[label lost to mis-encoding]: CS4.0.2+KVM; [rest of the sentence lost to mis-encoding; the surviving text names A and B]
[Text lost to mis-encoding; the surviving text refers to A and precedes the `iptables -L -v -n` output below:]
[root@32 /]# iptables -L -v -n
Chain INPUT (policy ACCEPT 2024K packets, 970M bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0
udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0
tcp dpt:53
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0
udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0
tcp dpt:67
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
500K 255M BF-cloudbr2 all -- * cloudbr2 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-is-bridged
127 15619 BF-cloudbr2 all -- cloudbr2 * 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-is-bridged
127 15619 DROP all -- * cloudbr2 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- cloudbr2 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * virbr0 0.0.0.0/0
192.168.122.0/24 state RELATED,ESTABLISHED
0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 2063K packets, 1839M bytes)
pkts bytes target prot opt in out source destination
Chain BF-cloudbr2 (2 references)
pkts bytes target prot opt in out source destination
219K 205M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
281K 50M BF-cloudbr2-IN all -- * * 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-is-in --physdev-is-bridged
281K 50M BF-cloudbr2-OUT all -- * * 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-is-out --physdev-is-bridged
9660 759K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out eth2 --physdev-is-bridged
Chain BF-cloudbr2-IN (1 references)
pkts bytes target prot opt in out source destination
304 91814 r-189-VM all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet0 --physdev-is-bridged
0 0 i-2-188-def all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet2 --physdev-is-bridged
25219 2144K i-9-145-def all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet3 --physdev-is-bridged
2225 444K i-8-170-def all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet4 --physdev-is-bridged
89 15736 i-2-151-def all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet5 --physdev-is-bridged
441 50780 i-8-157-def all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet6 --physdev-is-bridged
3688 537K i-4-124-def all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet7 --physdev-is-bridged
3249 211K i-7-158-def all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet8 --physdev-is-bridged
Chain BF-cloudbr2-OUT (1 references)
pkts bytes target prot opt in out source destination
34215 6143K r-189-VM all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet0 --physdev-is-bridged
34001 6158K i-2-188-def all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet2 --physdev-is-bridged
31479 5924K i-9-145-def all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet3 --physdev-is-bridged
33737 6101K i-8-170-def all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet4 --physdev-is-bridged
33955 6138K i-2-151-def all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet5 --physdev-is-bridged
33985 6154K i-8-157-def all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet6 --physdev-is-bridged
33973 6145K i-4-124-def all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet7 --physdev-is-bridged
34283 6203K i-7-158-def all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet8 --physdev-is-bridged
Chain i-2-151-VM (1 references)
pkts bytes target prot opt in out source destination
4749 681K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:1:65535 state NEW
7680 2801K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpts:1:65535 state NEW
32 1944 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 255
21468 2645K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain i-2-151-VM-eg (1 references)
pkts bytes target prot opt in out source destination
89 15736 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain i-2-151-def (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet5 --physdev-is-bridged udp spt:68 dpt:67
26 9441 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet5 --physdev-is-bridged udp spt:67
dpt:68
0 0 RETURN udp -- * * 10.6.32.33 0.0.0.0/0
PHYSDEV match --physdev-in vnet5 --physdev-is-bridged udp dpt:53
89 15736 i-2-151-VM-eg all -- * * 10.6.32.33
0.0.0.0/0 PHYSDEV match --physdev-in vnet5 --physdev-is-bridged
33929 6129K i-2-151-VM all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet5 --physdev-is-bridged
Chain i-2-188-VM (1 references)
pkts bytes target prot opt in out source destination
4788 700K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:1:65535 state NEW
7684 2801K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpts:1:65535 state NEW
29 1764 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 255
21474 2646K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain i-2-188-VM-eg (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain i-2-188-def (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet2 --physdev-is-bridged udp spt:68 dpt:67
26 9441 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet2 --physdev-is-bridged udp spt:67
dpt:68
0 0 RETURN udp -- * * 10.6.32.29 0.0.0.0/0
PHYSDEV match --physdev-in vnet2 --physdev-is-bridged udp dpt:53
0 0 i-2-188-VM-eg all -- * * 10.6.32.29
0.0.0.0/0 PHYSDEV match --physdev-in vnet2 --physdev-is-bridged
33975 6149K i-2-188-VM all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet2 --physdev-is-bridged
Chain i-4-124-VM (1 references)
pkts bytes target prot opt in out source destination
4783 689K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:1:65535 state NEW
7676 2800K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpts:1:65535 state NEW
30 1824 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 255
21460 2645K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain i-4-124-VM-eg (1 references)
pkts bytes target prot opt in out source destination
3662 535K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain i-4-124-def (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet7 --physdev-is-bridged udp spt:68 dpt:67
24 8718 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet7 --physdev-is-bridged udp spt:67
dpt:68
26 1612 RETURN udp -- * * 10.6.32.50 0.0.0.0/0
PHYSDEV match --physdev-in vnet7 --physdev-is-bridged udp dpt:53
3662 535K i-4-124-VM-eg all -- * * 10.6.32.50
0.0.0.0/0 PHYSDEV match --physdev-in vnet7 --physdev-is-bridged
33949 6136K i-4-124-VM all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet7 --physdev-is-bridged
Chain i-7-158-VM (1 references)
pkts bytes target prot opt in out source destination
5000 744K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:1:65535 state NEW
7754 2803K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpts:1:65535 state NEW
