CentOS 7: firewalld port forwarding works from the external network, but not from the same network.

0

I am trying to set up an oVirt test environment.

I have two host servers.

One is the oVirt management server (121.abc.xyz.47). The other is the oVirt node server that holds the virtual machines (121.abc.xyz.48).

Since I only have the two public IPs (121.abc.xyz.47, 121.abc.xyz.48), I tried to use NAT on the oVirt node host.

Unfortunately, oVirt does not support NAT out of the box, so I implemented NAT with firewalld on the oVirt node.

I followed the link and finally got port forwarding to work.

The oVirt node has two NICs:

121.abc.xyz.48 (public), 10.0.0.1 (internal, gateway)

The VM has one NIC:

10.0.0.10 (connected to the oVirt node)

I configured port forwarding:

121.abc.xyz.48 Port 1922 ------ > 10.0.0.10 Port 22

So I can connect to the VM from outside via 121.abc.xyz.48:1922 using ssh.

But the strange thing is that I cannot connect from the oVirt management server (121.abc.xyz.47).

On the oVirt management server (121.abc.xyz.47):

ssh 121.abc.xyz.48 -p 1922 does not work.

I tried nmap to check:

Nmap scan report for 121.abc.xyz.48
Host is up (0.00017s latency).
PORT     STATE    SERVICE
1922/tcp filtered unknown

From another server (e.g. AWS or my laptop):

Nmap scan report for 121.abc.xyz.48
Host is up (0.0027s latency).
PORT     STATE SERVICE
1922/tcp open  unknown

It looks like the firewall is blocking it, but I do not understand why and cannot get it to work.

SSH from the ovirt-manager to the ovirt-node works fine:

ssh [email protected]

Additional information about the oVirt node:

[root@ovirt-node-1 ~]# firewall-cmd --list-all-zone
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


external
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh mdns samba-client dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


internal (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: enp3s0f0.10
  sources:
  services: ssh mdns samba-client dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s0f0 ovirtmgmt
  sources:
  services: dhcpv6-client ssh cockpit libvirt-tls snmp vdsm ovirt-imageio ovirt-vmconsole nfs mountd rpc-bind
  ports: 22/tcp 6081/udp 1922/tcp 1923/tcp 1924/tcp
  protocols:
  masquerade: yes
  forward-ports: port=1923:proto=tcp:toport=22:toaddr=10.0.0.11
    port=1922:proto=tcp:toport=22:toaddr=10.0.0.10
    port=1924:proto=tcp:toport=22:toaddr=10.0.0.12
  source-ports:
  icmp-blocks:
  rich rules:

trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: lo
  sources:
  services:
  ports: 1922/tcp
  protocols:
  masquerade: yes
  forward-ports: port=1922:proto=tcp:toport=22:toaddr=10.0.0.11
  source-ports:
  icmp-blocks:
  rich rules:


work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[root@ovirt-node-1 ~]# firewall-cmd --direct --get-all-rules


ipv4 nat POSTROUTING 0 -o enp3s0f0 -j MASQUERADE
ipv4 filter FORWARD 0 -i enp3s0f0.10 -o enp3s0f0 -j ACCEPT
ipv4 filter FORWARD 0 -i enp3s0f0 -o enp3s0f0.10 -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@ovirt-node-1 ~]# ifconfig

enp3s0f0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 78:e3:b5:0d:ca:64  txqueuelen 1000  (Ethernet)
        RX packets 93885909  bytes 12689805670 (11.8 GiB)
        RX errors 0  dropped 20  overruns 0  frame 0
        TX packets 3514220  bytes 1021465288 (974.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp3s0f0.10: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::7ae3:b5ff:fe0d:ca64  prefixlen 64  scopeid 0x20<link>
        ether 78:e3:b5:0d:ca:64  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 32  bytes 2076 (2.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

genev_sys_6081: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 65470
        inet6 fe80::bc4f:95ff:fe8c:8e8f  prefixlen 64  scopeid 0x20<link>
        ether be:4f:95:8c:8e:8f  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 62  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 33377749  bytes 445898276366 (415.2 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 33377749  bytes 445898276366 (415.2 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

logical-nat: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.1  netmask 255.255.255.0  broadcast 10.0.0.255
        ether 78:e3:b5:0d:ca:64  txqueuelen 1000  (Ethernet)
        RX packets 161938  bytes 10324275 (9.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 164960  bytes 211580742 (201.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ovirtmgmt: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 121.abc.xyz.48  netmask 255.255.255.128  broadcast 121.abc.xyz.127
        inet6 fe80::7ae3:b5ff:fe0d:ca64  prefixlen 64  scopeid 0x20<link>
        ether 78:e3:b5:0d:ca:64  txqueuelen 1000  (Ethernet)
        RX packets 48027782  bytes 7305610328 (6.8 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3208451  bytes 986435526 (940.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether fe:1a:4a:16:01:01  txqueuelen 1000  (Ethernet)
        RX packets 47370  bytes 3764060 (3.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 102295804  bytes 8492211393 (7.9 GiB)
        TX errors 0  dropped 67129 overruns 0  carrier 0  collisions 0

vnet1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether fe:1a:4a:16:01:00  txqueuelen 1000  (Ethernet)
        RX packets 58275  bytes 4985405 (4.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 102423048  bytes 8513010554 (7.9 GiB)
        TX errors 0  dropped 230173 overruns 0  carrier 0  collisions 0

vnet2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::fc1a:4aff:fe16:102  prefixlen 64  scopeid 0x20<link>
        ether fe:1a:4a:16:01:02  txqueuelen 1000  (Ethernet)
        RX packets 81360  bytes 6133571 (5.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 84437  bytes 201542630 (192.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@ovirt-node-1 ~]# brctl show
bridge name bridge id       STP enabled interfaces
;vdsmdummy;     8000.000000000000   no
logical-nat     8000.78e3b50dca64   no      enp3s0f0.10
                            vnet0
                            vnet1
                            vnet2
ovirtmgmt       8000.78e3b50dca64   no      enp3s0f0
    
by tg.um 31.03.2018 / 10:09

0 answers
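As an added example (not code from the question's author or from the oVirt/firewalld projects), the script below parses text in the shape of the `firewall-cmd --list-all-zones` output shown above and reports three things a reviewer of this configuration would want to see before debugging packet paths: interfaces that are bound to no zone and therefore fall under the default zone (the `logical-nat` bridge and the `vnet*` ports are in that situation in the output above), the same external port forwarded to different destinations in different active zones (the output above forwards 1922/tcp to 10.0.0.10 in `public` but to 10.0.0.11 in `trusted`), and which active zones masquerade. The sample zone text is trimmed from the question's output, and the interface list is taken from its ifconfig/brctl output; both are embedded as constructed input so the script runs offline. Field names in the parsed forward-port entries (`port`, `proto`, `toport`, `toaddr`) are the ones firewalld prints; everything else is this example's own naming.

```python
"""Audit firewalld zone listings for port-forwarding hazards (added example)."""
import re
from collections import defaultdict

# Constructed sample: active zones plus one inactive zone, trimmed from the
# `firewall-cmd --list-all-zones` output in the question. The parser assumes
# firewalld's layout: zone name at column 0, keys indented two spaces, and
# continuation values (extra forward-ports) indented further.
ZONE_OUTPUT = """\
public (active)
  target: default
  interfaces: enp3s0f0 ovirtmgmt
  ports: 22/tcp 6081/udp 1922/tcp 1923/tcp 1924/tcp
  masquerade: yes
  forward-ports: port=1923:proto=tcp:toport=22:toaddr=10.0.0.11
    port=1922:proto=tcp:toport=22:toaddr=10.0.0.10
    port=1924:proto=tcp:toport=22:toaddr=10.0.0.12
  rich rules:

trusted (active)
  target: ACCEPT
  interfaces: lo
  ports: 1922/tcp
  masquerade: yes
  forward-ports: port=1922:proto=tcp:toport=22:toaddr=10.0.0.11
  rich rules:

internal (active)
  target: ACCEPT
  interfaces: enp3s0f0.10
  masquerade: no
  forward-ports:

work
  target: default
  interfaces:
  masquerade: no
  forward-ports:
"""

# Interface names taken from the ifconfig / brctl output in the question.
KNOWN_IFACES = ["enp3s0f0", "enp3s0f0.10", "genev_sys_6081", "lo",
                "logical-nat", "ovirtmgmt", "vnet0", "vnet1", "vnet2"]

ZONE_HEADER = re.compile(r"^(\S+)(?:\s+\((active)\))?$")


def parse_zones(text):
    """Return {zone_name: {'name', 'active', <key>: [values...]}}."""
    zones, current, last_key = {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:  # zone header, e.g. "public (active)"
            m = ZONE_HEADER.match(line)
            if not m:
                continue
            current = {"name": m.group(1), "active": m.group(2) == "active"}
            zones[m.group(1)] = current
            last_key = None
        elif indent == 2 and ":" in line and current is not None:
            key, _, value = line.partition(":")
            last_key = key.strip()
            current[last_key] = value.split()
        elif current is not None and last_key:  # deeper indent: continuation value
            current[last_key].append(line)
    return zones


def parse_forward(entry):
    """'port=1922:proto=tcp:toport=22:toaddr=10.0.0.10' -> dict of its fields."""
    return dict(re.findall(r"(\w+)=(.*?)(?=:\w+=|$)", entry))


def unzoned_interfaces(zones, known):
    """Interfaces bound to no zone; firewalld handles them with the default zone."""
    bound = {i for z in zones.values() for i in z.get("interfaces", [])}
    return sorted(i for i in known if i not in bound)


def conflicting_forwards(zones):
    """(port, proto) -> [(zone, 'addr:port'), ...] where active zones disagree on the destination."""
    dests = defaultdict(set)
    for z in zones.values():
        if not z["active"]:
            continue
        for entry in z.get("forward-ports", []):
            fp = parse_forward(entry)
            dest = f"{fp.get('toaddr', '')}:{fp.get('toport', fp['port'])}"
            dests[(fp["port"], fp.get("proto", "tcp"))].add((z["name"], dest))
    return {k: sorted(v) for k, v in dests.items() if len({d for _, d in v}) > 1}


def masquerading_zones(zones):
    """Active zones with masquerade enabled (source NAT on traffic leaving them)."""
    return sorted(z["name"] for z in zones.values()
                  if z["active"] and z.get("masquerade") == ["yes"])


def audit(text, known_ifaces):
    zones = parse_zones(text)
    return {"unzoned_interfaces": unzoned_interfaces(zones, known_ifaces),
            "conflicting_forwards": conflicting_forwards(zones),
            "masquerading_zones": masquerading_zones(zones)}


if __name__ == "__main__":
    for finding, value in audit(ZONE_OUTPUT, KNOWN_IFACES).items():
        print(f"{finding}: {value}")
```

On a real host, pipe `firewall-cmd --list-all-zones` into `parse_zones` and build the interface list from `ip -o link`; unzoned interfaces are then matched against `firewall-cmd --get-default-zone` to see which rules actually apply to the VM-side bridge.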