【原创】kvm虚拟机中无法进行dns域名解析的问题
环境:物理机:CentOS 5.6 x86_64 + KVM
虚拟机:CentOS 5.6 x86_64, Windows 2003 server
问题:
[*]在物理机上可以使用域名访问网网站,在虚拟机中却无法使用域名访问网站,但可以通过ip访问网站。
[*]关闭物理机的防火墙(iptables)后,虚拟机可以使用域名访问网站
分析:
应该是物理机防火墙(iptables)配置的问题
解决:
物理机防火墙对虚拟机的域名解析有影响。
域名解析使用53号端口,因此查看物理机的53号端口:
http://onexin.iyunv.com/source/plugin/onexin_bigdata/file:///C:/Users/Administrator/AppData/Local/Temp/Wiz/30a11dbb-034d-4338-9b1f-bd6bed48b555_0_files/20160461.png
# netstat -ano |grep 53
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 211.98.99.249:5904 61.237.253.2:10455 ESTABLISHED off (0.00/0/0)
tcp 0 0 211.98.99.249:445 61.237.253.2:35742 ESTABLISHED keepalive (3697.76/0/0)
tcp 0 52 211.98.99.249:22 61.237.253.2:41058 ESTABLISHED on (0.41/0/0)
tcp 0 0 211.98.99.249:5904 61.237.253.2:61023 ESTABLISHED off (0.00/0/0)
tcp 0 0 211.98.99.249:5903 61.237.253.2:32072 ESTABLISHED off (0.00/0/0)
tcp 0 0 211.98.99.249:5902 61.237.253.2:16918 ESTABLISHED off (0.00/0/0)
tcp 0 0 211.98.99.249:445 61.237.253.2:34823 ESTABLISHED keepalive (4749.99/0/0)
udp 0 0 192.168.122.1:53 0.0.0.0:* off (0.00/0/0)
udp 0 0 0.0.0.0:5353 0.0.0.0:* off (0.00/0/0)
192.168.122.1上开了53号端口,原来kvm在virbr0上开了域名解析服务。
192.168.122.1是虚拟网桥virbr0的ip
# ifconfig virbr0
virbr0 Link encap:EthernetHWaddr 00:00:00:00:00:00
inet addr:192.168.122.1Bcast:192.168.122.255Mask:255.255.255.0
UP BROADCAST RUNNING MULTICASTMTU:1500Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2086 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b)TX bytes:548897 (536.0 KiB)
解决:
修改物理机iptables配置,把53号端口加入防火墙
# vi /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:RH-Firewall-1-INPUT -
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5902 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
上述修改完成后,使用service iptables restart重启防火墙
页:
[1]