Nat
ipfilter: is it possible to redirect ssh to each zone?
I have a server for testing on which I installed OmniOS, because it can emulate Linux (lx brand zones) and Solaris (works perfectly with kvm-qemu). I could run everything on the 192.168.0.0/24 network, but I prefer to do it this way: a server with 2 NICs, bge0 and bge1; bge0 has the IP 192.168.0.30, bge1 has 10.2.0.1. The VMs (zones and kvm-qemu) run on the 10.2.0.1 network. So with ipfilter I made a firewall like this
ipf.conf
# block and quick everything by default but pass on lo0
block in log on bge0 all
pass in quick on bge1 all
pass in quick on lo0 all

# These rules will allow connections initiated from
# this host along with the return connection
pass out quick proto icmp all keep state
pass out quick proto tcp all keep state
pass out quick proto udp all keep state

# Allow SecureShell incoming connections on 22 port
pass in quick proto tcp from any to any port = 22 flags S keep state keep frags

ipnat.conf
map bge0 10.2.0.0/24 -> 0/32 portmap tcp/udp auto
map bge0 10.2.0.0/24 -> 0/32
rdr bge0 10.2.0.0/24 -> 10.2.0.3
One lx zone (10.2.0.3) works perfectly. I can reach it via ssh from a client on the 192.168.0.0/24 network. My question is: if I want two or more machines, is it possible to redirect ssh to different machines?
For example
machine1-------->ssh------->lxzone1
machine1-------->ssh------->lxzone2
Which rule? Thanks
PS: for Solaris 11.4, which uses pf instead of ipfilter (removed), all of this works with this simple pf.conf
# Vars
ext_if="net0"
int_if="net1"
ext_net="192.168.0.0/24"
int_net="10.2.0.0/24"
webports="{443, 80}"

## make IP reassembly work
set reassemble yes no-df

## ignore loopback traffic
set skip on lo0

# block everything unless told otherwise
# and send TCP-RST/ICMP unreachable
# for every packet which gets blocked
block return in log all
pass out all

# Pass
pass in on $int_if proto tcp from $ext_net to any keep state
pass in on $int_if proto udp from $ext_net to any keep state
pass in on $int_if proto tcp from $int_net to any keep state
pass in on $int_if proto udp from $int_net to any keep state

# accept incoming SSH connections
pass in proto tcp from any to $ext_if port 22

# accept icmp
pass in proto icmp all

## allow all connections initiated from this system,
## including DHCP requests
pass out

#nat
pass out on net0 from $int_net to any nat-to (net0)
A workaround that works. In this case I can reach the DNS server and can ssh to the IPs 10.2.0.2, 10.2.0.3, 10.2.0.4 ...
cat ipnat.conf
map bge0 10.2.0.0/24 -> 0/32 portmap tcp/udp auto
map bge0 10.2.0.0/24 -> 0/32
rdr bge0 from any to 10.2.0.3/32 port = 22 -> 10.2.0.3 port 22 tcp
rdr bge0 from any to 10.2.0.2/32 port = 22 -> 10.2.0.2 port 22 tcp
rdr bge0 from any to 10.2.0.2/32 port = 53 -> 10.2.0.2 port 53 tcp
rdr bge0 from any to 10.2.0.2/32 port = 53 -> 10.2.0.2 port 53 udp
rdr bge0 from any to 10.2.0.4/32 port = 22 -> 10.2.0.4 port 22 tcp
rdr bge0 from any to 10.2.0.5/32 port = 22 -> 10.2.0.5 port 22 tcp
rdr bge0 from any to 10.2.0.6/32 port = 22 -> 10.2.0.6 port 22 tcp
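The per-zone rdr rules above grow by hand, one line per zone and port, so the two things worth checking are that every zone actually has a rule and that nothing more than ssh (and DNS on 10.2.0.2) is being exposed on bge0. The following is an added audit helper, not part of the question or answer: it parses rdr lines of exactly the shape used in the answer, resolves which rule an inbound packet on bge0 would hit (ipnat applies the first matching NAT rule), lists zones that lack an ssh redirect, and generates the ssh rdr lines for a zone list so they are not typed by hand. The sample ipnat.conf text is constructed from the rules on this page; the helper names (parse_ipnat, match_rdr, missing_ssh_rdr, generate_ssh_rdrs) are this example's own.

```python
"""Audit helper for ipnat(5) rdr rules of the form used on this page:
    rdr IF from any to DST/MASK port = N -> NEWDST port M PROTO
Added example; map lines and other ipnat syntax are ignored.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Only the rdr shape from the answer is accepted; anything else is an error so
# a mistyped rule is noticed instead of silently skipped.
RDR_RE = re.compile(
    r"^rdr\s+(?P<ifname>\S+)\s+from\s+any\s+to\s+(?P<dst>\S+)"
    r"\s+port\s*=\s*(?P<dport>\d+)\s*->\s*(?P<newdst>\S+)"
    r"\s+port\s+(?P<newport>\d+)\s+(?P<proto>tcp/udp|tcp|udp)\s*$"
)


@dataclass(frozen=True)
class RdrRule:
    ifname: str
    dst: ipaddress.IPv4Network
    dport: int
    newdst: ipaddress.IPv4Address
    newport: int
    protos: frozenset  # {"tcp"}, {"udp"} or {"tcp", "udp"}


def parse_ipnat(text: str) -> list[RdrRule]:
    """Return the rdr rules in file order; comments and map lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("rdr"):
            continue
        m = RDR_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rdr syntax: {line!r}")
        rules.append(RdrRule(
            ifname=m["ifname"],
            dst=ipaddress.ip_network(m["dst"], strict=False),
            dport=int(m["dport"]),
            newdst=ipaddress.ip_address(m["newdst"]),
            newport=int(m["newport"]),
            protos=frozenset(m["proto"].split("/")),
        ))
    return rules


def match_rdr(rules: list[RdrRule], ifname: str, dst_ip: str, dport: int,
              proto: str) -> Optional[tuple[str, int]]:
    """First matching rule wins (ipnat semantics); None means no redirect."""
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r.ifname == ifname and proto in r.protos
                and r.dport == dport and dst in r.dst):
            return (str(r.newdst), r.newport)
    return None


def missing_ssh_rdr(rules: list[RdrRule], ifname: str, zone_ips: list[str],
                    port: int = 22) -> list[str]:
    """Zones that would NOT be reachable over ssh because no rdr covers them."""
    return [ip for ip in zone_ips
            if match_rdr(rules, ifname, ip, port, "tcp") is None]


def generate_ssh_rdrs(ifname: str, zone_ips: list[str], port: int = 22) -> str:
    """Emit one tcp rdr line per zone, in the exact shape the answer uses."""
    return "\n".join(
        f"rdr {ifname} from any to {ip}/32 port = {port} -> {ip} port {port} tcp"
        for ip in zone_ips
    )


# Constructed sample: the rdr lines from the answer, plus its map lines.
SAMPLE_IPNAT = """\
map bge0 10.2.0.0/24 -> 0/32 portmap tcp/udp auto
map bge0 10.2.0.0/24 -> 0/32
rdr bge0 from any to 10.2.0.3/32 port = 22 -> 10.2.0.3 port 22 tcp
rdr bge0 from any to 10.2.0.2/32 port = 22 -> 10.2.0.2 port 22 tcp
rdr bge0 from any to 10.2.0.2/32 port = 53 -> 10.2.0.2 port 53 tcp
rdr bge0 from any to 10.2.0.2/32 port = 53 -> 10.2.0.2 port 53 udp
rdr bge0 from any to 10.2.0.4/32 port = 22 -> 10.2.0.4 port 22 tcp
"""

if __name__ == "__main__":
    rules = parse_ipnat(SAMPLE_IPNAT)
    zones = ["10.2.0.2", "10.2.0.3", "10.2.0.4", "10.2.0.5"]
    print("ssh to 10.2.0.3 ->", match_rdr(rules, "bge0", "10.2.0.3", 22, "tcp"))
    print("zones without ssh rdr:", missing_ssh_rdr(rules, "bge0", zones))
    print(generate_ssh_rdrs("bge0", missing_ssh_rdr(rules, "bge0", zones)))
```

Run it against a real ipnat.conf by replacing SAMPLE_IPNAT with the file contents; a non-empty result from missing_ssh_rdr is the zone that "cannot be reached" from the 192.168.0.0/24 side, and match_rdr returning None for any port other than 22 (or 53 on 10.2.0.2) confirms that nothing beyond those services is redirected into the zones.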