马上注册,结交更多好友,享用更多功能,让你轻松玩转社区。
您需要 登录 才可以下载或查看,没有账号?开始注册
x
netns 可以创建一个完全隔离的新网络环境,这个环境包括一个独立的网卡空间,路由表,ARP表,ip地址表,iptables等。总之,与网络有关的组件都是独立的。
0 K' b+ L# A1 n3 Q
" P- X' ]+ Q- m# y/ p/ `创建网络空间: # ip netns add ns1/ H; y( j0 r% w' J7 i% ~/ a8 {
查看网络空间: # ip netns list/ _3 C! L- E" O4 a! t; H k
删除网络空间: # ip netns del ns1
9 {2 ]3 m1 S& ?6 V- S/ e# r进入网络空间执行命令: # ip netns exec ns1 `command`6 d9 P; m3 F. g8 X: M' G* g
* H0 y. ]+ `5 A
实例一:
2 @, w) r. p. S6 C7 X* e 用netns连接两个隔离环境中的虚拟机,如图: - p( A0 Y {! N# P% P5 x0 Y) j8 q6 R, c
在虚拟化中有两个虚拟机网络隔离环境需要通信。 系统: centos7.2 x64 安装程序包# yum install bridge-utils libvirt libvirt-client virt-install virt-viewer net-tools -y# brctl addbr br0# brctl addbr br1# ifconfig br0 up# ifconfig br1 up
( ?5 d1 }+ u s& c# q% F取消默认nat网络模式# mv /etc/libvirt/qemu/networks/default.xml /etc/libvirt/qemu/networks/default.xml_bak# systemctl start libvirtd( k' H3 z( v; b( F# Z" ?+ f: c
创建虚拟机并连接至br0# virt-install --name vm1 --ram 512 --vcpus=1 --disk /images/linux/cirros-0.3.5-i386-disk-1.img --network bridge=br0,model=virtio --force --import --nographics --serial=pty --console=pty打开第二个终端创建第二个虚拟机并连接至br1# virt-install --name vm2 --ram 512 --vcpus=1 --disk /images/linux/cirros-0.3.5-i386-disk-2.img --network bridge=br1,model=virtio --force --import --nographics --serial=pty --console=pty# brctl showbridge name bridge id STP enabled interfacesbr0 8000.fe54007e1861 no vnet0br1 8000.fe5400be1885 no vnet1
8 k/ o+ E, ?( A& ]到此,虚拟机已经连接上各自的桥设备了。完成如图:
3 A; ?% D* d. L8 ?$ l创建虚拟网络空间:# ip netns add ns1# ip netns listns1
- Y$ W0 G1 U% y* \! H/ K9 W8 h2 f接下来创建一张虚拟网卡,虚拟网卡分为前半段和后半段,我们将前半段添加到br0中,并将后半段添加到虚拟网络空间中,这样br0桥设备中主机就能够连接到虚拟网络空间中。 # ip link add net-in type veth peer name net-out# ifconfig net-in up# ifconfig net-out up7 P8 i5 U3 n( E+ J; v( y+ X
将net-in虚拟网卡添加到br0中,将net-out虚拟网卡添加到ns1中 # brctl addif br0 net-in查看是否添加成功# brctl show br0bridge name bridge id STP enabled interfacesbr0 8000.46c7e9d2c0fa no net-in vnet0
$ M2 O6 V. B Y6 ~% ~; P- n将net-out添加到ns1中,并重命名为eth0# ip link set dev net-out name eth0 netns ns1
: D* N( @ n$ ?& H4 D6 f% [5 R1 k, G查看是否添加成功# ip netns exec ns1 ifconfig -aeth0: flags=4098<BROADCAST,MULTICAST> mtu 1500 ether a2:07:dc:ba:35:a2 txqueuelen 1000 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0lo: flags=8<LOOPBACK> mtu 65536 loop txqueuelen 0 (Local Loopback) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0# ip netns exec ns1 ifconfig lo up% z; t+ T/ p! ]
现在vm1 --> br0 --> ns1 网络做通了,完成如下图: " z- R" A6 M5 c
同理,和上面操作一样。 # ip link add net1-in type veth peer name net1-out# ifconfig net1-in up# ifconfig net1-out up# brctl addif br1 net1-in# brctl show br1bridge name bridge id STP enabled interfacesbr1 8000.1291a963b290 no net1-in vnet1# ip link set dev net1-out name eth1 netns ns1$ ~5 Q. t/ m7 t' w/ z5 ^
4 F1 J$ }% G7 L5 q* T# ip netns exec ns1 ifconfig -aeth0: flags=4098<BROADCAST,MULTICAST> mtu 1500 ether a2:07:dc:ba:35:a2 txqueuelen 1000 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0eth1: flags=4098<BROADCAST,MULTICAST> mtu 1500 ether 02:d4:3c:7d:3b:2e txqueuelen 1000 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 0 (Local Loopback) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0* ]% Y" y, g/ I
