修改记录:
20071010:发现文档中iptables策略有问题,原先贴出来的策略其实是被修改过的,现在重新贴的是Dom0刚刚启动好以后的iptables策略(FORWARD链默认是DROP的)
-------------------------------------------------------------------------------------------
Xen默认使用bridge
网络环境,只要eth0连接到网络上,并且有dhcp
server,那么
虚拟机就可以拿到ip连到网上,这一点和vmware下的bridge环境是一样的。
问题是我的本本经常使用无线网络(使用Networkmanager),这种情况下虚拟机得不到ip,dom0-N之间就无法连网,很多试验都没法做,所以想把bridge环境改成NAT环境。
1. Dom0里修改/etc/xen/xend-conf.sxp
文件,把原有bridge相关设置注释掉,使用nat设置:
- vi /etc/xen/xend-config.sxp
- (network-script network-nat)
- #(network-script network-bridge)
- #(network-script network-route)
- (vif-script vif-nat)
- #(vif-script vif-bridge)
- #(vif-script vif-route)
2. 虚拟机配置文件/etc/xen/rhel5_1里修改vif一行,指定IP地址,并关闭dhcp:
- vif = [ 'mac=00:16:3e:38:75:47, ip=10.0.0.1' ]
- dhcp="off"
如果希望虚拟机通过dhcp得到ip,那么这个配置文档里写一句“dhcp = "dhcp"”,但是我现在还没有用到dhcp。
同样在虚拟机配置文件/etc/xen/rhel5_2里修改这一行,mac地址也改掉:
- vif = [ 'mac=00:16:3e:38:75:48, ip=10.0.0.2' ]
- dhcp="off"
3. 启动虚拟机rhel5_1和rhel5_2,然后修改各自的配置文件/etc/sysconfig/network-scripts/ifcfg-eth0,设置IP地址,这里写的IP地址和上面虚拟机配置文件里指定的是相同的:
rhel5_1:
- # Xen Virtual Ethernet
- DEVICE=eth0
- HWADDR=00:16:3e:38:75:47
- ONBOOT=yes
- NETMASK=255.255.255.0
- IPADDR=10.0.0.1
- GATEWAY=10.0.0.254
- TYPE=Ethernet
rhel5_2:
- # Xen Virtual Ethernet
- DEVICE=eth0
- HWADDR=00:16:3e:38:75:48
- ONBOOT=yes
- NETMASK=255.255.255.0
- IPADDR=10.0.0.2
- GATEWAY=10.0.0.254
- TYPE=Ethernet
然后在虚拟机里通过/etc/init.d/network restart来重启网络,虚拟机的eth0得到指定的ip。
4. 在Dom0下看ifconfig的结果:
- vif1.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
- inet addr:10.0.0.128 Bcast:0.0.0.0 Mask:255.255.255.255
- inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
- UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
- RX packets:79 errors:0 dropped:0 overruns:0 frame:0
- TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
- collisions:0 txqueuelen:32
- RX bytes:7789 (7.6 KiB) TX bytes:5460 (5.3 KiB)
- vif4.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
- inet addr:10.0.0.129 Bcast:0.0.0.0 Mask:255.255.255.255
- inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
- UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
- RX packets:74 errors:0 dropped:0 overruns:0 frame:0
- TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
- collisions:0 txqueuelen:32
- RX bytes:7092 (6.9 KiB) TX bytes:5552 (5.4 KiB)
在两个虚拟机里修改/etc/resolv.conf文件:
在虚拟机里向外ping域名:
- ping [url][/url]
- PING [url][/url] (218.1.64.33) 56(84) bytes of data.
- 64 bytes from 218.1.64.33: icmp_seq=1 ttl=243 time=2.40 ms
- 64 bytes from 218.1.64.33: icmp_seq=2 ttl=243 time=2.51 ms
需要注意的地方:
1. 虚拟机里设置的网关10.0.0.254其实是不存在的,没有任何地方手工设置了这个ip地址,它也ping不通。
2. 以上实验是在我的本本eth0网卡连接网络的情况下做的,为了验证效果,我把网线拨掉,然后启用无线网卡:
- /etc/init.d/network stop
- /etc/init.d/NetworkManager start
- /etc/init.d/NetworkManagerDispatcher start
NetworkManager自动连接到公司的无线网络,我再从虚拟机里ping域名,发现能够ping通,这证明虚拟NAT网络的连通性与具体的网卡无关。
3. 我没有修改Dom0上任何iptables的设置,以下是Dom0刚启动以后的iptables规则列表(没有做过任何iptables的操作):
- # iptables -L
- Chain INPUT (policy ACCEPT)
- target prot opt source destination
- DROP tcp -- anywhere anywhere tcp dpts:0:1023
- DROP udp -- anywhere anywhere udp dpts:0:1023
- DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
- DROP icmp -- anywhere anywhere icmp echo-request
- Chain FORWARD (policy DROP)
- target prot opt source destination
- Chain OUTPUT (policy ACCEPT)
- target prot opt source destination
- Chain RH-Firewall-1-INPUT (0 references)
- target prot opt source destination
- ACCEPT all -- anywhere anywhere
- ACCEPT icmp -- anywhere anywhere icmp any
- ACCEPT esp -- anywhere anywhere
- ACCEPT ah -- anywhere anywhere
- ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
- ACCEPT udp -- anywhere anywhere udp dpt:ipp
- ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
- ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
- ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
- ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-ns
- ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-dgm
- ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:netbios-ssn
- ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:microsoft-ds
- REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
NAT规则:
- # iptables -L -t nat
- Chain PREROUTING (policy ACCEPT)
- target prot opt source destination
- Chain POSTROUTING (policy ACCEPT)
- target prot opt source destination
- MASQUERADE all -- anywhere anywhere
- Chain OUTPUT (policy ACCEPT)
- target prot opt source destination
由于FORWARD链的默认策略是DROP,造成两个虚拟机之间相互ping不通,我修改了FORWARD链的默认策略,使它接受FORWARD数据包:
- iptables -P FORWARD ACCEPT
再用iptables -L命令看FORWARD链:
- Chain FORWARD (policy ACCEPT)
- target prot opt source destination
或者以追加的形式修改FORWARD链:
- iptables -A FORWARD -j ACCEPT
然后两个虚拟机之间就可以ping通了:
在10.0.0.2上ping 10.0.0.1:
- ping 10.0.0.1
- PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
- 64 bytes from 10.0.0.1: icmp_seq=1 ttl=63 time=905 ms
- 64 bytes from 10.0.0.1: icmp_seq=2 ttl=63 time=0.307 ms
10.0.0.1也可以ping通10.0.0.2。
接下来要解决的问题是:
1. 虚拟机通过dhcp动态得到ip,而不是手工设置。
阅读(714) | 评论(0) | 转发(0) |
