I'm new to FreeBSD jails. Everything (for example, ssh into the jail from any host on the network) works fine, but I cannot reach the Internet or ping the default gateway from a FreeBSD 12 jail. Please help me fix this.
Update: I was able to work around this by enabling IPv6, and I can reach any IPv6-enabled host from the jail.
My setup is as follows:
- A laptop running Ubuntu 16.04.4 / Kernel 4.15.0-29-generic (172.20.0.2), connected over wlan0 to a 4G router (172.20.0.1)
- VirtualBox ver 5.2.16 r123759 installed on that system
- FreeBSD 12 running on VirtualBox, attached to wlan0 through a bridged adapter
- A jail running on FreeBSD 12
Diagram:

+-------------------------------+
| E5172Bs-925 4G router         |
+-------------------------------+
               | 172.20.0.1
               |
               |
        wlan0  | 172.20.0.2   gw: 172.20.0.1
+---------------------------------------------------------------+
| Ubuntu 16.04.4 / Kernel 4.15.0-29-generic                     |
|                                                               |
|   +-----------------------------------------------------+     |
|   | FreeBSD 12   172.20.0.41   gw: 172.20.0.1           |     |
|   | (attached to bridged adapter)                       |     |
|   |                                                     |     |
|   |   +---------------------------------------+         |     |
|   |   | jail : 172.20.0.110                   |         |     |
|   |   | gw: 172.20.0.1                        |         |     |
|   |   +---------------------------------------+         |     |
|   +-----------------------------------------------------+     |
+---------------------------------------------------------------+
My jail.conf file (taken from /usr/share/examples/jails/jail.xxx.conf):
rsnapshot {
        host.hostname = "rsnapshot";                    # hostname
        path = "/jails/rsnapshot";                      # root directory
        exec.clean;
        exec.system_user = "root";
        exec.jail_user = "root";
        #
        # NB: Below 4-lines required
        #
        vnet;
        # netgraph
        #vnet.interface = "ng0_rsnapshot";              # vnet interface(s)
        #exec.prestart += "jng bridge rsnapshot em0";   # bridge interface(s)
        #exec.poststop += "jng shutdown rsnapshot";     # destroy interface(s)
        # if_bridge
        vnet.interface = "e0b_rsnapshot";               # vnet interface(s)
        exec.prestart += "jib addm rsnapshot em0";      # bridge interface(s)
        exec.poststop += "jib destroy rsnapshot";       # destroy interface(s)
        # Standard recipe
        exec.start += "/bin/sh /etc/rc";
        exec.stop = "/bin/sh /etc/rc.shutdown";
        exec.consolelog = "/var/log/jail_rsnapshot_console.log";
        mount.devfs;                                    # mount devfs
        # Optional (default off)
        #devfs_ruleset = "11";                          # rule to unhide bpf for DHCP
        #allow.mount;                                   # mount /etc/fstab.rsnapshot
        #allow.set_hostname = 1;                        # Allow hostname to change
        #allow.sysvipc = 1;                             # Allow SysV Interprocess Comm.
}
ifconfig on the host:
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=810099<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER>
        ether 08:00:27:9b:b8:c4
        inet 172.20.0.41 netmask 0xffffff00 broadcast 172.20.0.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
em0bridge: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:d7:f0:96:d8:00
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: e0a_rsnapshot flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 4 priority 128 path cost 2000
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000
        groups: bridge
        nd6 options=1<PERFORMNUD>
e0a_rsnapshot: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:f8:e0:9b:b8:c4
        hwaddr 02:70:c5:28:c6:0a
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
ifconfig inside the jail:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
e0b_rsnapshot: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 0e:f8:e0:9b:b8:c4
        hwaddr 02:70:c5:28:c6:0b
        inet 172.20.0.110 netmask 0xffffff00 broadcast 172.20.0.255
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
I can ping any host on my network from the jail, but I cannot ping the default gateway or anything outside.
A tcpdump on my laptop's wlan0 shows the following; I can see the ICMP echo requests, but no replies:
11:03:40.748008 IP (tos 0x0, ttl 64, id 52840, offset 0, flags [none], proto ICMP (1), length 84)
    172.20.0.110 > 172.20.0.1: ICMP echo request, id 45323, seq 0, length 64
11:03:40.775639 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.20.0.110 tell 172.20.0.1, length 28
11:03:40.776034 ARP, Ethernet (len 6), IPv4 (len 4), Reply 172.20.0.110 is-at 0e:f8:e0:9b:b8:c4, length 28
If I ping my laptop from the jail, it shows:
11:31:15.625571 IP (tos 0x0, ttl 64, id 52842, offset 0, flags [none], proto ICMP (1), length 84)
    172.20.0.110 > 172.20.0.2: ICMP echo request, id 6668, seq 0, length 64
11:31:15.625629 IP (tos 0x0, ttl 64, id 2336, offset 0, flags [none], proto ICMP (1), length 84)
    172.20.0.2 > 172.20.0.110: ICMP echo reply, id 6668, seq 0, length 64
netstat -rn inside the jail:
root@freebsdjail1:/ # netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            172.20.0.1         UGS    e0b_rsna
127.0.0.1          link#1             UH          lo0
172.20.0.0/24      link#2             U      e0b_rsna
172.20.0.110       link#2             UHS         lo0

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               link#1                        UH          lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%lo0/64                     link#1                        U           lo0
fe80::1%lo0                       link#1                        UHS         lo0
ff02::/16                         ::1                           UGRS        lo0
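The two captures in the question show the same asymmetry the asker describes: echo requests from 172.20.0.110 to 172.20.0.1 are never answered, while 172.20.0.2 answers immediately. The following triage helper is an added example (it is not part of the question) that makes that asymmetry explicit by tallying echo requests and replies per peer from tcpdump's verbose text output. It assumes the two-line-per-packet format tcpdump prints with -v, exactly as quoted above; SAMPLE is constructed from the question's own capture lines, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original question): summarise ICMP echo traffic
# per peer from tcpdump's verbose text output, so that peers that receive echo
# requests but never answer stand out.  Assumes the two-line-per-packet format
# tcpdump prints with -v, as quoted in the question.  SAMPLE below is
# constructed from the question's own captures.

SAMPLE='11:03:40.748008 IP (tos 0x0, ttl 64, id 52840, offset 0, flags [none], proto ICMP (1), length 84)
    172.20.0.110 > 172.20.0.1: ICMP echo request, id 45323, seq 0, length 64
11:03:40.775639 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.20.0.110 tell 172.20.0.1, length 28
11:03:40.776034 ARP, Ethernet (len 6), IPv4 (len 4), Reply 172.20.0.110 is-at 0e:f8:e0:9b:b8:c4, length 28
11:31:15.625571 IP (tos 0x0, ttl 64, id 52842, offset 0, flags [none], proto ICMP (1), length 84)
    172.20.0.110 > 172.20.0.2: ICMP echo request, id 6668, seq 0, length 64
11:31:15.625629 IP (tos 0x0, ttl 64, id 2336, offset 0, flags [none], proto ICMP (1), length 84)
    172.20.0.2 > 172.20.0.110: ICMP echo reply, id 6668, seq 0, length 64'

# icmp_summary SRC: read tcpdump text on stdin and print one line per peer
# that SRC sent echo requests to: "<peer> <requests> <replies>", sorted.
icmp_summary() {
    awk -v src="$1" '
        # "A > B: ICMP echo ..." : $1 is the sender, $3 the target (trailing colon)
        /ICMP echo request/ { dst = $3; sub(/:$/, "", dst); if ($1 == src) req[dst]++ }
        /ICMP echo reply/   { dst = $3; sub(/:$/, "", dst); if (dst == src) rep[$1]++ }
        END { for (p in req) printf "%s %d %d\n", p, req[p], rep[p] + 0 }
    ' | sort
}

# unanswered SRC: peers that SRC pinged and that never sent a reply back.
unanswered() {
    icmp_summary "$1" | awk '$3 == 0 { print $1 }'
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE" | icmp_summary 172.20.0.110
printf '%s\n' "$SAMPLE" | unanswered 172.20.0.110
```

On the sample this prints one line per pinged peer ("172.20.0.1 1 0" and "172.20.0.2 1 1") and then lists 172.20.0.1 as the only unanswered peer. On a real capture, feed it `tcpdump -v -n icmp` output taken on the interface you want to check, once from the host side and once from inside the jail, to see at which hop the replies disappear.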
Answer 1
By default, FreeBSD does not forward packets between interfaces. You can tell it that you want packets forwarded by setting a sysctl:

sysctl net.inet.ip.forwarding=1

If this fixes your problem, enable it permanently with:

echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf

or

sysrc gateway_enable=1

Either command will make sure IPv4 forwarding is enabled on the next reboot.
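The `echo ... >> /etc/sysctl.conf` step in the answer appends a fresh line every time it is run, so repeated attempts leave duplicate entries behind and the last one silently wins. The helper below is an added example (it is not part of the answer and is not how sysrc works internally) that makes the same step idempotent: it replaces an existing uncommented setting of the key in place and appends only when the key is absent. The key and value are the answer's own; the file path parameter, the function names and the scratch-file contents are mine, and nothing here runs sysctl(8) or touches the real /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example, not part of the original answer: an idempotent version of the
# "persist the sysctl" step.  `echo ... >> /etc/sysctl.conf` appends a fresh
# line every time it is run, so the file accumulates duplicates; this helper
# replaces an existing uncommented setting of the key in place and appends only
# when the key is absent.  The file path is a parameter so the helper can be
# exercised on a scratch copy; nothing here touches /etc/sysctl.conf or runs
# sysctl(8) itself.

# set_sysctl_conf FILE KEY VALUE
set_sysctl_conf() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    # Drop every active line that sets KEY (whitespace around '=' ignored),
    # keep comments and other keys untouched, then add KEY=VALUE exactly once.
    awk -v k="$key" '
        { l = $0; gsub(/[ \t]/, "", l) }
        index(l, k "=") == 1 { next }
        { print }
    ' "$file" > "$tmp" &&
    printf '%s=%s\n' "$key" "$value" >> "$tmp" &&
    mv "$tmp" "$file"
}

# get_sysctl_conf FILE KEY: print the value of the last active KEY= line, if any.
get_sysctl_conf() {
    awk -v k="$2" '
        { l = $0; gsub(/[ \t]/, "", l) }
        index(l, k "=") == 1 { v = substr(l, length(k) + 2) }
        END { if (v != "") print v }
    ' "$1"
}

# count_key FILE KEY: number of active (uncommented) lines that set KEY.
count_key() {
    awk -v k="$2" '
        { l = $0; gsub(/[ \t]/, "", l) }
        index(l, k "=") == 1 { n++ }
        END { print n + 0 }
    ' "$1"
}

# Stand-alone demonstration on a scratch file (constructed content):
demo=$(mktemp)
printf 'kern.ipc.somaxconn=1024\n#net.inet.ip.forwarding=1\nnet.inet.ip.forwarding = 0\n' > "$demo"
set_sysctl_conf "$demo" net.inet.ip.forwarding 1
set_sysctl_conf "$demo" net.inet.ip.forwarding 1   # second run must not add a duplicate
cat "$demo"
rm -f "$demo"
```

Running it twice against the scratch file leaves exactly one active `net.inet.ip.forwarding=1` line, keeps the commented-out copy and the unrelated key untouched, and the final `cat` shows three lines. The same pattern applies to any key you persist this way; it is a good habit for files that are also edited by hand, because a duplicate key further down would override the value you think you set.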