差分

このページの2つのバージョン間の差分を表示します。

--- linux:commands:network:network_manager_bridge [2023/03/15 06:03] – [☢️古い資料です☢️] ともやん
+++ linux:commands:network:network_manager_bridge [2024/02/04 03:05] (現在) – [トラブルシューティング] ともやん
@@ 行 152: / 行 152: @@
 <WRAP color_command><html><pre>
 <b class=GRN>$</b> <b class=HIY>sudo</b> nmcli connection delete eno1;reboot
+</pre></html></WRAP>
+</WRAP>
+===== トラブルシューティング =====
+Fedora 39 で KVM ゲストから Bridge (br0 など) で外部に通信できない場合😥\\
+[[https://access.redhat.com/documentation/ja-jp/red_hat_enterprise_linux/5/html/virtualization/sect-virtualization-network_configuration-bridged_networking_with_libvirt#doc-wrapper|12.2. libvirt を使用したブリッジネットワーキング Red Hat Enterprise Linux 5 | Red Hat Customer Portal]]\\
+<WRAP color_term>
+<WRAP color_command><html><pre>
+<font color="#FF8700"><b>$</b></font> <font color="#4E9A06">sysctl</font> net.bridge
+</pre></html></WRAP>
+<WRAP color_result><html><pre>
+<b class=DiYE>net.bridge.bridge-nf-call-arptables = 1
+net.bridge.bridge-nf-call-ip6tables = 1
+net.bridge.bridge-nf-call-iptables = 1</b>
+net.bridge.bridge-nf-filter-pppoe-tagged = 0
+net.bridge.bridge-nf-filter-vlan-tagged = 0
+net.bridge.bridge-nf-pass-vlan-input-dev = 0
+</pre></html></WRAP>
+</WRAP>
+iptables を設定して、全てのトラフィックがブリッジを渡って転送されるようにします🤔\\
+<WRAP color_term>
+<WRAP color_command><html><pre>
+<font color="#FF8700"><b>$</b></font> <font color="#4E9A06"><u style="text-decoration-style:single">sudo</u></font> <font color="#4E9A06">firewall-cmd</font> <font color="#75507B">--permanent</font> <font color="#75507B">--direct</font> <font color="#75507B">--add-rule</font> ipv4 filter FORWARD 1 <font color="#75507B">-m</font> physdev <font color="#75507B">--physdev-is-bridged</font> <font color="#75507B">-j</font> ACCEPT
+</pre></html></WRAP>
+<WRAP color_result><html><pre>
+success
+</pre></html></WRAP>
+<WRAP color_command><html><pre>
+<font color="#FF8700"><b>$</b></font> <font color="#4E9A06"><u style="text-decoration-style:single">sudo</u></font> <font color="#4E9A06">firewall-cmd</font> <font color="#75507B">--reload</font>
+</pre></html></WRAP>
+<WRAP color_result><html><pre>
+success
+</pre></html></WRAP>
+</WRAP>
+<WRAP round tip 90%>
+ルールを削除する場合\\
+<WRAP color_term>
+<WRAP color_command><html><pre>
+<font color="#FF8700"><b>$</b></font> <font color="#4E9A06"><u style="text-decoration-style:single">sudo</u></font> <font color="#4E9A06">firewall-cmd</font> <font color="#75507B">--permanent</font> <font color="#75507B">--direct</font> <font color="#75507B">--remove-rule</font> ipv4 filter FORWARD 1 <font color="#75507B">-m</font> physdev <font color="#75507B">--physdev-is-bridged</font> <font color="#75507B">-j</font> ACCEPT
+</pre></html></WRAP>
+<WRAP color_result><html><pre>
+</pre></html></WRAP>
+</WRAP>
+</WRAP>
+設定結果の確認🤔\\
+<WRAP color_term>
+<WRAP color_command><html><pre>
+<font color="#FF8700"><b>$</b></font> <font color="#4E9A06"><u style="text-decoration-style:single">sudo</u></font> <font color="#4E9A06">cat</font> /etc/firewalld/direct.xml
+</pre></html></WRAP>
+<WRAP color_result><html><pre>
+&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;
+<b class=DiYE>&lt;direct&gt;
+  &lt;rule ipv=&quot;ipv4&quot; table=&quot;filter&quot; chain=&quot;FORWARD&quot; priority=&quot;1&quot;&gt;-m physdev --physdev-is-bridged -j ACCEPT&lt;/rule&gt;
+&lt;/direct&gt;</b>
+</pre></html></WRAP>
+</WRAP>
+<WRAP color_term>
+<WRAP color_command><html><pre>
+<font color="#FF8700"><b>$</b></font> <font color="#4E9A06"><u style="text-decoration-style:single">sudo</u></font> <font color="#4E9A06">iptables-save</font>
+</pre></html></WRAP>
+<WRAP color_result_long><html><pre>
+# Generated by iptables-save v1.8.9 (nf_tables) on Sun Feb  4 02:07:04 2024
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:LIBVIRT_PRT - [0:0]
+-A POSTROUTING -j LIBVIRT_PRT
+-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
+COMMIT
+# Completed on Sun Feb  4 02:07:04 2024
+# Generated by iptables-save v1.8.9 (nf_tables) on Sun Feb  4 02:07:04 2024
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:DOCKER - [0:0]
+:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-USER - [0:0]
+:LIBVIRT_FWI - [0:0]
+:LIBVIRT_FWO - [0:0]
+:LIBVIRT_FWX - [0:0]
+:LIBVIRT_INP - [0:0]
+:LIBVIRT_OUT - [0:0]
+-A INPUT -j LIBVIRT_INP
+-A FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A FORWARD -j DOCKER-USER
+-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -o docker0 -j DOCKER
+-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
+-A FORWARD -i docker0 -o docker0 -j ACCEPT
+-A FORWARD -j LIBVIRT_FWX
+-A FORWARD -j LIBVIRT_FWI
+-A FORWARD -j LIBVIRT_FWO
