The problem is that my laptop usually uses a wireless network (via NetworkManager). In that situation the virtual machines can't get an IP address, Dom0 and the DomUs have no network connectivity between them, and many experiments can't be done. So I wanted to change the bridge setup into a NAT setup.
1. In Dom0, edit /etc/xen/xend-config.sxp: comment out the original bridge-related settings and use the NAT settings instead:
vi /etc/xen/xend-config.sxp
(network-script network-nat)
#(network-script network-bridge)
#(network-script network-route)
(vif-script vif-nat)
#(vif-script vif-bridge)
#(vif-script vif-route)
2. In the virtual machine configuration file /etc/xen/rhel5_1, change the vif line to specify the IP address, and turn DHCP off:
vif = [ 'mac=00:16:3e:38:75:47, ip=10.0.0.1' ]
dhcp="off"
If you want the VM to obtain its IP via DHCP, put dhcp = "dhcp" in this configuration file instead; I haven't used DHCP yet.
Make the same change to the vif line in the configuration file /etc/xen/rhel5_2, changing the MAC address as well:
vif = [ 'mac=00:16:3e:38:75:48, ip=10.0.0.2' ]
dhcp="off"
3. Start the VMs rhel5_1 and rhel5_2, then edit each one's /etc/sysconfig/network-scripts/ifcfg-eth0 to set the IP address. The IP written here is the same one specified in the VM configuration file above:
rhel5_1:
# Xen Virtual Ethernet
DEVICE=eth0
HWADDR=00:16:3e:38:75:47
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=10.0.0.1
GATEWAY=10.0.0.254
TYPE=Ethernet
rhel5_2:
# Xen Virtual Ethernet
DEVICE=eth0
HWADDR=00:16:3e:38:75:48
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=10.0.0.2
GATEWAY=10.0.0.254
TYPE=Ethernet
Then restart networking inside the VM with /etc/init.d/network restart; the VM's eth0 comes up with the specified IP.
4. The ifconfig output in Dom0:
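As an added example (not part of the original post), the following POSIX shell script derives a guest's ifcfg-eth0 from the vif = line of its Xen configuration file and checks an existing ifcfg-eth0 against that line, so the MAC and IP written in steps 2 and 3 cannot drift apart. The function names, the scratch directory and the contents of the sample configuration file are assumptions made for this example; the netmask and the gateway 10.0.0.254 are the values used above.

```sh
#!/bin/sh
# Added example: keep a Xen guest's ifcfg-eth0 consistent with its vif= line.
# The sample Xen config below is constructed for the example.

# vif_field XEN_CONFIG KEY -> value of KEY (mac or ip) from the vif = [ '...' ] line
vif_field() {
    sed -n "/^vif/s/.*[ ,']$2=\([^,' ]*\).*/\1/p" "$1"
}

# gen_ifcfg XEN_CONFIG -> prints an ifcfg-eth0 whose HWADDR and IPADDR come
# straight from the guest's vif line (GATEWAY may be overridden via the env)
gen_ifcfg() {
    mac=$(vif_field "$1" mac)
    ip=$(vif_field "$1" ip)
    [ -n "$mac" ] && [ -n "$ip" ] || { echo "no mac/ip in vif line of $1" >&2; return 1; }
    cat <<EOF
# Xen Virtual Ethernet
DEVICE=eth0
HWADDR=$mac
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=$ip
GATEWAY=${GATEWAY:-10.0.0.254}
TYPE=Ethernet
EOF
}

# ifcfg_var IFCFG NAME -> value of the NAME=... line in an ifcfg file
ifcfg_var() {
    sed -n "s/^$2=//p" "$1"
}

# check_ifcfg XEN_CONFIG IFCFG -> exit 0 if HWADDR and IPADDR match the vif line
check_ifcfg() {
    [ "$(ifcfg_var "$2" HWADDR)" = "$(vif_field "$1" mac)" ] &&
    [ "$(ifcfg_var "$2" IPADDR)" = "$(vif_field "$1" ip)" ]
}

# Constructed sample Xen config (the rhel5_1 values from the post) in a scratch dir
WORK=$(mktemp -d)
cat > "$WORK/rhel5_1" <<'EOF'
name = "rhel5_1"
vif = [ 'mac=00:16:3e:38:75:47, ip=10.0.0.1' ]
dhcp="off"
EOF

# Generate the guest's ifcfg-eth0 from that config
gen_ifcfg "$WORK/rhel5_1" > "$WORK/ifcfg-eth0"

# A copy with a mistyped IP, to show the check catching a mismatch
sed 's/^IPADDR=.*/IPADDR=10.0.0.11/' "$WORK/ifcfg-eth0" > "$WORK/ifcfg-eth0.bad"

# Stand-alone demo output
cat "$WORK/ifcfg-eth0"
check_ifcfg "$WORK/rhel5_1" "$WORK/ifcfg-eth0" && echo "ifcfg-eth0 matches vif line"
check_ifcfg "$WORK/rhel5_1" "$WORK/ifcfg-eth0.bad" || echo "ifcfg-eth0.bad does not match vif line"
```

On a real Dom0 you would run gen_ifcfg against /etc/xen/rhel5_1 and copy the output into the guest, or run check_ifcfg against the guest's existing ifcfg-eth0 (for example over a mounted guest filesystem) before starting it.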
vif1.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
inet addr:10.0.0.128 Bcast:0.0.0.0 Mask:255.255.255.255
inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:79 errors:0 dropped:0 overruns:0 frame:0
TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:7789 (7.6 KiB) TX bytes:5460 (5.3 KiB)
vif4.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
inet addr:10.0.0.129 Bcast:0.0.0.0 Mask:255.255.255.255
inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:74 errors:0 dropped:0 overruns:0 frame:0
TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:7092 (6.9 KiB) TX bytes:5552 (5.4 KiB)
Edit /etc/resolv.conf in both VMs:
nameserver 202.96.209.5
Ping an external domain name from inside a VM:
ping www.online.sh.cn
PING www.online.sh.cn (218.1.64.33) 56(84) bytes of data.
64 bytes from 218.1.64.33: icmp_seq=1 ttl=243 time=2.40 ms
64 bytes from 218.1.64.33: icmp_seq=2 ttl=243 time=2.51 ms
Things to note:
1. The gateway 10.0.0.254 configured in the VMs does not actually exist: nothing has been manually assigned this IP address anywhere, and it can't be pinged either.
2. The experiment above was done with my laptop's eth0 wired to the network. To verify the effect, I unplugged the cable and enabled the wireless card:
/etc/init.d/network stop
/etc/init.d/NetworkManager start
/etc/init.d/NetworkManagerDispatcher start
NetworkManager automatically connected to the company wireless network. I then pinged a domain name from inside the VM again and it worked, which shows that the connectivity of the virtual NAT network does not depend on which physical NIC is in use.
3. I did not change any iptables settings on Dom0. Below is the iptables rule list right after Dom0 booted (no iptables operations had been performed):
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpts:0:1023
DROP udp -- anywhere anywhere udp dpts:0:1023
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
DROP icmp -- anywhere anywhere icmp echo-request
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-ns
ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-dgm
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:netbios-ssn
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:microsoft-ds
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
NAT rules:
# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Because the FORWARD chain's default policy is DROP, the two VMs can't ping each other. I changed the FORWARD chain's default policy so that it accepts forwarded packets:
iptables -P FORWARD ACCEPT
Looking at the FORWARD chain again with iptables -L:
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Alternatively, append an accept rule to the FORWARD chain:
iptables -A FORWARD -j ACCEPT
After that the two VMs can ping each other:
On 10.0.0.2, ping 10.0.0.1:
ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=63 time=905 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=63 time=0.307 ms
10.0.0.1 can also ping 10.0.0.2.
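Added example, not from the original post: a POSIX shell script that reads iptables -L style listings and reports the FORWARD chain's policy and whether POSTROUTING carries a MASQUERADE rule, and that prints a narrower set of FORWARD rules limited to the vif+ interfaces and the 10.0.0.0/24 guest subnet. This is an alternative to iptables -P FORWARD ACCEPT, which lets Dom0 forward traffic between any two of its interfaces, not only between the guests and the outside. The sample listings are constructed from the output shown above; the function names, VM_NET and the vif+ interface pattern are assumptions.

```sh
#!/bin/sh
# Added example: inspect Dom0's iptables state for the Xen NAT setup and emit
# FORWARD rules restricted to the guest subnet. Sample listings are constructed.

# Constructed `iptables -L` output, in the shape of the Dom0 listing above
SAMPLE_FILTER='Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpts:0:1023
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination'

# Constructed `iptables -L -t nat` output
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination'

# chain_policy LISTING CHAIN -> prints the default policy of CHAIN (e.g. DROP)
chain_policy() {
    printf '%s\n' "$1" | sed -n "s/^Chain $2 (policy \([A-Z]*\)).*/\1/p"
}

# has_masquerade NAT_LISTING -> exit 0 if POSTROUTING contains a MASQUERADE rule
has_masquerade() {
    printf '%s\n' "$1" | awk '
        /^Chain / { chain = $2 }
        chain == "POSTROUTING" && $1 == "MASQUERADE" { found = 1 }
        END { exit !found }'
}

# Guest subnet and vif interface pattern (assumptions matching the setup above)
VM_NET=${VM_NET:-10.0.0.0/24}
VIF_PATTERN=${VIF_PATTERN:-vif+}

# forward_rules -> prints iptables commands that forward only guest traffic:
# replies to established flows, plus new flows that enter on a vif interface
# with a source inside VM_NET (this covers guest-to-Internet and guest-to-guest).
# Everything else, including a guest sending with a source outside VM_NET,
# falls through to the DROP policy.
forward_rules() {
    cat <<EOF
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $VIF_PATTERN -s $VM_NET -j ACCEPT
EOF
}

# apply_forward_rules -> runs the commands above (needs root on Dom0)
apply_forward_rules() {
    forward_rules | sh -e
}

# report LISTING NAT_LISTING -> two-line summary of the filter and nat listings
report() {
    echo "FORWARD policy: $(chain_policy "$1" FORWARD)"
    if has_masquerade "$2"; then echo "MASQUERADE: present"; else echo "MASQUERADE: missing"; fi
}

# Stand-alone demo on the constructed samples; on a real Dom0 use
#   report "$(iptables -L)" "$(iptables -L -t nat)"
report "$SAMPLE_FILTER" "$SAMPLE_NAT"
forward_rules
```

The rules printed by forward_rules still let the two guests reach each other (the VM-to-VM ping above enters on one vif and has a source inside 10.0.0.0/24), while traffic arriving on the physical NIC is only forwarded as part of an established flow. Run apply_forward_rules as root on Dom0 to install them; the listing check is useful afterwards to confirm that the MASQUERADE rule added by the network-nat script is still in place.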