ip地址配置如下:% C9 ^% a9 i7 V% ~! ~0 U5 q" L$ H
2 ?9 H# o: I6 K! @vm1 - eth0 : 192.168.1.2: p$ Q. }! ?, C# P
ns1 - eth0 : 192.168.1.1; k1 ~5 d! v/ T4 g% v4 Y7 h% n
* H+ F6 [, b8 E0 [- Avm2 - eth0 : 172.168.10.2
2 T- ~! H5 Q1 `- Hns1 - eth0 : 172.168.10.1 记住:当宿主机开启了网络转发功能,虚拟网络空间才会开启,在以上场景中,必须开启网络转发功能。 # sysctl -w net.ipv4.ip_forward=1net.ipv4.ip_forward = 1
$ ?) o% E# ~* Z' s
. ~4 P7 P4 m# v" Bvm1 - eth0 网络配置如下: # ifconfig lo up # ifconfig eth0 192.168.1.2/24 up# ifconfig eth0 Link encap:Ethernet HWaddr 52:54:00:7E:18:61 inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0 inet6 addr: fe80::5054:ff:fe7e:1861/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:8 errors:0 dropped:0 overruns:0 frame:0 TX packets:2 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:648 (648.0 B) TX bytes:168 (168.0 B)lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
/ x, I. A5 W# s: d8 Uns1 - eth0 网络配置如下: # ip netns exec ns1 ifconfig lo up# ip netns exec ns1 ifconfig eth0 192.168.1.1/24 up# ip netns exec ns1 ifconfig eth0eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 inet 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255 ether a2:07:dc:ba:35:a2 txqueuelen 1000 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
) b) r& c. {) L, Q) A3 c; w' ^8 D: g
vm2 - eth0 网络配置如下: # ifconfig lo up# ifconfig eth0 172.168.10.2/24 up# ifconfig eth0eth0 Link encap:Ethernet HWaddr 52:54:00:BE:18:85 inet addr:172.168.10.2 Bcast:172.168.255.255 Mask:255.255.0.0 inet6 addr: fe80::5054:ff:febe:1885/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:8 errors:0 dropped:0 overruns:0 frame:0 TX packets:2 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:648 (648.0 B) TX bytes:168 (168.0 B)
) b! `/ g- |- N0 {5 a" P1 s3 h4 e8 Q. \( w( D
ns1 - eth1 网络配置如下: # ip netns exec ns1 ifconfig eth1 172.168.10.1/24 up# ip netns exec ns1 ifconfig eth1eth1: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 inet 172.168.10.1 netmask 255.255.255.0 broadcast 172.168.10.255 ether 02:d4:3c:7d:3b:2e txqueuelen 1000 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
1 O$ p1 J: j7 ?* I
& ]6 A' U1 A6 P% @为虚拟机指定路由: vm1 :# ping 192.168.1.1 -c1PING 192.168.1.1 (192.168.1.1): 56 data bytes64 bytes from 192.168.1.1: seq=0 ttl=64 time=0.811 ms--- 192.168.1.1 ping statistics ---1 packets transmitted, 1 packets received, 0% packet lossround-trip min/avg/max = 0.811/0.811/0.811 ms# ip route add default via 192.168.1.1
/ V3 x+ ?0 Q. d$ U9 }注意:如果ping不通,请检查链路上的网卡状态是否是up状态。 vm2 :# ping 172.168.10.1 -c1PING 172.168.10.1 (172.168.10.1): 56 data bytes64 bytes from 172.168.10.1: seq=0 ttl=64 time=2.385 ms--- 172.168.10.1 ping statistics ---1 packets transmitted, 1 packets received, 0% packet lossround-trip min/avg/max = 2.385/2.385/2.385 ms添加默认路由# ip route add default via 172.168.10.1
& _5 |+ p: ?% U5 V% L) ?% |+ d$ O) X- i. Y- {- g! b, i
接下来,使用ping测试。 vm1 - eth0 : 192.168.1.2 --> ns1 - eth1 : 172.168.10.1# ping 172.168.10.1 -c1PING 172.168.10.1 (172.168.10.1): 56 data bytes64 bytes from 172.168.10.1: seq=0 ttl=64 time=0.426 ms--- 172.168.10.1 ping statistics ---1 packets transmitted, 1 packets received, 0% packet lossround-trip min/avg/max = 0.426/0.426/0.426 ms能够达到ns1 eth1网卡,说明ns1从eth0 - 192.168.10.1 转发到了 172.168.10.1vm1 - eth0 : 192.168.1.2 --> vm2 - eth0 : 172.168.10.2; t! l# I( l% o- r& s/ ~5 C; Y% @