+<b class=DiYE>-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT</b>
+-A OUTPUT -j LIBVIRT_OUT
+-A DOCKER-ISOLATION-STAGE-1 -j RETURN
+-A DOCKER-ISOLATION-STAGE-2 -j RETURN
+-A DOCKER-USER -j RETURN
+-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
+-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
+-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
+-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
+-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
+-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
+-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
+-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
+-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
+-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
+-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
+-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
+COMMIT
+# Completed on Sun Feb  4 02:07:04 2024
+# Generated by iptables-save v1.8.9 (nf_tables) on Sun Feb  4 02:07:04 2024
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:DOCKER - [0:0]
+:LIBVIRT_PRT - [0:0]
+-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
+-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
+-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
+-A POSTROUTING -j LIBVIRT_PRT
+-A DOCKER -i docker0 -j RETURN
+-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
+-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
+-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
+-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
+-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
+COMMIT
+# Completed on Sun Feb  4 02:07:04 2024
+</pre></html></WRAP>
+</WRAP>
+ゲストで疎通確認😎\\
+<WRAP color_term>
+<WRAP color_command><html><pre>
+$ ping google.com
+</pre></html></WRAP>
+<WRAP color_result><html><pre>
+PING google.com (142.251.222.46) 56(84) バイトのデータ
+バイト応答 送信元 nrt13s72-in-f14.1e100.net (142.251.222.46): icmp_seq=1 ttl=55 時間=42.6ミリ秒
+バイト応答 送信元 nrt13s72-in-f14.1e100.net (142.251.222.46): icmp_seq=2 ttl=55 時間=47.8ミリ秒
+バイト応答 送信元 nrt13s72-in-f14.1e100.net (142.251.222.46): icmp_seq=3 ttl=55 時間=74.5ミリ秒
+バイト応答 送信元 nrt13s72-in-f14.1e100.net (142.251.222.46): icmp_seq=4 ttl=55 時間=46.7ミリ秒
+^C
+</pre></html></WRAP>
+</WRAP>
+ちなみに、<html><code>/etc/sysctl.conf</code></html>で設定しても再起動すると反映されない😅\\
+なので Fedora 39 ではブリッジの転送許可を firewall-cmd で設定するしかない😉\\
+<WRAP color_term>
+<WRAP color_command><html><pre>
+<font color="#FF8700"><b>$</b></font> <font color="#4E9A06">cat</font> <u style="text-decoration-style:single">/etc/sysctl.conf</u>
+</pre></html></WRAP>
+<WRAP color_result><html><pre>
+# sysctl settings are defined through files in
+# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
+#
+# Vendors settings live in /usr/lib/sysctl.d/.
+# To override a whole file, create a new file with the same in
+# /etc/sysctl.d/ and put new settings there. To override
+# only specific settings, add a file with a lexically later
+# name in /etc/sysctl.d/ and put new settings there.
+#
+# For more information, see sysctl.conf(5) and sysctl.d(5).
+net.bridge.bridge-nf-call-ip6tables = 0
+net.bridge.bridge-nf-call-iptables = 0
+net.bridge.bridge-nf-call-arptables = 0
+</pre></html></WRAP>
+<WRAP color_command><html><pre>
+<font color="#FF8700"><b>$</b></font> <font color="#4E9A06">ll</font> <u style="text-decoration-style:single">/etc/</u><font color="#999999"><u style="text-decoration-style:single">sysctl.d/</u></font>
+</pre></html></WRAP>
+<WRAP color_result><html><pre>
+合計 4
+lrwxrwxrwx. 1 root root 14  1月 22 09:00 <font color="#06989A"><b>99-sysctl.conf</b></font> -&gt; ../sysctl.conf
+</pre></html></WRAP>
+<WRAP color_command><html><pre>
+<font color="#FF8700"><b>$</b></font> <font color="#4E9A06">sysctl</font> net.bridge
+</pre></html></WRAP>
+<WRAP color_result><html><pre>
+net.bridge.bridge-nf-call-arptables = 1
+net.bridge.bridge-nf-call-ip6tables = 1
+net.bridge.bridge-nf-call-iptables = 1
+net.bridge.bridge-nf-filter-pppoe-tagged = 0
+net.bridge.bridge-nf-filter-vlan-tagged = 0
+net.bridge.bridge-nf-pass-vlan-input-dev = 0
 </pre></html></WRAP>
 </WRAP>
@@ 行 159: / 行 355: @@
 [[http://enakai00.hatenablog.com/entry/20141121/1416551748| nmcliで仮想ブリッジ作成 - めもめも]]\\
 [[https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/sec-Network_Bridging_Using_the_NetworkManager_Command_Line_Tool_nmcli.html| 6.2. USING THE NETWORKMANAGER COMMAND LINE TOOL, NMCLI]]\\
+==== 付録 ====
+[[tw>tomoyan596sp/status/1753832605815087279|Fedora 39にしたらKVMのブリッジ接続で、ゲストOSから外部アクセスできなくなったのは、ブリッジがフィルタリングされているから...🤔 Fedora 38まではフィルタリングの転送許可したことないけど😅]]\\
 ====== ☢️古い資料です (Obsolete)☢️ ======