FreeBSD Jail with Loopback IP, IPFW and natd - outbound connections from jail fail

I have a FreeBSD 9.0 server. It has several jails, and they all have the same problem: they cannot initiate connections to the outside world. They can talk to each other and to the host just fine.

Relevant rc.conf settings:

firewall_enable="YES"                   # IPFW
firewall_type="/etc/ipfw.rules"         # Rule script for IPFW

natd_enable="YES"                       # NAT for Internet Routing
natd_interface="wan0"                   # NAT Card
natd_flags="-f /etc/natd.conf -dynamic" # NAT Conf

ifconfig_lo1_name="jail1"
ifconfig_jail1="inet 192.168.1.101/32"

jail_asdf_rootdir="/jails/asdf"
jail_asdf_hostname="asdf.example.net"
jail_asdf_ip="192.168.1.101"
jail_asdf_devfs_enable="YES"

sysctl.conf

security.jail.allow_raw_sockets=1

ipfw.rules

# XXX 00050 divert natd ip4 from any to any via wan0
add 00060 check-state

# Allow me out
add 00135 allow ip from me to any keep-state
add 00136 allow ip6 from me6 to any keep-state

# HTTP
add 11010 allow tcp from any to me http setup keep-state
add 11011 allow tcp from any to me6 http setup keep-state
add 11012 allow tcp from any to me https setup keep-state
add 11013 allow tcp from any to me6 https setup keep-state
.... lots more rules like the above ....

# General Network - ICMP
add 61001 allow icmp from any to any

# XXX last rule is deny everything

natd.conf

redirect_port tcp 192.168.1.101:80 80
redirect_port tcp 192.168.1.101:443 443

This works great for incoming connections. I have tested from several machines and can reach the website without problems.

When I get a shell in the jail with jexec 1 csh, I cannot create outgoing connections. The jail's resolv.conf points at the host server, and name resolution works fine. Since ICMP still passes without exception, I can ping out from the jail.

I can run tcpdump -i wan0 host 1.2.3.4 on the host and watch the traffic go by. I see the SYN go out, then the SYN ACK come back. A few seconds later the jail retries and the same thing happens again.

How do I allow outgoing connections from my jail?

Update
I think I understand the problem. The outgoing packet starts through the firewall rules, gets NAT translated, is allowed out and recorded with the external IP, which establishes the outgoing connection. When the return packet comes back it is translated, but now it does not match the check-state rule because the packet has the internal IP. Still looking for a solution.

Answer 1

Looking at the question, the solution should be obvious: address translation always happens before the check-state rule. The address translation needs to be split.

The corrected version of the rules found above is:

add 00050 divert natd ip4 from any to any via wan0 in
add 00060 check-state

# Talking to myself
add 00200 allow ip from me to me keep-state

# HTTP
add 11010 skipto 63000 tcp from any to me http,https setup keep-state
add 11011 skipto 63000 tcp from any to me6 http,https setup keep-state

# General Network - ICMP
add 61001 allow icmp from any to any

# Last rule of "normal" traffic
add 62000 deny ip from any to any

# Only for my outbound and specifically allowed incoming
add 63000 divert natd ip from any to any via wan0 out
add 63001 allow ip from any to any

# XXX last rule is deny everything
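To make the ordering argument above concrete, here is an added Python model of how ipfw walks a rule list with natd divert, keep-state and check-state. It is not code from the question, the answer, or FreeBSD's ipfw(8)/natd(8); it models only enough of their semantics to run the SYN and SYN-ACK of a connection opened from the jail through both the question's rule ordering and the answer's. The wan0 and remote addresses are constructed, natd keeps port numbers unchanged, and because the answer's listing does not show its outbound rule, rule 135 in the fixed set is my assumption, written in the same skipto-63000 style as the answer's HTTP rules.

```python
"""Toy model of ipfw rule traversal with natd divert, keep-state and check-state.
Added illustration, not the page's rules or FreeBSD's ipfw(8)/natd(8): it models just
enough to show why diverting both directions ahead of check-state (the question's rule
00050) drops the SYN-ACK of a connection opened from the jail, and why the answer's
split divert (inbound before check-state, outbound at 63000) lets it through."""

WAN_IP = "203.0.113.10"    # constructed address of wan0
JAIL_IP = "192.168.1.101"  # jail address from the page's rc.conf
REMOTE = "198.51.100.7"    # constructed remote web server
ME = {WAN_IP, JAIL_IP}     # ipfw's "me": every address configured on the host

class Natd:
    """Minimal natd: outbound sources become WAN_IP, replies map back (ports unchanged)."""
    def __init__(self):
        self.table = {}    # (proto, port) -> internal source recorded on the way out

    def divert(self, pkt):
        if pkt["dir"] == "out" and pkt["src"] != WAN_IP:
            self.table[(pkt["proto"], pkt["sport"])] = pkt["src"]
            pkt["src"] = WAN_IP
        elif pkt["dir"] == "in" and pkt["dst"] == WAN_IP:
            pkt["dst"] = self.table.get((pkt["proto"], pkt["dport"]), pkt["dst"])
        return pkt

def R(num, action, target=None, **match):
    """One ipfw rule; keyword args are its match options (proto, src, dst, dport, dir, setup, keep_state)."""
    return {"num": num, "action": action, "target": target, "match": match}

def _addr_ok(spec, ip):
    return spec == "any" or (spec == "me" and ip in ME) or spec == ip

def _matches(rule, pkt):
    m = rule["match"]
    return (m.get("proto", "ip") in ("ip", pkt["proto"])
            and _addr_ok(m.get("src", "any"), pkt["src"])
            and _addr_ok(m.get("dst", "any"), pkt["dst"])
            and m.get("dport", pkt["dport"]) == pkt["dport"]
            and m.get("dir", pkt["dir"]) == pkt["dir"]
            and (not m.get("setup") or pkt["syn"]))

def _flow(pkt, reverse=False):
    a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
    return (pkt["proto"],) + (b + a if reverse else a + b)

def run(rules, natd, state, pkt):
    """Walk the rules for one packet; returns (verdict, packet as it leaves ipfw)."""
    pkt, i = dict(pkt), 0
    while i < len(rules):
        r = rules[i]
        if r["action"] == "check-state":
            r = state.get(_flow(pkt)) or state.get(_flow(pkt, reverse=True))
            if r is None:              # no dynamic rule for this flow: keep walking
                i += 1
                continue               # otherwise run the parent rule's action
        elif not _matches(r, pkt):
            i += 1
            continue
        elif r["match"].get("keep_state"):
            state[_flow(pkt)] = r      # dynamic rule keyed by the addresses ipfw sees NOW
        if r["action"] == "divert":
            pkt = natd.divert(pkt)
            i += 1
        elif r["action"] == "skipto":
            i = next(j for j, x in enumerate(rules) if x["num"] >= r["target"])
        else:
            return r["action"], pkt
    return "deny", pkt

# Question's ordering: natd in both directions (rule 00050) before check-state.
BROKEN = [
    R(50, "divert"),
    R(60, "check-state"),
    R(135, "allow", src="me", keep_state=True),                  # "Allow me out"
    R(11010, "allow", proto="tcp", dst="me", dport=80, setup=True, keep_state=True),
    R(65535, "deny"),
]
# Answer's ordering. Its listing omits the outbound rule, so rule 135 here is my
# assumption, written in the same skipto-63000 style as the answer's HTTP rules.
FIXED = [
    R(50, "divert", dir="in"),
    R(60, "check-state"),
    R(135, "skipto", 63000, src="me", keep_state=True),          # assumed
    R(11010, "skipto", 63000, proto="tcp", dst="me", dport=80, setup=True, keep_state=True),
    R(62000, "deny"),
    R(63000, "divert", dir="out"),
    R(63001, "allow"),
]

def outbound_from_jail(rules):
    """Jail opens TCP to REMOTE:80. Returns (SYN verdict, source seen on the wire,
    SYN-ACK verdict, address the SYN-ACK is delivered to)."""
    natd, state = Natd(), {}
    syn = {"proto": "tcp", "src": JAIL_IP, "sport": 40000, "dst": REMOTE, "dport": 80,
           "dir": "out", "syn": True}
    v1, wire = run(rules, natd, state, syn)
    reply = {"proto": "tcp", "src": REMOTE, "sport": 80, "dst": wire["src"],   # the remote
             "dport": wire["sport"], "dir": "in", "syn": False}                 # answers what it saw
    v2, delivered = run(rules, natd, state, reply)
    return v1, wire["src"], v2, delivered["dst"]

if __name__ == "__main__":
    print("question:", outbound_from_jail(BROKEN), "answer:", outbound_from_jail(FIXED))
```

With the question's ordering the SYN leaves translated and the dynamic rule is recorded with the wan0 address, so the un-translated SYN-ACK fails check-state and falls through to the final deny, which is exactly what the tcpdump observation and the Update describe. With the answer's ordering the dynamic rule is created while the packet still carries the jail address, the inbound divert restores that address before check-state, and the parent rule's skipto carries both directions to the 63000 block.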
