Proxmox network configuration

[Unspecified 2010/01/19 18:54 | by suibing ]

Default Configuration (bridged)

The installation program creates a single bridge (vmbr0), which is connected to the first ethernet card (eth0).

auto lo
iface lo inet loopback

auto vmbr0
iface vmbr0 inet static
        address 192.168.10.2
        netmask 255.255.255.0
        gateway 192.168.10.1
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0

Virtual machines behave as if they were directly connected to the physical network.

Routed Configuration

Most hosting providers do not support the above setup. For security reasons, they stop networking as soon as they detect multiple MAC addresses.

A common setup is that you get a public IP (assume 192.168.10.2 for this example) and additional IP blocks for your VMs (10.10.10.1/255.255.255.0). For such situations we recommend the following setup.

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address  192.168.10.2
        netmask  255.255.255.0
        gateway  192.168.10.1
        post-up echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp


auto vmbr0
iface vmbr0 inet static
        address  10.10.10.1
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0


Masquerading

Sometimes you want to use private IPs and masquerade the traffic:

auto vmbr1
iface vmbr1 inet static
        address  10.10.11.1
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '10.10.11.0/24' -o eth0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.11.0/24' -o eth0 -j MASQUERADE

Unsupported Routing

A physical NIC (e.g., eth1) cannot currently be made available exclusively for a particular KVM / Container, i.e., without a bridge and/or bond.

Naming Conventions

    * Ethernet devices: eth0 - eth99
    * Bridge names: vmbr0 - vmbr9
    * Bonds: bond0 - bond9
    * VLANs: Simply add the VLAN number to the ethernet device name, separated by a period. For example "eth0.50"


The above is the configuration from the official website; below is my own configuration.


auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address  192.168.2.202
        netmask  255.255.255.0
        gateway  192.168.2.1
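        # Masquerade outbound traffic from the VM subnet behind the host address
        post-up iptables -t nat -A POSTROUTING -o eth0 -s 10.0.1.0/24   -j MASQUERADE
        # Forward TCP port 4321 on the host to port 3389 on the VM at 10.0.1.2
        post-up iptables -t nat -A PREROUTING -p tcp -d 192.168.2.202 --dport 4321 -i eth0 -j DNAT --to-destination 10.0.1.2:3389
        post-down iptables -t nat -D POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
        # Remove the DNAT rule on ifdown as well, so a later ifup does not add a duplicate
        post-down iptables -t nat -D PREROUTING -p tcp -d 192.168.2.202 --dport 4321 -i eth0 -j DNAT --to-destination 10.0.1.2:3389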

auto vmbr0
iface vmbr0 inet static
        address  10.0.1.1
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0




The reason for removing post-up echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp is that proxy_arp causes some network problems; iptables works better.
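
Added example (not part of the original post or of the Proxmox documentation): a small audit of the iptables hooks in an interfaces file of the kind shown on this page. It reports rules that a post-up hook adds but no post-down hook removes, and DNAT port forwards with no source restriction, which are reachable from every host that can reach eth0. The sample stanza is constructed from this page's addresses, and the function names and finding labels are assumptions of this example.

```python
import shlex

# Constructed sample: an eth0 stanza using this page's addresses, where the
# DNAT rule is installed by post-up but never removed by a post-down hook.
SAMPLE = """\
auto eth0
iface eth0 inet static
        address  192.168.2.202
        post-up iptables -t nat -A POSTROUTING -o eth0 -s 10.0.1.0/24   -j MASQUERADE
        post-up iptables -t nat -A PREROUTING -p tcp -d 192.168.2.202 --dport 4321 -i eth0 -j DNAT --to-destination 10.0.1.2:3389
        post-down iptables -t nat -D POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
"""
UP, DOWN = {"pre-up", "up", "post-up"}, {"pre-down", "down", "post-down"}

def rule_key(tokens):
    """Return (action, spec); spec ignores the order of the match options."""
    action, chain, table, opts, i = None, None, "filter", [], 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok in ("-A", "-D") and nxt:
            action, chain, i = tok, nxt, i + 2
        elif tok == "-t" and nxt:
            table, i = nxt, i + 2
        elif tok.startswith("-") and nxt and not nxt.startswith("-"):
            opts.append((tok, nxt)); i += 2
        else:                      # flag without a value, or a bare token like "!"
            opts.append((tok, "")); i += 1
    return action, (table, chain, frozenset(opts))

def audit(text):
    """List (finding, line) pairs for iptables hooks in an interfaces file."""
    added, removed, findings = {}, set(), []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if len(words) < 3 or words[1] != "iptables":
            continue
        action, spec = rule_key(words[2:])
        if words[0] in UP and action == "-A":
            added[spec] = line.strip()
        elif words[0] in DOWN and action == "-D":
            removed.add(spec)
    for spec, line in added.items():
        opts = dict(spec[2])
        if spec not in removed:    # rule stays loaded after ifdown, stacks on ifup
            findings.append(("no-matching-post-down", line))
        if opts.get("-j") == "DNAT" and not {"-s", "--source"} & opts.keys():
            findings.append(("dnat-without-source-restriction", line))
    return findings

if __name__ == "__main__":
    for finding, line in audit(SAMPLE):
        print(f"{finding}: {line}")
```

Matching is done on the normalised rule, so a post-down line that lists the same options in a different order (as the MASQUERADE pair in the sample does) still counts as the counterpart of its post-up line.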