Jail

FreeBSD jail with loopback IP, IPFW and natd - outbound connections from the jail fail

  • March 15, 2013

I have a FreeBSD 9.0 server. It has several jails, but they all have the same problem: they cannot initiate connections to the outside world. They talk to each other and to the host fine.

Relevant rc.conf settings:

firewall_enable="YES"                   # IPFW
firewall_type="/etc/ipfw.rules"         # Rule script for IPFW

natd_enable="YES"                       # NAT for Internet Routing
natd_interface="wan0"                   # NAT Card
natd_flags="-f /etc/natd.conf -dynamic" # NAT Conf

ifconfig_lo1_name="jail1"
ifconfig_jail1="inet 192.168.1.101/32"

jail_asdf_rootdir="/jails/asdf"
jail_asdf_hostname="asdf.example.net"
jail_asdf_ip="192.168.1.101"
jail_asdf_devfs_enable="YES"

sysctl.conf

security.jail.allow_raw_sockets=1

ipfw.rules

# XXX 00050 divert natd ip4 from any to any via wan0
add 00060 check-state

# Allow me out
add 00135 allow ip from me to any keep-state
add 00136 allow ip6 from me6 to any keep-state

# HTTP
add 11010 allow tcp from any to me http setup keep-state
add 11011 allow tcp from any to me6 http setup keep-state
add 11012 allow tcp from any to me https setup keep-state
add 11013 allow tcp from any to me6 https setup keep-state
.... lots more rules like the above ....

# General Network - ICMP
add 61001 allow icmp from any to any

# XXX last rule is deny everything

natd.conf

redirect_port tcp 192.168.1.101:80 80
redirect_port tcp 192.168.1.101:443 443

This works great for incoming connections. I have tested from several machines and can reach the site normally.

When I get a shell in the jail with jexec 1 csh, I cannot create outgoing connections. The jail's resolv.conf points at the host server, and name resolution works fine. Since ICMP still passes without exception, I can ping from the jail.

I can run tcpdump -i wan0 host 1.2.3.4 on the host and watch the traffic. I see the SYN go out, then the SYN ACK come back. Then a few seconds later the jail retries the same thing.

How do I allow outgoing connections from my jails?

Update

I believe I understand the problem. An outgoing packet starts in the firewall rules, gets NAT-translated, is allowed, and is recorded as the external IP establishing an outgoing connection. When the return packet comes back, it gets translated, but now it doesn't match the check-state rule because the packet has the internal IP. Still looking for a solution.

Given that the problem is that the address translation always happens before the check-state rule, the solution should be obvious. The address translation needs to be split.

The corrected version of the rules found above is:

add 00050 divert natd ip4 from any to any via wan0 in
add 00060 check-state

# Talking to myself
add 00200 allow ip from me to me keep-state

# HTTP
add 11010 skipto 63000 tcp from any to me http,https setup keep-state
add 11011 skipto 63000 tcp from any to me6 http,https setup keep-state

# General Network - ICMP
add 61001 allow icmp from any to any

# Last rule of "normal" traffic
add 62000 deny ip from any to any

# Only for my outbound and specifically allowed incoming
add 63000 divert natd ip from any to any via wan0 out
add 63001 allow ip from any to any

# XXX last rule is deny everything
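The following toy model of ipfw evaluation (dynamic state plus a natd divert) is an added illustration of the ordering problem in this question, not code from the post. The addresses are constructed, and rule 135 in the corrected set is assumed to be a skipto 63000 (the update omits its outbound rule) so that jail replies are still NATed on the way out.

```python
# Toy model of ipfw evaluation (dynamic state + natd divert), added to show why
# the original rule order drops the jail's SYN-ACK. Addresses are constructed:
# EXT is the host's wan0 address, JAIL the lo1 alias, REMOTE a host on the net.
EXT, JAIL, REMOTE = "203.0.113.10", "192.168.1.101", "198.51.100.7"
ME = {EXT, JAIL}                          # ipfw "me": every address on the host
ANY = lambda p: True
def via_wan0(direction):                  # "via wan0 in|out": only that direction
    return lambda p: direction in ("any", p["dir"])

def natd(p, table):
    """natd: rewrite a jail source on the way out, restore it on the way in."""
    if p["dir"] == "out" and p["src"] == JAIL:
        table[p["dst"]] = JAIL
        return {**p, "src": EXT}
    if p["dir"] == "in" and p["dst"] == EXT and p["src"] in table:
        return {**p, "dst": table[p["src"]]}
    return p

def ipfw(rules, p, state, table):
    """Walk rules in order like ipfw; return the verdict for packet p."""
    idx = {num: i for i, (num, *_) in enumerate(rules)}
    i = 0
    while i < len(rules):
        num, action, match, keep = rules[i]
        if action == "divert":            # divert natd: packet re-enters at next rule
            p = natd(p, table) if match(p) else p
            i += 1; continue
        if action == "check-state":       # a hit runs the action of the creating rule
            key = (p["src"], p["dst"])
            action = state.get(key) or state.get(key[::-1])
            if action is None:
                i += 1; continue
        elif not match(p):
            i += 1; continue
        elif keep:                        # keep-state: remember addresses as seen here
            state[(p["src"], p["dst"])] = action
        if action in ("allow", "deny"):
            return action
        i = idx[action]                   # skipto N
    return "deny"

def jail_connects(rules):
    """Jail sends a SYN, the remote answers; return the verdict on the SYN-ACK."""
    state, table = {}, {}
    assert ipfw(rules, {"src": JAIL, "dst": REMOTE, "dir": "out"}, state, table) == "allow"
    return ipfw(rules, {"src": REMOTE, "dst": EXT, "dir": "in"}, state, table)

# Original order: NAT in both directions before check-state, so the state holds EXT.
ORIGINAL = [(50, "divert", via_wan0("any"), False), (60, "check-state", ANY, False),
            (135, "allow", lambda p: p["src"] in ME, True), (65535, "deny", ANY, False)]
# Corrected order from the update; rule 135 as skipto 63000 is an assumption.
FIXED = [(50, "divert", via_wan0("in"), False), (60, "check-state", ANY, False),
         (135, 63000, lambda p: p["src"] in ME, True), (62000, "deny", ANY, False),
         (63000, "divert", via_wan0("out"), False), (63001, "allow", ANY, False)]
```

With ORIGINAL the return packet is de-NATed to the jail address before check-state, so no state matches and it hits the final deny; with FIXED the state was created with the jail address and the reply matches.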

Quoted from: https://serverfault.com/questions/487649