I want to use ssh to connect to a virtual machine hosted on the server 1.2.3.4. The VM's IP is 10.10.10.100.

"nft list ruleset" prints:

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept comment "Accept any localhost traffic"
        ct state invalid drop comment "Drop invalid connections"
        ct state established,related accept comment "Accept traffic originated from us"
        ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept comment "Accept ICMPv6"
        ip protocol icmp icmp type { destination-unreachable, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept comment "Accept ICMP"
        ip protocol igmp accept comment "Accept IGMP"
        tcp dport ssh accept comment "Accept SSH on port 22"
        tcp dport { http, https, 8008, http-alt } accept comment "Accept HTTP (ports 80, 443, 8008, 8080)"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
table ip nat {
    chain input {
        type nat hook input priority 0; policy accept;
        counter packets 3 bytes 180
    }
    chain prerouting {
        type nat hook prerouting priority -101; policy accept;
        counter packets 12 bytes 2122
        dnat to tcp dport map { 10100 : 10.10.10.100 }:tcp dport map { 10100 : ssh }
    }
    chain postrouting {
        type nat hook postrouting priority 0; policy accept;
        snat to ip saddr map { 1.2.3.4 : 10.10.10.100 }
    }
}

"nmap -p 10100 1.2.3.4" says: 10100/tcp filtered itap-ddtp

"ssh 1.2.3.4" works.

On the server, "ssh 10.10.10.100" works.

"sysctl net.ipv4.ip_forward" prints "net.ipv4.ip_forward=1"
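An added example, not part of the original question or answer, showing how the forward hook interacts with the port forward described above. A packet that is DNAT'ed in prerouting is then routed to the VM and therefore traverses the forward chain, not the input chain; a forward chain with policy drop and no accept rules discards it silently, which is exactly what a "filtered" result from nmap looks like from the outside. The fragment below assumes the public address 1.2.3.4 and the VM address 10.10.10.100 from the question and nothing else; the accept rules are deliberately narrow so that only the forwarded SSH connections and their return traffic are let through. The postrouting rule rewrites VM-originated traffic to the public address, which is the usual direction for this kind of setup.

```nft
# Added example (not the original poster's ruleset). Addresses are the
# ones given in the question; no interface names are assumed.
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Return packets of connections that were already allowed
        ct state established,related accept
        # Allow only the port-forwarded SSH connections through to the VM
        ct status dnat ip daddr 10.10.10.100 tcp dport ssh accept
        # Optional: let the VM initiate its own outbound connections
        # (package updates etc.); remove this line to keep the VM isolated
        ip saddr 10.10.10.100 accept
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # Public port 10100 on the host is mapped to port 22 on the VM
        ip daddr 1.2.3.4 tcp dport 10100 dnat to 10.10.10.100:22
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Hide VM-originated traffic behind the host's public address
        ip saddr 10.10.10.100 snat to 1.2.3.4
    }
}
```

Check the syntax without touching the live ruleset with `nft -c -f forward.nft`, load it with `nft -f forward.nft`, and confirm the forward counters move with `nft list chain inet filter forward` while a client connects to port 10100. Note that `nft -f` merges into existing tables of the same name, so chains already defined on the host keep their other rules.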

Best answer

My problem was that virt-manager and nftables are not compatible. virt-manager uses iptables. There may be a workaround. Using virt-manager is more important to me than using nftables.

virt-manager supports firewalld. So I "have" to learn firewalld (: