KVM virtual machine network connectivity problem

2025-12-05 22:15:00
丁国栋
Original · 6
Abstract: This post records a problem where, after a physical server reboot, a virtual machine booted normally and obtained an IP address but still could not reach the LAN the host is on.

After the physical server was rebooted, the virtual machines running on it started normally and obtained correct IP addresses, but they could not reach the LAN the host is on.

The VMs run on KVM and the host runs the libvirtd service. Checking the VMs' network and bridge configuration with virsh turned up nothing abnormal; the VMs' MAC addresses had not changed either.

I checked the host's kernel parameters; ip_forward was already correctly enabled.

It eventually turned out that the firewall was blocking the traffic after all.

The result looked like this:

z@s750:~$ sudo iptables -L FORWARD --line-numbers
Chain FORWARD (policy DROP)
num  target     prot opt source               destination         
1    LIBVIRT_FWX  all  --  anywhere             anywhere            
2    LIBVIRT_FWI  all  --  anywhere             anywhere            
3    LIBVIRT_FWO  all  --  anywhere             anywhere            
4    DOCKER-USER  all  --  anywhere             anywhere            
5    DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
6    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
7    DOCKER     all  --  anywhere             anywhere            
8    ACCEPT     all  --  anywhere             anywhere            
9    ACCEPT     all  --  anywhere             anywhere            
10   ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
11   DOCKER     all  --  anywhere             anywhere            
12   ACCEPT     all  --  anywhere             anywhere            
13   ACCEPT     all  --  anywhere             anywhere            
14   ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
15   DOCKER     all  --  anywhere             anywhere            
16   ACCEPT     all  --  anywhere             anywhere            
17   ACCEPT     all  --  anywhere             anywhere            
z@s750:~$ sudo iptables -I FORWARD 1 -j ACCEPT
z@s750:~$ sudo iptables -L FORWARD --line-numbers
Chain FORWARD (policy DROP)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere            
2    LIBVIRT_FWX  all  --  anywhere             anywhere            
3    LIBVIRT_FWI  all  --  anywhere             anywhere            
4    LIBVIRT_FWO  all  --  anywhere             anywhere            
5    DOCKER-USER  all  --  anywhere             anywhere            
6    DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
7    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
8    DOCKER     all  --  anywhere             anywhere            
9    ACCEPT     all  --  anywhere             anywhere            
10   ACCEPT     all  --  anywhere             anywhere            
11   ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
12   DOCKER     all  --  anywhere             anywhere            
13   ACCEPT     all  --  anywhere             anywhere            
14   ACCEPT     all  --  anywhere             anywhere            
15   ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
16   DOCKER     all  --  anywhere             anywhere            
17   ACCEPT     all  --  anywhere             anywhere            
18   ACCEPT     all  --  anywhere             anywhere            
z@s750:~$ 


This result is still rather puzzling: there are already rules accepting everything from anywhere to anywhere, so why must the new rule be inserted in the first position? The reason is that the FORWARD chain's default policy is DROP and rules are matched in order, which is why the existing rules did not help. Although there are many `ACCEPT all -- anywhere anywhere` rules, they are all placed after a number of specific chains (LIBVIRT_FWX, LIBVIRT_FWI, DOCKER and so on). When a packet enters the FORWARD chain, the rules are checked in order starting from rule 1, and the first matching rule wins: once a rule matches, its action is taken and no further rules are examined. The default policy is the last resort: only if no rule matches is the default DROP policy applied.
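Two things are worth keeping in mind when reading the listing above. First, `iptables -L` without `-v` hides interface and conntrack matches, so the rules that appear as `ACCEPT all -- anywhere anywhere` are typically bound to a specific bridge (Docker installs its FORWARD rules per bridge, `-i docker0` / `-o docker0`); `iptables -L FORWARD -v -n --line-numbers` shows those constraints. Second, frames bridged between a VM and the host's physical NIC only traverse the FORWARD chain when br_netfilter is loaded with `net.bridge.bridge-nf-call-iptables=1`, which is worth checking during the diagnosis. The model below is an added example, not the author's code or rule set: it walks a FORWARD chain with first-match semantics, a DROP policy and user chains, and compares the blanket `-I FORWARD 1 -j ACCEPT` fix with an accept rule scoped to the VM bridge. All rule details, interface names (a VM bridge `br0`, LAN uplink `eno1`, libvirt's `virbr0`, Docker bridges `docker0`, `br-net1`, `br-net2`) and the libvirt chain contents are assumptions.

```python
"""Added example: first-match model of the iptables FORWARD chain shown above.
Constructed rules; interfaces and chain contents are assumptions, not the
author's real configuration (iptables -L without -v hides these details)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
EST = {"RELATED", "ESTABLISHED"}


@dataclass
class Packet:
    in_if: str    # interface the packet arrived on (-i)
    out_if: str   # interface it would leave on (-o)
    ctstate: str  # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass
class Rule:
    target: str                         # ACCEPT/DROP/REJECT, RETURN, or a user chain
    in_if: Optional[str] = None         # -i <if>
    out_if: Optional[str] = None        # -o <if>
    not_out_if: Optional[str] = None    # ! -o <if>
    ctstate: Optional[Set[str]] = None  # -m conntrack --ctstate ...

    def matches(self, pkt: Packet) -> bool:
        if self.in_if and pkt.in_if != self.in_if:
            return False
        if self.out_if and pkt.out_if != self.out_if:
            return False
        if self.not_out_if and pkt.out_if == self.not_out_if:
            return False
        if self.ctstate and pkt.ctstate not in self.ctstate:
            return False
        return True


def walk(chains: Dict[str, List[Rule]], name: str, pkt: Packet) -> Optional[str]:
    """Evaluate chain `name` top to bottom: first terminal verdict wins;
    None means the packet fell off the end of the chain (or hit RETURN)."""
    for rule in chains[name]:
        if not rule.matches(pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = walk(chains, rule.target, pkt)  # jump into a user chain
        if verdict is not None:
            return verdict
        # user chain fell through: continue with the next rule of this chain
    return None


def forward_verdict(chains: Dict[str, List[Rule]], pkt: Packet, policy: str = "DROP") -> str:
    """The chain policy (DROP, as in the listing) applies only when no rule matched."""
    verdict = walk(chains, "FORWARD", pkt)
    return verdict if verdict is not None else policy


def docker_block(bridge: str) -> List[Rule]:
    """Docker's per-bridge FORWARD rules: interface-bound, so they show as
    'ACCEPT all anywhere anywhere' in a listing made without -v."""
    return [
        Rule("ACCEPT", out_if=bridge, ctstate=EST),
        Rule("DOCKER", out_if=bridge),
        Rule("ACCEPT", in_if=bridge, not_out_if=bridge),
        Rule("ACCEPT", in_if=bridge, out_if=bridge),
    ]


def build_chains() -> Dict[str, List[Rule]]:
    """Constructed rule set with the same 17-rule shape as the 'before' listing."""
    return {
        "FORWARD": [
            Rule("LIBVIRT_FWX"), Rule("LIBVIRT_FWI"), Rule("LIBVIRT_FWO"),
            Rule("DOCKER-USER"), Rule("DOCKER-ISOLATION-STAGE-1"),
            *docker_block("docker0"), *docker_block("br-net1"), *docker_block("br-net2"),
        ],
        # libvirt chains modelled on a default NAT network on virbr0 (assumed)
        "LIBVIRT_FWX": [Rule("ACCEPT", in_if="virbr0", out_if="virbr0")],
        "LIBVIRT_FWI": [Rule("ACCEPT", out_if="virbr0", ctstate=EST), Rule("REJECT", out_if="virbr0")],
        "LIBVIRT_FWO": [Rule("ACCEPT", in_if="virbr0"), Rule("REJECT", in_if="virbr0")],
        "DOCKER-USER": [Rule("RETURN")],
        "DOCKER-ISOLATION-STAGE-1": [Rule("RETURN")],
        "DOCKER": [],  # no published container ports in this model
    }


# Constructed traffic: a VM on host bridge br0 reaching the LAN via eno1, and an
# unsolicited LAN connection aimed at a container behind docker0.
VM_TO_LAN = Packet(in_if="br0", out_if="eno1", ctstate="NEW")
LAN_TO_CONTAINER = Packet(in_if="eno1", out_if="docker0", ctstate="NEW")


def before_fix() -> str:
    """No rule is bound to br0, so the VM packet reaches the DROP policy."""
    return forward_verdict(build_chains(), VM_TO_LAN)


def blanket_fix() -> tuple:
    """iptables -I FORWARD 1 -j ACCEPT: fixes the VM but forwards everything else too."""
    chains = build_chains()
    chains["FORWARD"].insert(0, Rule("ACCEPT"))
    return forward_verdict(chains, VM_TO_LAN), forward_verdict(chains, LAN_TO_CONTAINER)


def scoped_fix() -> tuple:
    """iptables -I FORWARD 1 -i br0 -j ACCEPT and -o br0 -j ACCEPT: fixes the VM only."""
    chains = build_chains()
    chains["FORWARD"][0:0] = [Rule("ACCEPT", in_if="br0"), Rule("ACCEPT", out_if="br0")]
    return forward_verdict(chains, VM_TO_LAN), forward_verdict(chains, LAN_TO_CONTAINER)


def order_matters() -> tuple:
    """The same ACCEPT appended (-A) versus inserted first (-I ... 1), for a packet
    that an earlier REJECT in LIBVIRT_FWI already catches: position decides."""
    pkt = Packet(in_if="eno1", out_if="virbr0", ctstate="NEW")
    appended, inserted = build_chains(), build_chains()
    appended["FORWARD"].append(Rule("ACCEPT"))
    inserted["FORWARD"].insert(0, Rule("ACCEPT"))
    return forward_verdict(appended, pkt), forward_verdict(inserted, pkt)


if __name__ == "__main__":
    print("before fix:", before_fix())
    print("blanket ACCEPT (VM, LAN->container):", blanket_fix())
    print("scoped ACCEPT  (VM, LAN->container):", scoped_fix())
    print("appended vs inserted first:", order_matters())
```

Under these assumptions `before_fix()` ends at the DROP policy, the blanket rule accepts both the VM traffic and the unsolicited LAN-to-container packet, while the br0-scoped rules accept only the VM traffic and leave Docker's own filtering in place for everything else. `order_matters()` shows why position 1 is decisive: an ACCEPT appended at the end is never reached for a packet that an earlier REJECT matches. On a real host the scoped rules are also what keep the `-I FORWARD 1 -j ACCEPT` workaround from silently opening forwarding for every other bridge on the machine.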