! F* Y- E2 U/ i5 b4 z, [' A
5 I$ A5 W0 P+ K/ ~! D$ T+ z: }" G这样,就完成了在宿主机中,两个虚拟主机隔离模式的通信。 * [* B/ g" E7 ?$ O9 R" x4 V. B* L
5 M& S; y" s" B7 Q4 x: u# P$ l( J实例二:
) U# ]# A9 C3 o. |1 z; G9 c# ?8 N, J' M7 S# ]) @" V
说明:宿主机中两组隔离模型,其中只有一组可以访问公网 接下来,在模式一的基础上进行修改:6 H0 j0 w! P l' E% I" f
9 |1 A& y8 w; u! u$ e # ip netns del ns14 m3 G' _5 ^( V$ e5 {
' n$ d8 e" K+ @
删除虚拟网络空间模式,所有和虚拟网络空间有关的虚拟网卡都会被删除。 现在的模式如下:
! {! }3 v1 N, x" ^8 w) M4 q! zvm1: 192.168.1.2/24$ i. g* t0 r9 a# }/ Z) U3 i. H
vm2: 192.168.1.2/24
) w6 [4 A6 o' U! ins1: 192.168.1.1/240 D' |: i+ L+ {
& ] f; i1 Q5 a6 N5 ^/ G3 c2 K/ a这里故意把vm1和vm2的ip设置为一样,方便我们进行测试。 添加虚拟网络空间# ip netns add ns1# ip link add net-in type veth peer name net-out# ifconfig net-in up# ifconfig net-out up* C) V5 P% `; E1 ?$ z X% Z
添加net-in到br0,添加net-out到虚拟网络空间ns1# brctl addif br0 net-in# ip link set dev net-out name eth0 netns ns1为ns1启动网卡并配置ip地址# ip netns exec ns1 ifconfig lo up# ip netns exec ns1 ifconfig eth0 192.168.1.1 netmask 255.255.255.0 up
3 H/ |1 t3 |5 t1 S: P为vm1配置网关为192.168.1.1( t' H! v4 @, V n2 _! f, ]* X' u
% l% X3 l' d5 L, Z+ H
创建桥设备,并将物理网卡添加到桥设备中,这里建议直接修改物理网卡配置文件 cp -a ifcfg-eno16777736 ifcfg-br-out# vim ifcfg-eno16777736 TYPE=EthernetBOOTPROTO=noneDEFROUTE=yesPEERDNS=yesPEERROUTES=yesIPV4_FAILURE_FATAL=noIPV6INIT=noNAME=eno16777736UUID=100e462e-c0d0-4271-9b5a-1c8e47ff0d03DEVICE=eno16777736ONBOOT=yesBRIDGE=br-out# vim ifcfg-br-out TYPE=BridgeBOOTPROTO=noneDEFROUTE=yesPEERDNS=yesPEERROUTES=yesIPV4_FAILURE_FATAL=noIPV6INIT=noNAME=br-outDEVICE=br-outONBOOT=yesIPADDR=10.0.0.11NETMASK=255.255.255.0GATEWAY=10.0.0.1DNS1=10.0.0.1DNS2=114.114.114.114重启下网络# systemctl restart network物理网卡添加成功# brctl show br-outbridge name bridge id STP enabled interfacesbr-out 8000.000c2923e15d no eno167777369 b z; L. ^) G! s" X- V3 N$ l
+ T" H9 _% `. I! c8 L, L* u现在创建一对网卡,连接ns1和br-out 6 j2 M$ y$ z, _1 K; N
# ip link add net1-in type veth peer name net1-out# ifconfig net1-in up# ifconfig net1-out up# ip link set dev net1-in name eth1 netns ns1# brctl addif br-out net1-out# brctl show br-outbridge name bridge id STP enabled interfacesbr-out 8000.000c2923e15d no eno16777736 net1-out6 L; _- B, u$ X' T: _( n2 j7 f
1 T- j/ j3 f7 ?+ F我真实局域网的ip为10.0.0.0/24+ n0 u; U# S( O' d1 q' Z
6 C! ]" r" }( T因此添加到ns1中的eth1要配置到同网段 # ip netns exec ns1 ifconfig eth1 10.0.0.12 netmask 255.255.255.0 up
* \: z1 h' H8 C' p. h* ]% B; C
1 C' S8 f: a* y- e! z. s9 z能够到达网关了。
- \5 G' A, h6 O; M7 Y5 \: w& A C R( A! ~% R7 U2 y) \
已实现如下:
" b! D2 t2 \7 f# t8 ]1 ~% w在ns1中添加源地址转换 # ip netns exec ns1 iptables -t nat -A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j SNAT --to-source 10.0.0.12# ip netns exec ns1 ip route default via 10.0.0.1
8 y8 h9 {9 _, J. P3 I- [0 w* l0 G" E) ]再次通过vm1 ping 公网ip
3 h2 |, L/ a; M2 Z7 D+ i6 n2 X2 v1 T7 I: T" T
这样就实现了宿主机内部分网络中的主机可以访问公网,部分主机没有访问公网权限。 1 Z/ J9 g" B* e5 R8 l8 g
总之,网络逻辑很重要。
# B/ X5 u/ i7 c! W | 
/4 
窥视卡
雷达卡
发表于 2019-6-21 15:02:52
' {; ~8 ^8 p/ |# j) Z
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
照妖镜
