Iptables
Port forwarding with iptables and a firejail sandbox
I am trying to run an HTTP server on port 8000 inside a Firejail sandbox and make it reachable on all of the host's interfaces on port 8888.
The whole system can be represented as follows:
+----------------------------------------------------+                                            +-------------+
| host-112                                           |                                            | host-238    |
|                                                    |                  +-------+                 |             |
|  +--------------------------+               +-----+|  192.168.1.112   |       |  192.168.1.238  | +----+      |
|  | firejail                 |               |wlan0+-------------------+  NAT  +-------------------+eth0|      |
|  |                          |               +-----+|                  |       |                 | +----+      |
|  |                          |                      |                  +-------+                 |             |
|  |  +----+  10.0.1.2        |  10.0.1.1 +------+   |                                            |             |
|  |  |eth0+------------------------------+my_br0|   |                                            |             |
|  |  +----+                  |           +------+   |                                            |             |
|  |                          |                      |                                            |             |
|  |  HTTP server <-----------<-------------------------------------------------------------------------------+ |
|  |  0.0.0.0:8000            |  HTTP request        |                     HTTP request           +-------------+
|  |                          |  10.0.1.2:8000       |                   192.168.1.112:8888
|  |                          |                      |
|  +--------------------------+                      |
+----------------------------------------------------+
I am using these commands to create the bridge interface my_br0 and the iptables rules on host-112:
# Create interface
sysctl -w net.ipv4.ip_forward=1
brctl addbr my_br0
ip addr add 10.0.1.1/24 dev my_br0
ip link set my_br0 up
sysctl -w net.ipv4.conf.my_br0.route_localnet=1
# Add iptables rules
iptables -t nat -A PREROUTING -p tcp --dport 8888 -j DNAT --to-destination 10.0.1.2:8000
iptables -t nat -A OUTPUT -p tcp --dport 8888 -j DNAT --to-destination 10.0.1.2:8000
iptables -t nat -A POSTROUTING -p tcp -o my_br0 -j MASQUERADE
iptables -A FORWARD -i my_br0 -p tcp --dport 8000 -j ACCEPT
iptables -A INPUT -i my_br0 -p tcp --sport 8000 -j ACCEPT
I run the HTTP server in the firejail sandbox like this:
firejail --noprofile --net=my_br0 --ip=10.0.1.2 python3 -m http.server 8000
It works fine when I make the request from the local host:
myself@host-112 $ curl 192.168.1.112:8888
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
...
But it does not work from a remote host on the same network:
myself@host-238 $ curl 192.168.1.112:8888
curl: (7) Failed to connect to 192.168.1.112 port 8888: Connection timed out
It seems the request is not being forwarded to the bridge interface properly.
Here is the full list of iptables rules on host-112:
# iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A INPUT -i my_br0 -p tcp -m tcp --sport 8000 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i my_br0 -p tcp -m tcp --dport 8000 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
# iptables -S -t nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -p tcp -m tcp --dport 8888 -j DNAT --to-destination 10.0.1.2:8000
-A POSTROUTING -s 172.19.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -o my_br0 -p tcp -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -p tcp -m tcp --dport 8888 -j DNAT --to-destination 10.0.1.2:8000
-A DOCKER -i docker0 -j RETURN
# iptables -S -t mangle
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
# iptables -S -t raw
-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
# iptables -S -t security
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
Do you know what I should do to make it work?
I got it working by changing the FORWARD rules:
iptables -A FORWARD -o my_br0 -j ACCEPT
iptables -A FORWARD -i my_br0 -j ACCEPT
The whole list of commands is now:
# Create interface
sysctl -w net.ipv4.ip_forward=1
brctl addbr my_br0
ip addr add 10.0.1.1/24 dev my_br0
ip link set my_br0 up
sysctl -w net.ipv4.conf.my_br0.route_localnet=1
# Add iptables rules
iptables -t nat -A PREROUTING -p tcp --dport 8888 -j DNAT --to-destination 10.0.1.2:8000
iptables -t nat -A OUTPUT -p tcp --dport 8888 -j DNAT --to-destination 10.0.1.2:8000
iptables -t nat -A POSTROUTING -p tcp -o my_br0 -j MASQUERADE
iptables -A FORWARD -o my_br0 -j ACCEPT
iptables -A FORWARD -i my_br0 -j ACCEPT
iptables -A INPUT -i my_br0 -p tcp --sport 8000 -j ACCEPT
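A tighter variant of the rules above, added here as an example; it is not part of the question or the answer. The first attempt in the question failed because a request from host-238 is rewritten by the PREROUTING DNAT before it reaches FORWARD, so FORWARD sees it as -i wlan0 -o my_br0 with destination 10.0.1.2:8000; the rule "-A FORWARD -i my_br0 --dport 8000" never matches that packet and the chain's DROP policy applies. The local curl worked only because locally generated traffic passes through OUTPUT and INPUT and never crosses FORWARD. The answer's fix, "-A FORWARD -i my_br0 -j ACCEPT", is broader than needed: it also lets the sandboxed process open new connections out of the bridge toward the host's networks. The script below keeps the question's NAT rules, accepts inbound connections only to the sandboxed service, and accepts packets leaving the bridge only for flows conntrack already knows. The variable names and the IPTABLES=echo dry-run switch are the example's own; the bridge (brctl, ip addr, ip_forward) is assumed to be set up as in the question.

```shell
#!/bin/sh
# Added example, not from the original question or answer: a tighter FORWARD
# policy for the DNAT-to-firejail setup. Variable names and the IPTABLES
# dry-run switch are this example's own; the bridge my_br0 with 10.0.1.1/24
# and net.ipv4.ip_forward=1 are assumed to exist already, as in the question.
set -eu

BRIDGE=${BRIDGE:-my_br0}            # bridge the sandbox is attached to
SANDBOX_IP=${SANDBOX_IP:-10.0.1.2}  # address given to firejail --ip
SANDBOX_PORT=${SANDBOX_PORT:-8000}  # port the sandboxed server listens on
PUBLIC_PORT=${PUBLIC_PORT:-8888}    # port exposed on the host
IPTABLES=${IPTABLES:-iptables}      # set IPTABLES=echo for a dry run

# NAT rules as in the question: rewrite :8888 to the sandbox for traffic
# arriving on any interface (PREROUTING) and for the host's own connections
# (OUTPUT); masquerade toward the bridge so the sandbox replies to 10.0.1.1.
nat_rules() {
    cat <<EOF
-t nat -A PREROUTING -p tcp --dport $PUBLIC_PORT -j DNAT --to-destination $SANDBOX_IP:$SANDBOX_PORT
-t nat -A OUTPUT -p tcp --dport $PUBLIC_PORT -j DNAT --to-destination $SANDBOX_IP:$SANDBOX_PORT
-t nat -A POSTROUTING -p tcp -o $BRIDGE -j MASQUERADE
EOF
}

# FORWARD sees packets after DNAT, so a request from the LAN arrives as
# "-i wlan0 -o my_br0 -d 10.0.1.2 --dport 8000": match the outgoing interface
# and the rewritten destination, not "-i my_br0". Packets coming back out of
# the bridge are accepted only when conntrack already knows the flow, so the
# sandbox cannot initiate connections toward the host's networks.
forward_rules() {
    cat <<EOF
-A FORWARD -o $BRIDGE -p tcp -d $SANDBOX_IP --dport $SANDBOX_PORT -j ACCEPT
-A FORWARD -i $BRIDGE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Hand each rule line to iptables as separate arguments. The rules contain
# only plain tokens, so word splitting is the intended behaviour here.
apply_rules() {
    { nat_rules; forward_rules; } | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        set -- $rule
        "$IPTABLES" "$@"
    done
}

# Number of rules the script would install (quick self-check).
rule_count() {
    { nat_rules; forward_rules; } | wc -l | tr -d ' '
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it as root once my_br0 exists (sh forward.sh apply); with IPTABLES=echo it only prints the rules. Because the rules are appended, they land after the Docker chains visible in the question's dump, which is fine: those chains only act on docker0 and RETURN for everything else.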