Cannot access the internet or ping the default gateway from a FreeBSD 12 jail


I'm new to FreeBSD jails. Everything (for example, ssh-ing into the jail from any host on the network) works fine, but I cannot access the internet or ping the default gateway from a FreeBSD 12 jail. Please help me fix this.

Update: I could work around this by enabling IPv6, and I can reach any IPv6-enabled host from the jail.

My setup is as follows:

  • Laptop running Ubuntu 16.04.4 / Kernel 4.15.0-29-generic (172.20.0.2), connected through wlan0 to a 4G router (172.20.0.1)
  • VirtualBox ver 5.2.16 r123759 installed on the system
  • FreeBSD 12 running on VirtualBox, connected to wlan0 through a bridged adapter
  • Jail running on FreeBSD 12

Diagram:

+-------------------------------+
|   E5172Bs-925 4G router       |
|                               |
+-------------------------------+
              |172.20.0.1
              |
              |
              |
              |
              |
 wlan0        |172.20.0.2 gw: 172.20.0.1      Ubuntu 16.04.4/ Kernel 4.15.0-29-generic
+---------------------------------------------------------------+
|             |                                                 |
|             |                                                 |
|             |                                                 |
| FreeBSD 12  |172.20.0.41 (Attached to Bridged adapter)        |
| +-----------+gw: 172.20.0.1---+---------------+               |
| |                             |               |               |
| |                             |               |               |
| |                             |               |               |
| | +---------------------------+--------+      |               |
| | | jail : 172.20.0.110                |      |               |
| | | gw: 172.20.0.1                     |      |               |
| | |                                    |      |               |
| | |                                    |      |               |
| | |                                    |      |               |
| | |                                    |      |               |
| | +------------------------------------+      |               |
| |                                             |               |
| +---------------------------------------------+               |
+---------------------------------------------------------------+

My jail.conf (from /usr/share/examples/jails/jail.xxx.conf):

rsnapshot {
    host.hostname = "rsnapshot";    # hostname
    path = "/jails/rsnapshot";              # root directory

    exec.clean;
    exec.system_user = "root";
    exec.jail_user = "root";

    #
    # NB: Below 4-lines required
    #
    vnet;
    # netgraph
    #vnet.interface = "ng0_rsnapshot";               # vnet interface(s)
    #exec.prestart += "jng bridge rsnapshot em0";    # bridge interface(s)
    #exec.poststop += "jng shutdown rsnapshot";      # destroy interface(s)
    # if_bridge
    vnet.interface = "e0b_rsnapshot";              # vnet interface(s)
    exec.prestart += "jib addm rsnapshot em0";     # bridge interface(s)
    exec.poststop += "jib destroy rsnapshot";      # destroy interface(s)

    # Standard recipe
    exec.start += "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.consolelog = "/var/log/jail_rsnapshot_console.log";
    mount.devfs;    # mount devfs

    # Optional (default off)
    #devfs_ruleset = "11";          # rule to unhide bpf for DHCP
    #allow.mount;                   # mount /etc/fstab.rsnapshot
    #allow.set_hostname = 1;        # Allow hostname to change
    #allow.sysvipc = 1;             # Allow SysV Interprocess Comm.

}

Host ifconfig:

em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=810099<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER>
    ether 08:00:27:9b:b8:c4
    inet 172.20.0.41 netmask 0xffffff00 broadcast 172.20.0.255 
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128 
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2 
    inet 127.0.0.1 netmask 0xff000000 
    groups: lo 
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
em0bridge: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:d7:f0:96:d8:00
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    member: e0a_rsnapshot flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 4 priority 128 path cost 2000
    member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 1 priority 128 path cost 20000
    groups: bridge 
    nd6 options=1<PERFORMNUD>
e0a_rsnapshot: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:f8:e0:9b:b8:c4
    hwaddr 02:70:c5:28:c6:0a
    groups: epair 
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

ifconfig inside the jail:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128 
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
    inet 127.0.0.1 netmask 0xff000000 
    groups: lo 
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
e0b_rsnapshot: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 0e:f8:e0:9b:b8:c4
    hwaddr 02:70:c5:28:c6:0b
    inet 172.20.0.110 netmask 0xffffff00 broadcast 172.20.0.255 
    groups: epair 
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

I can ping any host on my network from inside the jail, but I cannot ping the default gateway or anything outside.

tcpdump on my laptop's wlan0 shows the following; I can see the ICMP echo request but no reply:

11:03:40.748008 IP (tos 0x0, ttl 64, id 52840, offset 0, flags [none], proto ICMP (1), length 84)
    172.20.0.110 > 172.20.0.1: ICMP echo request, id 45323, seq 0, length 64
11:03:40.775639 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.20.0.110 tell 172.20.0.1, length 28
11:03:40.776034 ARP, Ethernet (len 6), IPv4 (len 4), Reply 172.20.0.110 is-at 0e:f8:e0:9b:b8:c4, length 28

If I ping my laptop from the jail, it shows:

11:31:15.625571 IP (tos 0x0, ttl 64, id 52842, offset 0, flags [none], proto ICMP (1), length 84)
    172.20.0.110 > 172.20.0.2: ICMP echo request, id 6668, seq 0, length 64
11:31:15.625629 IP (tos 0x0, ttl 64, id 2336, offset 0, flags [none], proto ICMP (1), length 84)
    172.20.0.2 > 172.20.0.110: ICMP echo reply, id 6668, seq 0, length 64

netstat -rn inside the jail:

root@freebsdjail1:/ # netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            172.20.0.1         UGS    e0b_rsna
127.0.0.1          link#1             UH          lo0
172.20.0.0/24      link#2             U      e0b_rsna
172.20.0.110       link#2             UHS         lo0

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               link#1                        UH          lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%lo0/64                     link#1                        U           lo0
fe80::1%lo0                       link#1                        UHS         lo0
ff02::/16                         ::1                           UGRS        lo0

Answer 1

By default, FreeBSD does not forward packets across interfaces. You can tell it that you want packets forwarded by setting a sysctl value:

sysctl net.inet.ip.forwarding=1

If this fixes your problem, enable it permanently with:

echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf

or

sysrc gateway_enable=1

Either command will make sure IPv4 forwarding is enabled at the next reboot.
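An added check that goes with the answer above (example code, not from the question, the answer or FreeBSD itself): it parses the two files the answer writes to, /etc/sysctl.conf and /etc/rc.conf, and reports whether IPv4 forwarding will actually be re-enabled at the next boot. File paths are passed in as parameters, and the sample files are constructed inline, so the check runs offline; the function names are my own.

```sh
#!/bin/sh
# Added example: verify that the forwarding setting from the answer above
# is persisted, by parsing sysctl.conf and rc.conf instead of querying the
# live kernel. Paths are parameters so the checks can run on sample files.

# 0 if the sysctl.conf file sets net.inet.ip.forwarding=1 (last setting wins).
sysctl_conf_enables_forwarding() {
    val=$(sed -e 's/#.*//' "$1" \
          | grep '^[[:space:]]*net\.inet\.ip\.forwarding[[:space:]]*=' \
          | tail -n 1 | sed -e 's/.*=//' | tr -d "[:space:]\"'")
    [ "$val" = "1" ]
}

# 0 if rc.conf sets gateway_enable to a value rc.subr's checkyesno accepts:
# yes, true, on or 1, case-insensitively ("sysrc gateway_enable=1" writes "1").
rc_conf_enables_gateway() {
    val=$(sed -e 's/#.*//' "$1" \
          | grep '^[[:space:]]*gateway_enable[[:space:]]*=' \
          | tail -n 1 | sed -e 's/.*=//' | tr -d "[:space:]\"'" | tr 'A-Z' 'a-z')
    case "$val" in
        yes|true|on|1) return 0 ;;
        *)             return 1 ;;
    esac
}

# Either file is enough, as the answer states: args are sysctl.conf, rc.conf.
forwarding_persisted() {
    sysctl_conf_enables_forwarding "$1" || rc_conf_enables_gateway "$2"
}

# Constructed sample files, not the poster's real configuration.
SAMPLE_DIR=$(mktemp -d)
printf 'net.inet.ip.forwarding=1\n' > "$SAMPLE_DIR/sysctl_on.conf"
printf '# net.inet.ip.forwarding=1\nnet.inet.ip.forwarding = 0\n' > "$SAMPLE_DIR/sysctl_off.conf"
printf 'hostname="freebsd12"\ngateway_enable="1"\n' > "$SAMPLE_DIR/rc_on.conf"
printf 'gateway_enable="YES"\ngateway_enable="NO"   # later line wins\n' > "$SAMPLE_DIR/rc_off.conf"

if forwarding_persisted "$SAMPLE_DIR/sysctl_off.conf" "$SAMPLE_DIR/rc_on.conf"; then
    echo "IPv4 forwarding will be enabled at next boot"
else
    echo "IPv4 forwarding is NOT persisted"
fi
```

On a real host, pass /etc/sysctl.conf and /etc/rc.conf instead of the sample paths.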
