Я пытаюсь настроить тестовую среду Ovirt
У меня есть два хост-сервера.
Один из них — сервер управления oVirt (121.abc.xyz.47). Другой — узел oVirt, на котором работают виртуальные машины (121.abc.xyz.48).
Так как у меня есть только публичные IP-адреса (121.abc.xyz.47, 121.abc.xyz.48), я попытался использовать NAT на узле oVirt.
К сожалению, oVirt не поддерживает NAT «из коробки». Поэтому я реализовал NAT с помощью firewalld на узле oVirt.
Я руководствовался https://www.mjhall.org/centos7-firewalld-nat-router/ и в итоге смог заставить проброс портов работать.
У узла oVirt две сетевые карты:
121.abc.xyz.48 (публичный адрес), 10.0.0.1 (внутренний шлюз)
У ВМ одна сетевая карта:
10.0.0.10 (подключена к узлу oVirt)
Я настроил проброс портов:
121.abc.xyz.48 Порт 1922 ------> 10.0.0.10 Порт 22
Таким образом, я могу подключиться к ВМ снаружи по ssh через 121.abc.xyz.48:1922.
Но странно то, что я не могу подключиться с сервера управления oVirt (121.abc.xyz.47).
На сервере управления oVirt (121.abc.xyz.47):
ssh 121.abc.xyz.48 -p 1922 не работает.
Я попробовал проверить с помощью nmap:
Nmap scan report for 121.abc.xyz.48
Host is up (0.00017s latency).
PORT STATE SERVICE
1922/tcp filtered unknown
С другого сервера (например, из AWS или с моего ноутбука):
Nmap scan report for 121.abc.xyz.48
Host is up (0.0027s latency).
PORT STATE SERVICE
1922/tcp open unknown
Похоже, что порт блокирует брандмауэр, но я не понимаю, почему, и не могу заставить это работать.
При этом SSH-подключение с ovirt-manager на ovirt-node работает нормально:
ssh user@121.abc.xyz.48
Дополнительная информация об ovirt-node:
[root@ovirt-node-1 ~]# firewall-cmd --list-all-zone
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
internal (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: enp3s0f0.10
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
public (active)
target: default
icmp-block-inversion: no
interfaces: enp3s0f0 ovirtmgmt
sources:
services: dhcpv6-client ssh cockpit libvirt-tls snmp vdsm ovirt-imageio ovirt-vmconsole nfs mountd rpc-bind
ports: 22/tcp 6081/udp 1922/tcp 1923/tcp 1924/tcp
protocols:
masquerade: yes
forward-ports: port=1923:proto=tcp:toport=22:toaddr=10.0.0.11
port=1922:proto=tcp:toport=22:toaddr=10.0.0.10
port=1924:proto=tcp:toport=22:toaddr=10.0.0.12
source-ports:
icmp-blocks:
rich rules:
trusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: lo
sources:
services:
ports: 1922/tcp
protocols:
masquerade: yes
forward-ports: port=1922:proto=tcp:toport=22:toaddr=10.0.0.11
source-ports:
icmp-blocks:
rich rules:
work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@ovirt-node-1 ~]# firewall-cmd --direct --get-all-rules
ipv4 nat POSTROUTING 0 -o enp3s0f0 -j MASQUERADE
ipv4 filter FORWARD 0 -i enp3s0f0.10 -o enp3s0f0 -j ACCEPT
ipv4 filter FORWARD 0 -i enp3s0f0 -o enp3s0f0.10 -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@ovirt-node-1 ~]# ifconfig
enp3s0f0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether 78:e3:b5:0d:ca:64 txqueuelen 1000 (Ethernet)
RX packets 93885909 bytes 12689805670 (11.8 GiB)
RX errors 0 dropped 20 overruns 0 frame 0
TX packets 3514220 bytes 1021465288 (974.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp3s0f0.10: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::7ae3:b5ff:fe0d:ca64 prefixlen 64 scopeid 0x20<link>
ether 78:e3:b5:0d:ca:64 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 32 bytes 2076 (2.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
genev_sys_6081: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 65470
inet6 fe80::bc4f:95ff:fe8c:8e8f prefixlen 64 scopeid 0x20<link>
ether be:4f:95:8c:8e:8f txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 62 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 33377749 bytes 445898276366 (415.2 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 33377749 bytes 445898276366 (415.2 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
logical-nat: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.1 netmask 255.255.255.0 broadcast 10.0.0.255
ether 78:e3:b5:0d:ca:64 txqueuelen 1000 (Ethernet)
RX packets 161938 bytes 10324275 (9.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 164960 bytes 211580742 (201.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ovirtmgmt: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 121.abc.xyz.48 netmask 255.255.255.128 broadcast 121.abc.xyz.127
inet6 fe80::7ae3:b5ff:fe0d:ca64 prefixlen 64 scopeid 0x20<link>
ether 78:e3:b5:0d:ca:64 txqueuelen 1000 (Ethernet)
RX packets 48027782 bytes 7305610328 (6.8 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3208451 bytes 986435526 (940.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether fe:1a:4a:16:01:01 txqueuelen 1000 (Ethernet)
RX packets 47370 bytes 3764060 (3.5 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 102295804 bytes 8492211393 (7.9 GiB)
TX errors 0 dropped 67129 overruns 0 carrier 0 collisions 0
vnet1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether fe:1a:4a:16:01:00 txqueuelen 1000 (Ethernet)
RX packets 58275 bytes 4985405 (4.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 102423048 bytes 8513010554 (7.9 GiB)
TX errors 0 dropped 230173 overruns 0 carrier 0 collisions 0
vnet2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::fc1a:4aff:fe16:102 prefixlen 64 scopeid 0x20<link>
ether fe:1a:4a:16:01:02 txqueuelen 1000 (Ethernet)
RX packets 81360 bytes 6133571 (5.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 84437 bytes 201542630 (192.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@ovirt-node-1 ~]# brctl show
bridge name bridge id STP enabled interfaces
;vdsmdummy; 8000.000000000000 no
logical-nat 8000.78e3b50dca64 no enp3s0f0.10
vnet0
vnet1
vnet2
ovirtmgmt 8000.78e3b50dca64 no enp3s0f0