192.168.122.54 DST=192.168.122.168 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=37100 PROTO=ICMP TYPE=0 CODE=0 ID=25601 SEQ=1
[22930.708174] FORWARD_ICMPIN=virbr0 OUT=virbr0 PHYSIN=vnet0 PHYSOUT=vnet1 MAC=52:54:00:86:97:5c:52:54:00:ca:11:63:08:00 SRC=192.168.122.168 DST=192.168.122.54 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=35291 DF PROTO=ICMP TYPE=8 CODE=0 ID=25601 SEQ=2
[22930.708434] FORWARD_ICMPIN=virbr0 OUT=virbr0 PHYSIN=vnet1 PHYSOUT=vnet0 MAC=52:54:00:ca:11:63:52:54:00:86:97:5c:08:00 SRC=192.168.122.54 DST=192.168.122.168 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=37333 PROTO=ICMP TYPE=0 CODE=0 ID=25601 SEQ=2
[22931.710258] FORWARD_ICMPIN=virbr0 OUT=virbr0 PHYSIN=vnet0 PHYSOUT=vnet1 MAC=52:54:00:86:97:5c:52:54:00:ca:11:63:08:00 SRC=192.168.122.168 DST=192.168.122.54 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=35453 DF PROTO=ICMP TYPE=8 CODE=0 ID=25601 SEQ=3
[22931.710516] FORWARD_ICMPIN=virbr0 OUT=virbr0 PHYSIN=vnet1 PHYSOUT=vnet0 MAC=52:54:00:ca:11:63:52:54:00:86:97:5c:08:00 SRC=192.168.122.54 DST=192.168.122.168 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=37485 PROTO=ICMP TYPE=0 CODE=0 ID=25601 SEQ=3
[22932.711610] FORWARD_ICMPIN=virbr0 OUT=virbr0 PHYSIN=vnet0 PHYSOUT=vnet1 MAC=52:54:00:86:97:5c:52:54:00:ca:11:63:08:00 SRC=192.168.122.168 DST=192.168.122.54 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=35483 DF PROTO=ICMP TYPE=8 CODE=0 ID=25601 SEQ=4
[22932.711905] FORWARD_ICMPIN=virbr0 OUT=virbr0 PHYSIN=vnet1 PHYSOUT=vnet0 MAC=52:54:00:ca:11:63:52:54:00:86:97:5c:08:00 SRC=192.168.122.54 DST=192.168.122.168 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=37694 PROTO=ICMP TYPE=0 CODE=0 ID=25601 SEQ=4
root@H2:~#
The log shows that in a bridged environment the iptables -i (input interface) and -o (output interface) options may not match the virtual devices (such as vnet0) directly, because while being bridged their traffic is treated as belonging to the bridge interface (such as virbr0): every entry above reads IN=virbr0 OUT=virbr0, and the TAP ports appear only as PHYSIN/PHYSOUT.
2. Solution: use the physdev module
iptables provides a physdev module specifically for matching the virtual devices (such as TAP devices) in a bridged network. With physdev you match on the physical bridge ports (PHYSIN and PHYSOUT) instead of relying on the bridge interface.
XVI. Example of the solution to problem 2
1. Add a rule matching the inbound direction of vnet0
iptables -t filter -A my-forward -s 192.168.122.168/32 -m physdev --physdev-in vnet0 -j ACCEPT
2. Zero the iptables counters
root@H2:~# iptables -t filter -A my-forward -s 192.168.122.168/32 -m physdev --physdev-in vnet0 -j ACCEPT
root@H2:~# iptables -t filter -Z
root@H2:~# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 10 packets, 880 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 my-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 6 packets, 1056 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       10.0.20.4            11.0.20.4
    0     0 ACCEPT     all  --  *      *       192.168.122.168      0.0.0.0/0            PHYSDEV match --physdev-in vnet0
root@H2:~#
3. Ping from the VM and check H2's iptables counters
1) The VM initiates a ping (vm1 (192.168.122.168) ping 192.168.122.54):
$ ping -c 5 192.168.122.54
PING 192.168.122.54 (192.168.122.54): 56 data bytes
64 bytes from 192.168.122.54: seq=0 ttl=64 time=2.865 ms
64 bytes from 192.168.122.54: seq=1 ttl=64 time=0.986 ms
64 bytes from 192.168.122.54: seq=2 ttl=64 time=1.035 ms
64 bytes from 192.168.122.54: seq=3 ttl=64 time=0.793 ms
64 bytes from 192.168.122.54: seq=4 ttl=64 time=1.054 ms

--- 192.168.122.54 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.793/1.346/2.865 ms
$
2) Check the iptables counters
root@H2:~# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 103 packets, 5816 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 5 packets, 420 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   840 my-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 167 packets, 23304 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       10.0.20.4            11.0.20.4
    5   420 ACCEPT     all  --  *      *       192.168.122.168      0.0.0.0/0            PHYSDEV match --physdev-in vnet0
root@H2:~# iptables-save -t filter
# Generated by iptables-save v1.8.7 on Sat Mar 15 14:06:14 2025
*filter
:INPUT ACCEPT [164:10560]
:FORWARD ACCEPT [5:420]
:OUTPUT ACCEPT [217:30904]
:my-forward - [0:0]
-A FORWARD -j my-forward
-A my-forward -s 10.0.20.4/32 -d 11.0.20.4/32 -j ACCEPT
-A my-forward -s 192.168.122.168/32 -m physdev --physdev-in vnet0 -j ACCEPT
COMMIT
# Completed on Sat Mar 15 14:06:14 2025
root@H2:~#
We can see that the 5 ICMP echo requests sent by VM1 matched the vnet0 rule. Note that the "in" direction for vnet0 is the direction of traffic leaving the VM attached to vnet0. The 5 echo replies from vm2 match neither rule and fall through to the FORWARD chain's default policy (its policy counter shows 5 packets, 420 bytes).
17. Filtering only traffic between VMs on the same bridge
1. Add a rule matching virbr0
From the log analysis in section 15, traffic between VMs on the same bridge uses virbr0 as both the inbound and outbound interface.
So a rule whose in and out interfaces are both virbr0 can be added to filter traffic between VMs on the same bridge:
iptables -t filter -A my-forward -i virbr0 -o virbr0 -j ACCEPT
2. Zero the iptables counters
root@H2:~# iptables -t filter -A my-forward -i virbr0 -o virbr0 -j ACCEPT
root@H2:~# iptables -t filter -Z
root@H2:~# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 48 packets, 4224 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 my-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 25 packets, 3432 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       10.0.20.4            11.0.20.4
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
root@H2:~#
3. Ping from the VMs and check the H2 iptables counters
1. Ping between VMs, vm1 pings vm2:
$ ping -c 5 192.168.122.54
PING 192.168.122.54 (192.168.122.54): 56 data bytes
64 bytes from 192.168.122.54: seq=0 ttl=64 time=0.842 ms
64 bytes from 192.168.122.54: seq=1 ttl=64 time=0.905 ms
64 bytes from 192.168.122.54: seq=2 ttl=64 time=0.842 ms
64 bytes from 192.168.122.54: seq=3 ttl=64 time=0.768 ms
64 bytes from 192.168.122.54: seq=4 ttl=64 time=0.706 ms

--- 192.168.122.54 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.706/0.812/0.905 ms
$
2. All of the packets matched the virbr0 rule:
root@H2:~# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 92 packets, 5024 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   840 my-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 147 packets, 20968 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       10.0.20.4            11.0.20.4
   10   840 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
root@H2:~#
Without zeroing the iptables counters, continue with the following:
3. VM1 pings 8.8.8.8
$ ping -c 5 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=127 time=32.545 ms
64 bytes from 8.8.8.8: seq=1 ttl=127 time=32.628 ms
64 bytes from 8.8.8.8: seq=2 ttl=127 time=32.410 ms
64 bytes from 8.8.8.8: seq=3 ttl=127 time=29.664 ms
64 bytes from 8.8.8.8: seq=4 ttl=127 time=32.760 ms

--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 29.664/32.001/32.760 ms
$
4. None of the 10 round-trip ICMP packets matched the virbr0 rule; they hit the default policy instead:
root@H2:~# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 388 packets, 19684 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 10 packets, 840 bytes)
 pkts bytes target     prot opt in     out     source               destination
   20  1680 my-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 646 packets, 91248 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain my-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       10.0.20.4            11.0.20.4
   10   840 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
root@H2:~#
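The reasoning used in both the vnet0 step and the virbr0 step above is the same: compare two `iptables -nvL` snapshots and see whether the packets landed on a rule or fell through to the chain's default policy. The following script automates that comparison; it is an added example written for these notes, not part of the original page, and the two embedded snapshots are copied from the my-forward output above (after vm1 pings vm2, then after vm1 pings 8.8.8.8).

```python
"""Diff two `iptables -nvL` snapshots: which rule, or which chain's default
policy, absorbed the packets sent in between. Added example, not page code."""
import re

# "Chain X (policy ACCEPT N packets, ...)" for built-in chains, "(N references)" for user chains
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy \S+ (\d+) packets|\d+ references)")

def _pkts(s):  # -nvL abbreviates large counters as 12K/3M/1G; `-x` prints exact values
    return int(s[:-1]) * {"K": 10**3, "M": 10**6, "G": 10**9}[s[-1]] if s[-1] in "KMG" else int(s)

def parse_nvl(text):
    """Return {chain: (policy_pkts or None, [(pkts, normalised rule text), ...])}."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            cur = m.group(1)
            chains[cur] = (int(m.group(2)) if m.group(2) else None, [])
        elif cur and line.strip() and not line.lstrip().startswith("pkts"):
            pkts, _bytes, rest = line.split(None, 2)
            chains[cur][1].append((_pkts(pkts), " ".join(rest.split())))
    return chains

def counter_deltas(before, after):
    """List (chain, 'policy' or rule text, packets added) for every counter that grew."""
    old, new = parse_nvl(before), parse_nvl(after)
    out = []
    for chain, (pol, rules) in new.items():
        old_pol, old_rules = old.get(chain, (None, []))
        if pol is not None and old_pol is not None and pol != old_pol:
            out.append((chain, "policy", pol - old_pol))   # packets no rule claimed
        for i, (pkts, text) in enumerate(rules):
            prev = old_rules[i][0] if i < len(old_rules) else 0
            if pkts != prev:
                out.append((chain, text, pkts - prev))
    return out

# Snapshot copied from the notes: after vm1 ping vm2 (virbr0 rule took all 10 packets)
BEFORE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   840 my-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain my-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       10.0.20.4            11.0.20.4
   10   840 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
"""
# After vm1 ping 8.8.8.8: the jump and the FORWARD policy grew by 10, the virbr0 rule did not
AFTER = (BEFORE.replace("policy ACCEPT 0 packets, 0 bytes", "policy ACCEPT 10 packets, 840 bytes")
               .replace("   10   840 my-forward", "   20  1680 my-forward"))
```

Running `counter_deltas(BEFORE, AFTER)` reports +10 on the FORWARD jump to my-forward and +10 on the FORWARD policy, with no my-forward rule changing: the 10 ICMP packets traversed my-forward, matched nothing, and were accepted by the default policy, which is exactly the conclusion drawn in step 4.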