
Can the 192.168.122.0 subnet that libvirtd creates automatically actually be used for DNAT? Has anyone gotten it working?
2021-06-22 07:06:41
idczone
Most of the material I found online says it works.
In my own experiment, however, the DNAT never connects.
I now suspect the MASQUERADE rules that libvirtd generates automatically are interfering,
because every DNAT to x.x.x.x and to 127.0.0.1 works fine.
The nat table currently looks like this:
# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
PREROUTING_direct all -- anywhere anywhere
PREROUTING_ZONES_SOURCE all -- anywhere anywhere
PREROUTING_ZONES all -- anywhere anywhere

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- anywhere anywhere

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
RETURN all -- 192.168.122.0/24 base-address.mcast.net/24
RETURN all -- 192.168.122.0/24 255.255.255.255
MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24
POSTROUTING_direct all -- anywhere anywhere
POSTROUTING_ZONES_SOURCE all -- anywhere anywhere
POSTROUTING_ZONES all -- anywhere anywhere

Chain OUTPUT_direct (1 references)
target prot opt source destination

Chain POSTROUTING_ZONES (1 references)
target prot opt source destination
POST_public all -- anywhere anywhere [goto]
POST_public all -- anywhere anywhere [goto]
POST_public all -- anywhere anywhere [goto]

Chain POSTROUTING_ZONES_SOURCE (1 references)
target prot opt source destination

Chain POSTROUTING_direct (1 references)
target prot opt source destination
SNAT all -- 192.168.122.0/24 anywhere to:x.x.x.x

Chain POST_public (3 references)
target prot opt source destination
POST_public_log all -- anywhere anywhere
POST_public_deny all -- anywhere anywhere
POST_public_allow all -- anywhere anywhere

Chain POST_public_allow (1 references)
target prot opt source destination

Chain POST_public_deny (1 references)
target prot opt source destination

Chain POST_public_log (1 references)
target prot opt source destination

Chain PREROUTING_ZONES (1 references)
target prot opt source destination
PRE_public all -- anywhere anywhere [goto]
PRE_public all -- anywhere anywhere [goto]
PRE_public all -- anywhere anywhere [goto]

Chain PREROUTING_ZONES_SOURCE (1 references)
target prot opt source destination

Chain PREROUTING_direct (1 references)
target prot opt source destination
DNAT tcp -- anywhere x.x.x.x tcp dpt:9722 to:x.x.x.x:9922
DNAT tcp -- anywhere x.x.x.x tcp dpt:9822 to:192.168.122.100:22
DNAT tcp -- anywhere x.x.x.x tcp dpt:http to:192.168.122.100:80
DNAT tcp -- anywhere x.x.x.x tcp dpt:9622 to:192.168.122.4:22

Chain PRE_public (3 references)
target prot opt source destination
PRE_public_log all -- anywhere anywhere
PRE_public_deny all -- anywhere anywhere
PRE_public_allow all -- anywhere anywhere

Chain PRE_public_allow (1 references)
target prot opt source destination
DNAT tcp -- anywhere anywhere mark match 0x64 to::9922

Chain PRE_public_deny (1 references)
target prot opt source destination

Chain PRE_public_log (1 references)
target prot opt source destination
OK, I finally figured it out.
All that material online is out of date: libvirtd now likes to force-insert its rules, pushing firewalld's rules further down, heh...
Gripe 1: both are flagship Red Hat products; can't these two programs coordinate instead of forcing rules in with -I?
Gripe 2: could virbr0's configuration get a switch, or at least give us a DMZ mode (or maybe there already is one and I just don't know about it)?
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
11 2013 ACCEPT all -- * * 0.0.0.0/0 192.168.122.0/24
8 1981 ACCEPT all -- * * 192.168.122.0/24 0.0.0.0/0
15339 47M ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
21126 1360K ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
56 2924 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
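As an added illustration (not code from the thread), here is a small Python script that walks the FORWARD listing above in rule order, the way the kernel does, and shows why a new DNAT'd connection hits libvirt's REJECT before firewalld's FORWARD_direct chain is ever reached, and how an ACCEPT inserted at position 1 (like the first rule in the listing) changes the verdict. The uplink interface name eth0 and the client address 203.0.113.5 are assumptions; the listing is a constructed copy of libvirt's rules from the post.

```python
import ipaddress
import re
# Constructed sample: libvirt's FORWARD rules from the thread, then the first firewalld
# chain, as the chain looks BEFORE any ACCEPT is inserted ahead of them.
FORWARD_LISTING = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
15339 47M ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
21126 1360K ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
56 2924 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
"""
def rule(target, in_if, out_if, src, dst, ctstate=None):
    return {"target": target, "in": in_if, "out": out_if, "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst), "ctstate": set(ctstate.split(",")) if ctstate else None}
def parse_forward(listing):
    """Parse `iptables -vnL` rows: pkts bytes target prot opt in out src dst [matches]."""
    rules = []
    for line in listing.splitlines()[2:]:  # skip the chain line and the column header
        f = line.split()
        if len(f) < 9:
            continue
        m = re.search(r"ctstate (\S+)", " ".join(f[9:]))
        rules.append(rule(f[2], f[5], f[6], f[7], f[8], m.group(1) if m else None))
    return rules
def first_match(rules, in_if, out_if, src, dst, ctstate="NEW"):
    """(1-based rule number, target) of the first hit; a jump to a user chain such as
    FORWARD_direct is reported as the target rather than followed."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for num, r in enumerate(rules, 1):
        if (r["in"] in ("*", in_if) and r["out"] in ("*", out_if)
                and src in r["src"] and dst in r["dst"]
                and (r["ctstate"] is None or ctstate in r["ctstate"])):
            return num, r["target"]
    return None, "policy"
# A NEW, DNAT'd connection from a client (constructed 203.0.113.5) arriving on the
# uplink (assumed eth0) and bound for the VM at 192.168.122.100 behind virbr0.
PKT = dict(in_if="eth0", out_if="virbr0", src="203.0.113.5", dst="192.168.122.100")
def verdict_before_fix():
    return first_match(parse_forward(FORWARD_LISTING), **PKT)  # -> (4, 'REJECT')
def verdict_after_fix():
    # Same effect as `iptables -I FORWARD 1 -d 192.168.122.0/24 -j ACCEPT` (the first rule
    # in the thread's listing): placed ahead of libvirt's REJECT, it wins for NEW packets.
    rules = [rule("ACCEPT", "*", "*", "0.0.0.0/0", "192.168.122.0/24")] + parse_forward(FORWARD_LISTING)
    return first_match(rules, **PKT)  # -> (1, 'ACCEPT')
```

Reply traffic from the VM (in virbr0, out eth0) is accepted by libvirt's own second rule either way; only the inbound NEW direction depends on where the extra ACCEPT sits relative to the REJECT.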

I just use a plain bridge directly, with iptables turned off.

Yes, you can turn it off; there is an XML file you just delete.
