centos桥接测试

字数统计: 933阅读时长: 4 min

 2017/07/25 

需求

机器上的虚拟机桥接宿主机的网卡上网，类似于 vmware workstation，宿主机和虚拟机都接网桥上，虚拟机和宿主机同一个网段。

原有配置

centos7

cat ifcfg-eth0

TYPE="Ethernet"
BOOTPROTO="static"
DEFROUTE="yes"
NAME="eth0"
DEVICE="eth0"
ONBOOT="yes"
IPADDR=192.168.2.51
NETMASK=255.255.255.0
GATEWAY=192.168.2.1

开搞

# 加载内核模块
modprobe br_netfilter

modinfo -F filename br_netfilter &>/dev/null && \
    echo br_netfilter > /etc/modules-load.d/br_netfilter.conf

# 安装桥接需要的工具
yum install -y bridge-utils

1 2	# 备份网卡配置文件 cp ifcfg-eth0 bak.ifcfg-eth0

因为要桥接，所以 eth0 会变成一个网线一样。

管理 ip 在网桥上的配置

改完的配置文件

$ cat ifcfg-eth0 
TYPE="Ethernet"
NAME="eth0"
DEVICE="eth0"
ONBOOT="yes"
NM_CONTROLLED=no
BRIDGE=br0

$ cat ifcfg-br0 
TYPE="Bridge"
BOOTPROTO="static"
DEFROUTE="yes"
NAME="br0"
DEVICE="br0"
ONBOOT="yes"
IPADDR=192.168.2.51
NETMASK=255.255.255.0
GATEWAY=192.168.2.1
NM_CONTROLLED=no

这个时候网络就变成了这样：

+----------------------------------------------------+
|                                                    |
|       +------------------------------------+       |
|       |        Newwork Protocol Stack      |       |
|       +------------------------------------+       |
|                          ↑                         |
|..........................|.........................|
|                          ↓                         |
|        +------+     +--------+                     |
|        |      |     | .2.51  |                     |
|        +------+     +--------+                     |
|        | eth0 |<--->|   br0  |                     |
|        +------+     +--------+                     |
|            ↑                                       |
|            |                                       |
|            |                                       |
|            |                                       |
+------------|---------------------------------------+
             ↓
     Physical Network

管理 ip 不在网桥上的配置

这里我们网桥不配置 ip，单独创建一对 veth。

$ ip link add vmg0 type veth peer name vmg1
$ ip a s 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether 1e:3b:2f:5d:1a:4f brd ff:ff:ff:ff:ff:ff
    inet6 fe80::1c3b:2fff:fe5d:1a4f/64 scope link 
       valid_lft forever preferred_lft forever
3: br0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 1e:3b:2f:5d:1a:4f brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.51/24 brd 192.168.2.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::1c3b:2fff:fe5d:1a4f/64 scope link 
       valid_lft forever preferred_lft forever
8: vmg1@vmg0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 7a:37:b5:c3:a2:93 brd ff:ff:ff:ff:ff:ff
9: vmg0@vmg1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 96:22:f4:ec:e7:92 brd ff:ff:ff:ff:ff:ff

$ cat ifcfg-eth0
TYPE="Ethernet"
NAME="eth0"
DEVICE="eth0"
ONBOOT="yes"
BRIDGE=br0

$ ifcfg-br0
TYPE="Bridge"
BOOTPROTO="none"
NAME="br0"
DEVICE="br0"
ONBOOT="yes"

$ cat ifcfg-vmg0
TYPE="Ethernet"
NAME="vmg0"
DEVICE="vmg0"
ONBOOT="yes"
BRIDGE=br0

$ cat ifcfg-vmg1
TYPE="Ethernet"
BOOTPROTO="static"
#DEFROUTE="yes"
NAME="vmg1"
DEVICE="vmg1"
ONBOOT="yes"
IPADDR=192.168.2.51
NETMASK=255.255.255.0
GATEWAY=192.168.2.1

$ systemctl restart network

$  brctl show
bridge name	  bridge id		    STP enabled	  interfaces
br0		      8000.1e3b2f5d1a4f	no		      eth0
                                              vmg0

这个时候网络就变成了这样：

+----------------------------------------------------------------+
|                                                                |
|       +------------------------------------------------+       |
|       |             Newwork Protocol Stack             |       |
|       +------------------------------------------------+       |
|                                                     ↑          |
|.....................................................|..........|
|                                                     ↓          |
|        +------+     +--------+     +-------+    +-------+      |
|        |      |     |        |     |       |    | .2.51 |      |
|        +------+     +--------+     +-------+    +-------+      |
|        | eth0 |<--->|   br0  |<--->| vmg0  |    | vmg1  |      |
|        +------+     +--------+     +-------+    +-------+      |
|            ↑                           ↑            ↑          |
|            |                           |            |          |
|            |                           +------------+          |
|            |                                                   |
+------------|---------------------------------------------------+
             ↓
     Physical Network

如果有 docker 的话，下面三个内核参数应该是开的，目的是让桥出去的包会被 iptables 处理，docker 会添加 iptables 来做 masq nat。如果你是纯桥接用，网上的文章都会建议你把这设置成 0，意味着包出去不被 iptables 过滤。如果开了下面的 bridge-nf-call，建议在 iptables 上放行桥的接口包

$ sysctl -a |& grep bridge-nf-call
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1

# 放行桥的接口的流量，开启转发
iptables -I INPUT -i br0 -j ACCEPT
sysctl -w net.ipv4.ip_forward=1

需要配置成混杂模式的话