我有一台 FreeBSD 9.0 服务器。它有几个 jail,但它们都有同样的问题。它们无法发起与外界的连接。它们彼此之间以及与主机之间都可以正常通信。
相关rc.conf
设置:
firewall_enable="YES" # IPFW
firewall_type="/etc/ipfw.rules" # Rule script for IPFW
natd_enable="YES" # NAT for Internet Routing
natd_interface="wan0" # NAT Card
natd_flags="-f /etc/natd.conf -dynamic" # NAT Conf
ifconfig_lo1_name="jail1"
ifconfig_jail1="inet 192.168.1.101/32"
jail_asdf_rootdir="/jails/asdf"
jail_asdf_hostname="asdf.example.net"
jail_asdf_ip="192.168.1.101"
jail_asdf_devfs_enable="YES"
从sysctl.conf
security.jail.allow_raw_sockets=1
从ipfw.rules
# XXX 00050 divert natd ip4 from any to any via wan0
add 00060 check-state
# Allow me out
add 00135 allow ip from me to any keep-state
add 00136 allow ip6 from me6 to any keep-state
# HTTP
add 11010 allow tcp from any to me http setup keep-state
add 11011 allow tcp from any to me6 http setup keep-state
add 11012 allow tcp from any to me https setup keep-state
add 11013 allow tcp from any to me6 https setup keep-state
.... lots more rules like the above ....
# General Network - ICMP
add 61001 allow icmp from any to any
# XXX last rule is deny everything
从natd.conf
redirect_port tcp 192.168.1.101:80 80
redirect_port tcp 192.168.1.101:443 443
这对于传入连接非常有用。我已经在多台计算机上进行了测试,可以正常访问该网站。
当我jexec 1 csh
在监狱中获取 shell 时,我无法创建传出连接。监狱resolv.conf
指向主机服务器,并且它执行名称解析良好。由于 ICMP 仍然无例外地通过,我可以从监狱 ping 出。
我可以在主机上执行操作tcpdump -i wan0 host 1.2.3.4
并观察流量通过的情况。我看到 SYN 发出,然后 SYN ACK 返回。几秒钟后,Jail 再次重试,情况又一样。
我如何允许从我的监狱发出连接?
更新:
我想我明白了这个问题。传出的数据包开始通过防火墙规则,进行 NAT 转换,允许传出并记录为外部 IP,从而建立传出连接。当返回的数据包返回时,它会经过转换,但现在不符合检查状态规则,因为数据包具有内部 IP。仍在寻找解决方案。
答案1
从这个问题来看,解决方案应该是显而易见的,即地址转换总是在检查状态规则之前发生。地址转换需要拆分。
上面找到的规则的更正版本是:
add 00050 divert natd ip4 from any to any via wan0 in
add 00060 check-state
# Talking to myself
add 00200 allow ip from me to me keep-state
# HTTP
add 11010 skipto 63000 tcp from any to me http,https setup keep-state
add 11011 skipto 63000 tcp from any to me6 http,https setup keep-state
# General Network - ICMP
add 61001 allow icmp from any to any
# Last rule of "normal" traffic
add 62000 deny ip from any to any
# Only for my outbound and specifically allowed incoming
add 63000 divert natd ip from any to any via wan0 out
add 63001 allow ip from any to any
# XXX last rule is deny everything