Jail
FreeBSD jail with loopback IP, IPFW and natd - outbound connections from the jail fail
I have a FreeBSD 9.0 server. It has several jails, but they all have the same problem. They cannot initiate connections to the outside world. They talk to each other and to the host just fine.
Relevant rc.conf settings:
firewall_enable="YES"                       # IPFW
firewall_type="/etc/ipfw.rules"             # Rule script for IPFW
natd_enable="YES"                           # NAT for Internet Routing
natd_interface="wan0"                       # NAT Card
natd_flags="-f /etc/natd.conf -dynamic"     # NAT Conf
ifconfig_lo1_name="jail1"
ifconfig_jail1="inet 192.168.1.101/32"
jail_asdf_rootdir="/jails/asdf"
jail_asdf_hostname="asdf.example.net"
jail_asdf_ip="192.168.1.101"
jail_asdf_devfs_enable="YES"
From sysctl.conf:
security.jail.allow_raw_sockets=1
From ipfw.rules:
# XXX
add 00050 divert natd ip4 from any to any via wan0
add 00060 check-state
# Allow me out
add 00135 allow ip from me to any keep-state
add 00136 allow ip6 from me6 to any keep-state
# HTTP
add 11010 allow tcp from any to me http setup keep-state
add 11011 allow tcp from any to me6 http setup keep-state
add 11012 allow tcp from any to me https setup keep-state
add 11013 allow tcp from any to me6 https setup keep-state
.... lots more rules like the above ....
# General Network - ICMP
add 61001 allow icmp from any to any
# XXX last rule is deny everything
From natd.conf:
redirect_port tcp 192.168.1.101:80 80
redirect_port tcp 192.168.1.101:443 443
This works great for incoming connections. I have tested from several computers and can reach the site normally.
When I run jexec 1 csh to get a shell in a jail, I cannot create outgoing connections. The jail's resolv.conf points at the host server, and name resolution works fine. Since ICMP still passes without exception, I can ping from the jail. I can run tcpdump -i wan0 host 1.2.3.4 on the host and watch the traffic. I see the SYN go out, then the SYN ACK come back. Then a few seconds later the same thing again as the jail retries. How do I allow outgoing connections from my jails?
Update:
I believe I understand the problem. An outgoing packet starts through the firewall rules, gets NAT translated, is allowed and is recorded as establishing an outbound connection with the external IP. When the return packet comes back it gets translated, but now it does not match the check-state rule because the packet has the internal IP. Still looking for a solution.
Given that the problem is that address translation always happens before the check-state rule, the solution should be obvious. The address translation needs to be split.
The corrected version of the rules found above is:
add 00050 divert natd ip4 from any to any via wan0 in
add 00060 check-state
# Talking to myself
add 00200 allow ip from me to me keep-state
# HTTP
add 11010 skipto 63000 tcp from any to me http,https setup keep-state
add 11011 skipto 63000 tcp from any to me6 http,https setup keep-state
# General Network - ICMP
add 61001 allow icmp from any to any
# Last rule of "normal" traffic
add 62000 deny ip from any to any
# Only for my outbound and specifically allowed incoming
add 63000 divert natd ip from any to any via wan0 out
add 63001 allow ip from any to any
# XXX last rule is deny everything
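As an added illustration that is not part of the question or the answer, the following Python model of an ipfw dynamic-rule table plus a natd-style rewrite reproduces the mismatch described in the update: with the divert before keep-state, the state is recorded with the wan0 address, so the translated SYN-ACK never matches check-state. The wan0 address 203.0.113.5 is constructed, and the corrected layout assumes the jail's outbound SYN hits a keep-state rule before being diverted at rule 63000.

```python
# Constructed model of ipfw keep-state/check-state plus a natd-style rewrite.
# It is not ipfw; it only reproduces the rule-ordering effect from the thread.
JAIL_IP = "192.168.1.101"   # jail address from the question
WAN_IP = "203.0.113.5"      # assumed address of wan0 (constructed)
REMOTE = "1.2.3.4"          # the host being tcpdump'd in the question


def nat(pkt, direction):
    """natd -dynamic on wan0: rewrite the jail source going out,
    and the wan0 destination coming back in."""
    p = dict(pkt)
    if direction == "out" and p["src"] == JAIL_IP:
        p["src"] = WAN_IP
    elif direction == "in" and p["dst"] == WAN_IP:
        p["dst"] = JAIL_IP
    return p


def flow_key(p):
    return (p["src"], p["sport"], p["dst"], p["dport"])


def reply_key(p):
    """A dynamic rule also matches the reverse direction of the recorded flow."""
    return (p["dst"], p["dport"], p["src"], p["sport"])


def synack_matches_state(divert_out_before_state):
    """Simulate one outbound SYN from the jail and its returning SYN-ACK.
    divert_out_before_state=True  -> original layout (rule 00050 diverts both ways)
    divert_out_before_state=False -> corrected layout (divert ... in at 00050,
                                      divert ... out at 63000 after keep-state)
    Returns True if rule 00060 check-state accepts the SYN-ACK."""
    state = set()
    syn = {"src": JAIL_IP, "sport": 40000, "dst": REMOTE, "dport": 80}
    if divert_out_before_state:
        syn = nat(syn, "out")          # translated before any keep-state rule
    state.add(flow_key(syn))           # the "... keep-state" rule records the flow
    if not divert_out_before_state:
        syn = nat(syn, "out")          # rule 63000 translates after state exists
    # SYN-ACK arrives on wan0 addressed to whatever source address left the box
    synack = {"src": REMOTE, "sport": 80, "dst": syn["src"], "dport": syn["sport"]}
    synack = nat(synack, "in")         # rule 00050 "divert ... in" in both layouts
    return reply_key(synack) in state  # rule 00060 check-state


if __name__ == "__main__":
    print("original layout, SYN-ACK passes check-state:", synack_matches_state(True))
    print("corrected layout, SYN-ACK passes check-state:", synack_matches_state(False))
```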