30 1824 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 255
21475 2645K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain i-7-158-VM-eg (1 references)
pkts bytes target prot opt in out source destination
2605 169K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain i-7-158-def (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet8 --physdev-is-bridged udp spt:68 dpt:67
24 8718 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet8 --physdev-is-bridged udp spt:67
dpt:68
644 41909 RETURN udp -- * * 10.6.32.32 0.0.0.0/0
PHYSDEV match --physdev-in vnet8 --physdev-is-bridged udp dpt:53
2605 169K i-7-158-VM-eg all -- * * 10.6.32.32
0.0.0.0/0 PHYSDEV match --physdev-in vnet8 --physdev-is-bridged
34259 6194K i-7-158-VM all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet8 --physdev-is-bridged
Chain i-8-157-VM (1 references)
pkts bytes target prot opt in out source destination
4783 697K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:1:65535 state NEW
7680 2801K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpts:1:65535 state NEW
29 1764 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 255
21467 2645K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain i-8-157-VM-eg (1 references)
pkts bytes target prot opt in out source destination
441 50780 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:1:65535 state NEW
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpts:1:65535 state NEW
0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 255
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain i-8-157-def (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet6 --physdev-is-bridged udp spt:68 dpt:67
26 9441 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet6 --physdev-is-bridged udp spt:67
dpt:68
0 0 RETURN udp -- * * 10.6.32.65 0.0.0.0/0
PHYSDEV match --physdev-in vnet6 --physdev-is-bridged udp dpt:53
441 50780 i-8-157-VM-eg all -- * * 10.6.32.65
0.0.0.0/0 PHYSDEV match --physdev-in vnet6 --physdev-is-bridged
33959 6144K i-8-157-VM all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet6 --physdev-is-bridged
Chain i-8-170-VM (1 references)
pkts bytes target prot opt in out source destination
4533 644K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:1:65535 state NEW
7680 2801K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpts:1:65535 state NEW
30 1824 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 255
21468 2645K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain i-8-170-VM-eg (1 references)
pkts bytes target prot opt in out source destination
1960 426K RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:1:65535 state NEW
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpts:1:65535 state NEW
0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 255
72 2880 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain i-8-170-def (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
12 4128 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet4 --physdev-is-bridged udp spt:68 dpt:67
26 9441 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet4 --physdev-is-bridged udp spt:67
dpt:68
181 10588 RETURN udp -- * * 10.6.32.25 0.0.0.0/0
PHYSDEV match --physdev-in vnet4 --physdev-is-bridged udp dpt:53
2032 429K i-8-170-VM-eg all -- * * 10.6.32.25
0.0.0.0/0 PHYSDEV match --physdev-in vnet4 --physdev-is-bridged
33711 6091K i-8-170-VM all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet4 --physdev-is-bridged
Chain i-9-145-VM (1 references)
pkts bytes target prot opt in out source destination
31453 5915K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain i-9-145-VM-eg (1 references)
pkts bytes target prot opt in out source destination
21148 1903K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain i-9-145-def (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet3 --physdev-is-bridged udp spt:68 dpt:67
26 9441 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet3 --physdev-is-bridged udp spt:67
dpt:68
4071 241K RETURN udp -- * * 10.6.32.31 0.0.0.0/0
PHYSDEV match --physdev-in vnet3 --physdev-is-bridged udp dpt:53
21148 1903K i-9-145-VM-eg all -- * * 10.6.32.31
0.0.0.0/0 PHYSDEV match --physdev-in vnet3 --physdev-is-bridged
31453 5915K i-9-145-VM all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-out vnet3 --physdev-is-bridged
Chain r-189-VM (2 references)
pkts bytes target prot opt in out source destination
304 91814 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vnet0 --physdev-is-bridged
34215 6143K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
[root@32 /]#
[Text lost to mis-encoding; the surviving text refers to B and precedes the `service iptables status` output below:]
[root@32 /]# service iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 BF-cloudbr2 all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-is-bridged
2 BF-cloudbr2 all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-is-bridged
3 DROP all -- 0.0.0.0/0 0.0.0.0/0
4 DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain BF-cloudbr2 (2 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
2 BF-cloudbr2-IN all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-is-in --physdev-is-bridged
3 BF-cloudbr2-OUT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-is-out --physdev-is-bridged
4 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match
--physdev-out eth2 --physdev-is-bridged
Chain BF-cloudbr2-IN (1 references)
num target prot opt source destination
1 i-2-217-def all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet6 --physdev-is-bridged
Chain BF-cloudbr2-OUT (1 references)
num target prot opt source destination
1 i-2-217-def all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-out vnet6 --physdev-is-bridged
Chain i-2-217-VM (1 references)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp
dpts:1:65535 state NEW
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
dpts:1:65535 state NEW
3 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
4 DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain i-2-217-VM-eg (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain i-2-217-def (2 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
2 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match
--physdev-in vnet6 --physdev-is-bridged udp spt:68 dpt:67
3 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match
--physdev-out vnet6 --physdev-is-bridged udp spt:67 dpt:68
4 RETURN udp -- 10.6.32.30 0.0.0.0/0 PHYSDEV match
--physdev-in vnet6 --physdev-is-bridged udp dpt:53
5 i-2-217-VM-eg all -- 10.6.32.30 0.0.0.0/0 PHYSDEV
match --physdev-in vnet6 --physdev-is-bridged
6 i-2-217-VM all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-out vnet6 --physdev-is-bridged
[root@32 /]#
[Text lost to mis-encoding; the surviving text mentions B and ping.]
[Closing sentence lost to mis-encoding.]