cloudstack-users-cn mailing list archives

From "linuxbqj@gmail.com" <linux...@gmail.com>
Subject Re: Host firewall causes virtual machines to become unreachable
Date Thu, 15 May 2014 10:35:54 GMT
Are you using basic network mode or advanced network mode?
How many devices?

2014-05-15 9:42 GMT+08:00 谢福平 <754282701@qq.com>:
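> Steps
>  1. The virtual machines are working normally and can be pinged.
>  2. Create a new virtual machine; suppose its host is A.
>  3. The existing virtual machines on host A can no longer be pinged; the newly created virtual machine is fine.
>  4. Turn off the host firewall, and all virtual machines on A can be pinged.
>  5. After a while the firewall on A comes back up automatically, and all virtual machines can still be pinged normally.
>
>  In summary, only when a new virtual machine is created do the existing virtual machines on the new VM's host become unreachable by ping; the newly created virtual machine is fine.
>  The firewall status on the host is as follows: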
>  [root@iad-kvm-1 ~]# service iptables status
> Table: filter
> Chain INPUT (policy ACCEPT)
> num  target     prot opt source               destination
>  Chain FORWARD (policy ACCEPT)
> num  target     prot opt source               destination
> 1    BF-br-guest  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged
> 2    BF-br-guest  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged
> 3    DROP       all  --  0.0.0.0/0            0.0.0.0/0
> 4    DROP       all  --  0.0.0.0/0            0.0.0.0/0
>  Chain OUTPUT (policy ACCEPT)
> num  target     prot opt source               destination
>  Chain BF-br-guest (2 references)
> num  target     prot opt source               destination
> 1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> 2    BF-br-guest-IN  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-in --physdev-is-bridged
> 3    BF-br-guest-OUT  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-out --physdev-is-bridged
> 4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth1 --physdev-is-bridged
>  Chain BF-br-guest-IN (1 references)
> num  target     prot opt source               destination
> 1    i-2-505-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vnet6 --physdev-is-bridged
>  Chain BF-br-guest-OUT (1 references)
> num  target     prot opt source               destination
> 1    i-2-505-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vnet6 --physdev-is-bridged
>  Chain i-2-505-VM (1 references)
> num  target     prot opt source               destination
> 1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:1:65535 state NEW
> 2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:1:65535 state NEW
> 3    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
> 4    DROP       all  --  0.0.0.0/0            0.0.0.0/0
>  Chain i-2-505-VM-eg (1 references)
> num  target     prot opt source               destination
> 1    RETURN     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:1:65535 state NEW
> 2    RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:1:65535 state NEW
> 3    RETURN     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
> 4    DROP       all  --  0.0.0.0/0            0.0.0.0/0
>  Chain i-2-505-def (2 references)
> num  target     prot opt source               destination
> 1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> 2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vnet6 --physdev-is-bridged udp spt:68 dpt:67
> 3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vnet6 --physdev-is-bridged udp spt:67 dpt:68
> 4    RETURN     udp  --  10.5.26.96           0.0.0.0/0           PHYSDEV match --physdev-in vnet6 --physdev-is-bridged udp dpt:53
> 5    i-2-505-VM-eg  all  --  10.5.26.96           0.0.0.0/0           PHYSDEV match --physdev-in vnet6 --physdev-is-bridged
> 6    i-2-505-VM  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vnet6 --physdev-is-bridged



-- 
白清杰 (Born Bai)

北京开源愿景信息技术有限公司

Mail: linuxbqj@gmail.com
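
In the listing quoted above, BF-br-guest-IN and BF-br-guest-OUT jump to a per-VM chain only for vnet6, so new inbound connections bridged to any other guest interface fall through to the DROP rule in FORWARD. The Python check below is an added example, not part of the original thread or of CloudStack's code: it parses such a listing and reports bridge interfaces that have no per-VM jump. The function names and the interface name vnet3 are assumptions made for illustration.

```python
import re

# Excerpt of the quoted listing, with the mail client's wrapped lines re-joined.
LISTING = """\
Chain BF-br-guest (2 references)
num  target     prot opt source               destination
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth1 --physdev-is-bridged
Chain BF-br-guest-IN (1 references)
1    i-2-505-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vnet6 --physdev-is-bridged
Chain BF-br-guest-OUT (1 references)
1    i-2-505-def  all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vnet6 --physdev-is-bridged
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
# rule number, target, then an exact --physdev-in/--physdev-out interface match
RULE_RE = re.compile(r"^\d+\s+(\S+)\s.*--physdev-(?:in|out) (\S+)")

def vif_jumps(listing):
    """Map each BF-*-IN / BF-*-OUT chain to {interface: per-VM target chain}."""
    jumps, chain = {}, None
    for raw in listing.splitlines():
        line = raw.lstrip("> ")  # tolerate mail quoting and indentation
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            if chain.startswith("BF-") and chain.endswith(("-IN", "-OUT")):
                jumps[chain] = {}
            continue
        m = RULE_RE.match(line)
        if m and chain in jumps:
            jumps[chain][m.group(2)] = m.group(1)
    return jumps

def uncovered(listing, attached):
    """Bridge interfaces missing a jump in the -IN or the -OUT chain."""
    jumps = vif_jumps(listing)
    if not jumps:  # no per-bridge chains parsed: nothing is covered
        return sorted(attached)
    missing = set()
    for vifs in jumps.values():
        missing |= set(attached) - set(vifs)
    return sorted(missing)

if __name__ == "__main__":
    # vnet3 is a constructed stand-in for an older VM's interface (assumption).
    print(vif_jumps(LISTING))
    print(uncovered(LISTING, ["vnet3", "vnet6"]))
```

On a host, the `attached` list would come from the interfaces actually enslaved to the guest bridge, compared against the output of `service iptables status`.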
