20170615_jeffrey - silenceuncrio/diary GitHub Wiki
This release brought me one more new issue - 0000433: [DMZ] DMZ no effect
version: 2017/6/8
PC-A <-LAN-> M300 <-WAN-> PC-B
PC-A : 192.168.1.50
PC-A : iperf -s -u -p 7000 (UDP Server)
PC-A : iperf -s (TCP server)
M300 : DMZ enable (192.168.1.50)
PC-B command :
iperf -c 192.168.2.1 (TCP test)
iperf -c 192.168.2.1 -u -p 7000 (UDP test)
Result:
1. PC-B ping 192.168.2.1 fail
2. PC-B : iperf -c 192.168.2.1 fail
3. PC-B : iperf -c 192.168.2.1 -u -p 7000 fail
Borrowed from aaron the company notebook that ariel had applied for
- IP: 192.168.2.33
- Mask: 255.255.255.0
- Default Gateway: 192.168.2.1
Configured the WAN Ethernet of the M300 on my desk as follows
- Work As: Static IPv4
- Static IPv4 Configuration
- IP Address: 192.168.2.1
- IP Mask: 255.255.255.0
- Gateway Address: 192.168.2.33
I'll call ariel's company notebook the wan-side pc
+---------------------+
| |
| wan-side pc |
| |
+---+-----------------+
| 192.168.2.33
|
|
| 192.168.2.1(wan)
+---+-----------------+
| |
| M300 |
| |
+---------------------+
First use ping to confirm connectivity between the wan-side pc and the M300
- ping from wan-side pc to M300: pass
- ping from M300 to wan-side pc: fail
  - cause still to be confirmed
Connected my own desktop pc to the LAN side of the M300
+---------------------+
| |
| wan-side pc |
| |
+---+-----------------+
| 192.168.2.33
|
|
| 192.168.2.1(wan)
+---+-----------------+
| |
| M300 |
| |
+---+-----------------+
| 192.168.1.1(lan)
|
|
| 192.168.1.113
+---+-----------------+
| |
| lan-side pc |
| |
+---------------------+
First use ping to confirm connectivity between the lan-side pc and the M300
- ping from lan-side pc to M300: pass
- ping from M300 to lan-side pc: pass
Configured the DMZ of the M300 on my desk as follows
- Mode: Enable
- Host IP Address: 192.168.1.113
Use iptables -t nat -L to take a look at the rules of every chain in the nat table
iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
VPNPreRouting all -- anywhere anywhere
DNatPreRouting all -- anywhere anywhere
DmzPreRouting all -- anywhere anywhere
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
VPNPostRouting all -- anywhere anywhere
SNatPostRouting all -- anywhere anywhere
PptpPostRouting all -- anywhere anywhere
L2tpPostRouting all -- anywhere anywhere
...
The DMZ rule lives in the DmzPreRouting chain
bash-4.3# iptables -t nat -nvL DmzPreRouting
Chain DmzPreRouting (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT all -- * * 0.0.0.0/0 192.168.2.1 to:192.168.1.113
- ping from wan-side pc to M300: fail
Take a look at the counters of DmzPreRouting
bash-4.3# iptables -t nat -nvL DmzPreRouting
Chain DmzPreRouting (1 references)
pkts bytes target prot opt in out source destination
4 240 DNAT all -- * * 0.0.0.0/0 192.168.2.1 to:192.168.1.113
4 pkts were counted, so why is there no reply?
Had a quick chat with john; john says I also need to add a rule to some forward chain.
See ApplyDNatOn() in dnatcfg.c, the "Add Rule to DNAT FWD chain" part:
// ==========================================================================
// | Add Rule to DNAT FWD chain
// ==========================================================================
//memset(szDstIpAddr,0,sizeof(szDstIpAddr));
//IPv42String(&(pEntry->dstIpAddr), szDstIpAddr);
memset(fwszDPort,0,sizeof(fwszDPort));
strncpy(fwszDPort,szDPort,sizeof(fwszDPort));
if(3==port_type || (2==port_type && (pEntry->srcPortBen==pEntry->dstPort)))
{
memset(fwszDPort,0,sizeof(fwszDPort));
sprintf(fwszDPort, "--dport %d:%d",pEntry->dstPort,pEntry->dstPort+(pEntry->srcPortEnd-pEntry->srcPortBen));
}
else if (pEntry->dstPort!=0)
{
memset(fwszDPort,0,sizeof(fwszDPort));
sprintf(fwszDPort, "--dport %d",pEntry->dstPort);
}
IPTF_A("%s -i %s -p %s -d %s %s -m state --state NEW -j ACCEPT",IPT_UC_DNAT_FWD,szIfName, pProtocol, szDstIpAddr,fwszDPort);
First find out where john's DNAT_FWD chain actually sits.
See InitIpTables() in firewallcfg.c:
//============FORWARD===========
//===>Mac/Ip filter
IPTF_JOIN_AND_NEW("FORWARD",IPT_UC_MAC_FILTER,NULL);
IPTF_JOIN_AND_NEW("FORWARD",IPT_UC_IP_FILTER,NULL);
//===>Cost Sensitive(LTE rate limit....)
IPTF_JOIN_AND_NEW("FORWARD",IPT_UC_LTE_LIMIT,NULL);
//===>Management(ssh/snmp/web...)
IPTF_JOIN_AND_NEW("FORWARD",IPT_UC_MGMT_FWD,NULL);
//===>VPN(ipsec/openvpn...)
IPTF_JOIN_AND_NEW("FORWARD",IPT_UC_VPN_FWD,NULL);
//===>DNAT(port forward)
IPTF_JOIN_AND_NEW("FORWARD",IPT_UC_DNAT_FWD,NULL);
Let's use john's DNAT_FWD user-defined chain for a few experiments first.
Add the two rules below and watch the counters (a rule without a -j target only counts the packets that match it and lets them carry on down the chain):
bash-4.3# iptables -t filter -A DNAT_FWD -o lan -d 192.168.1.113
bash-4.3# iptables -t filter -A DNAT_FWD -i lan -s 192.168.1.113
Confirm that the counters are all at zero. The -Z chain option zeroes the packet and byte counters of a chain.
bash-4.3# iptables -t filter -nvL DNAT_FWD
Chain DNAT_FWD (1 references)
pkts bytes target prot opt in out source destination
0 0 all -- * lan 0.0.0.0/0 192.168.1.113
0 0 all -- lan * 192.168.1.113 0.0.0.0/0
bash-4.3# iptables -t nat -nvL DmzPreRouting
Chain DmzPreRouting (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT all -- * * 0.0.0.0/0 192.168.2.1 to:192.168.1.113
- ping from wan-side pc to M300
  - ping 192.168.2.1 -s 4
  - only send four
bash-4.3# iptables -t nat -nvL DmzPreRouting
Chain DmzPreRouting (1 references)
pkts bytes target prot opt in out source destination
4 400 DNAT all -- * * 0.0.0.0/0 192.168.2.1 to:192.168.1.113
bash-4.3# iptables -t filter -nvL DNAT_FWD
Chain DNAT_FWD (1 references)
pkts bytes target prot opt in out source destination
4 400 all -- * lan 0.0.0.0/0 192.168.1.113
0 0 all -- lan * 192.168.1.113 0.0.0.0/0
From the counters, 4 packets did go out through the lan interface to 192.168.1.113.
So why are no packets seen coming back in from lan?
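A small helper that automates the counter experiment above. It is an added example, not code from the diary or from the M300 firmware: it zeroes the DMZ nat chain and the FORWARD side chain, gives the operator time to send a known number of probes from the wan-side pc (Windows ping sends four echo requests by default; `ping -n 4` on Windows or `ping -c 4` on Linux pins the count explicitly), then prints the per-chain counters. The part worth having in a script is the parsing of `iptables -nvL`: a counting rule with no -j target prints an empty target column, which shifts every field under awk's default splitting. The chain names DmzPreRouting and DNAT_FWD are the ones used on this page; the function names, the sleep-based handshake and the constructed sample used in the tests are this example's own.

```shell
#!/bin/sh
# Added example, not from the diary or the M300 firmware. Automates the
# counter experiment: zero the DMZ nat chain and the FORWARD side chain, let
# the operator send a known number of probes from the wan-side pc, then report
# how many packets each rule saw.

# rule_pkts: read `iptables -nvL <chain>` output on stdin and print one line
# per rule as "<pkts> <target> <in> <out> <source> <destination>".
# A rule without -j prints an empty target column; under awk's default field
# splitting that column vanishes and the "opt" value ("--") shows up as $4
# instead of $5, so detect that case by position and report the target as
# "none". (Assumes the default "--" opt value, which is what the page shows.)
rule_pkts() {
    awk 'NR > 2 && NF > 0 {
        if ($4 == "--") { print $1, "none", $5, $6, $7, $8 }
        else            { print $1, $3, $6, $7, $8, $9 }
    }'
}

# chain_total: sum of the pkts column over every rule of a chain listing.
chain_total() {
    rule_pkts | awk '{ s += $1 } END { print s + 0 }'
}

# dmz_trace [FWD_CHAIN] [SECONDS]: zero the counters, wait for the probes,
# then report. FWD_CHAIN defaults to DNAT_FWD, the chain borrowed for the
# experiment on this page. Needs root and iptables on the box.
dmz_trace() {
    fwd=${1:-DNAT_FWD}
    secs=${2:-10}
    iptables -t nat -Z DmzPreRouting
    iptables -t filter -Z "$fwd"
    echo "send the probes from the wan-side pc now (${secs}s), e.g. ping -n 4 192.168.2.1"
    sleep "$secs"
    echo "DmzPreRouting total: $(iptables -t nat -nvL DmzPreRouting | chain_total)"
    echo "$fwd per rule (pkts target in out source destination):"
    iptables -t filter -nvL "$fwd" | rule_pkts
}
```

Reading the output: the run above showed 4 packets on the `-o lan` counting rule and 0 on the `-i lan` one. A counting rule has no target, so the probe continues to whatever follows in FORWARD; a zero return count therefore means either that a later FORWARD rule or the chain policy dropped the probe before it left the router, or that the lan host never answered. A packet capture on the lan interface, if a capture tool is present on the image (not stated on this page), tells the two apart.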
Setting ping's behaviour aside for now, I've found that adding just one more rule, the one below, to john's DNAT_FWD user-defined chain is enough to make DQA's iperf test pass:
iptables -t filter -A DNAT_FWD -o lan -d 192.168.1.113 -m state --state NEW -j ACCEPT
Since DQA also mentioned yesterday that, with DMZ enabled, pinging the M300 from the wan side gets no reply, I'll fix that as well:
when appending rules to DmzPreRouting, explicitly restrict the protocol to tcp and udp.
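The same rule set that the patch below installs, written out as the iptables commands one would type on the box to validate the fix by hand before rebuilding the image. This is an added example, not the diary's or the M300 firmware's code: the chain names DmzPreRouting and DmzForward, the lan interface name and the test addresses are taken from this page, while the dmz_chain_setup helper and the IPT dry-run variable are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not the M300 firmware's code): the DMZ rule set as plain
# iptables commands, for trying the fix by hand on a running box.
# IPT defaults to "echo" (dry run: the commands are printed, not applied);
# run with IPT=iptables as root on the device to apply them. Chain names come
# from the firmware, the "lan" interface name from this page.
IPT="${IPT:-echo}"

# dmz_chain_setup: create the filter-table DmzForward chain and link it from
# FORWARD. The fixed image does this in InitIpTables() right after DNAT_FWD;
# when doing it by hand with -A, make sure it lands before any final DROP rule
# already in FORWARD (use -I FORWARD <pos> -j DmzForward if it does not).
# This helper is an assumption of the example, only needed on a pre-fix image.
dmz_chain_setup() {
    $IPT -t filter -N DmzForward
    $IPT -t filter -A FORWARD -j DmzForward
}

# dmz_enable WAN_IP DMZ_HOST: flush both chains, DNAT only tcp and udp so an
# ICMP echo request for WAN_IP still reaches the router itself, and accept the
# DNAT'd flows in FORWARD. Like the DNAT_FWD rule in dnatcfg.c this admits
# NEW connections only; reply packets rely on the firewall's existing state
# handling.
dmz_enable() {
    wan_ip=$1
    host=$2
    $IPT -t nat -F DmzPreRouting
    $IPT -t nat -A DmzPreRouting -p tcp -d "$wan_ip" -j DNAT --to-destination "$host"
    $IPT -t nat -A DmzPreRouting -p udp -d "$wan_ip" -j DNAT --to-destination "$host"
    $IPT -t filter -F DmzForward
    $IPT -t filter -A DmzForward -o lan -d "$host" -m state --state NEW -j ACCEPT
}

# dmz_disable: DMZ mode off, both chains emptied (the mode-off path of the
# patch flushes both chains the same way).
dmz_disable() {
    $IPT -t nat -F DmzPreRouting
    $IPT -t filter -F DmzForward
}

# Dry run for this page's test setup: wan 192.168.2.1, DMZ host 192.168.1.113.
if [ "$IPT" = echo ]; then
    dmz_enable 192.168.2.1 192.168.1.113
fi
```

Run it once with the default IPT to read the five commands, then `IPT=iptables sh dmz.sh` on the M300; `iptables -t nat -nvL DmzPreRouting` and `iptables -t filter -nvL DmzForward` afterwards should show the two DNAT rules and the single ACCEPT rule exactly as in the diff.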
diff --git a/proscend/prosrc/icos/icoslib/dmz/dmzcfg.c b/proscend/prosrc/icos/icoslib/dmz/dmzcfg.c
index 0be96f7..a5dbc72 100644
--- a/proscend/prosrc/icos/icoslib/dmz/dmzcfg.c
+++ b/proscend/prosrc/icos/icoslib/dmz/dmzcfg.c
@@ -238,9 +238,17 @@ static int _notify(PRO_EVENT *pevent)
char szSrcIpAddr[16], szDstIpAddr[16];
IPv42String(&wanIpRmt, szSrcIpAddr);
IPv42String(&(pconfig->hostIpAddr), szDstIpAddr);
+
IPTN_F(IPT_UC_DMZ_PRER);
- IPTN_A("%s -d %s -j DNAT --to-destination %s",
+ IPTN_A("%s -p tcp -d %s -j DNAT --to-destination %s",
+ IPT_UC_DMZ_PRER, szSrcIpAddr, szDstIpAddr);
+ IPTN_A("%s -p udp -d %s -j DNAT --to-destination %s",
IPT_UC_DMZ_PRER, szSrcIpAddr, szDstIpAddr);
+
+ IPTN_F(IPT_UC_DMZ_FWD);
+ IPTF_A("%s -o lan -d %s -m state --state NEW -j ACCEPT",
+ IPT_UC_DMZ_FWD, szDstIpAddr);
+
}
else
{
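Review bot: the `-p tcp` / `-p udp` split of the DNAT rule fixes the WAN-side ping to the router, but it also silently changes what the DMZ forwards: ICMP, GRE, ESP and every other IP protocol now stop at the router instead of reaching the DMZ host, so a DMZ host that is pinged from outside or that terminates a PPTP/IPsec tunnel no longer works. If the goal is only to keep the router reachable by ping, a narrower exclusion in `IPT_UC_DMZ_PRER` (for example a `-p icmp -j RETURN` rule ahead of one protocol-agnostic `-d %s -j DNAT --to-destination %s`) keeps the rest of the DMZ intact. Separately, neither the DNAT rules nor the new `IPTF_A("%s -o lan -d %s -m state --state NEW -j ACCEPT", ...)` carry an ingress-interface qualifier, unlike `ApplyDNatOn()` in dnatcfg.c which passes `-i szIfName`; as written a LAN host that addresses the router's WAN IP is DNAT'd as well, and the ACCEPT rule hardcodes the interface name `lan`.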
@@ -251,6 +259,7 @@ static int _notify(PRO_EVENT *pevent)
{
CPRT("ATTVAL_MODE_OFF\n");
IPTN_F(IPT_UC_DMZ_PRER);
+ IPTN_F(IPT_UC_DMZ_FWD);
}
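Review bot: flushing `IPT_UC_DMZ_FWD` next to `IPT_UC_DMZ_PRER` on the mode-off path is right; check that the `else` branch that closes the first hunk (its body is outside this diff) does the same, since every path that flushes `DmzPreRouting` must also flush `DmzForward`: a leftover `-o lan -d <old host> -m state --state NEW -j ACCEPT` keeps admitting new forwarded connections to a host the DMZ no longer points at.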
@@ -284,9 +293,17 @@ static int _notify(PRO_EVENT *pevent)
char szSrcIpAddr[16], szDstIpAddr[16];
IPv42String(&wanIpRmt, szSrcIpAddr);
IPv42String(&(setting.hostIpAddr), szDstIpAddr);
+
IPTN_F(IPT_UC_DMZ_PRER);
- IPTN_A("%s -d %s -j DNAT --to-destination %s",
+ IPTN_A("%s -p tcp -d %s -j DNAT --to-destination %s",
+ IPT_UC_DMZ_PRER, szSrcIpAddr, szDstIpAddr);
+ IPTN_A("%s -p udp -d %s -j DNAT --to-destination %s",
IPT_UC_DMZ_PRER, szSrcIpAddr, szDstIpAddr);
+
+ IPTN_F(IPT_UC_DMZ_FWD);
+ IPTF_A("%s -o lan -d %s -m state --state NEW -j ACCEPT",
+ IPT_UC_DMZ_FWD, szDstIpAddr);
+
}
}
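Review bot: this block is a verbatim copy of the enable block in the first hunk (same `IPTN_F`, same two DNAT rules, same `IPTN_F(IPT_UC_DMZ_FWD)` and `IPTF_A` ACCEPT), with only `setting.hostIpAddr` in place of `pconfig->hostIpAddr`; the two will drift the next time one of them is touched. Factor the rule construction into one static helper taking `szSrcIpAddr` and `szDstIpAddr`, and call it from both places, so a future change to the protocol list or the forward rule happens once.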
diff --git a/proscend/prosrc/icos/icoslib/firewall/firewallcfg.c b/proscend/prosrc/icos/icoslib/firewall/firewallcfg.c
index 21be10e..3070d46 100644
--- a/proscend/prosrc/icos/icoslib/firewall/firewallcfg.c
+++ b/proscend/prosrc/icos/icoslib/firewall/firewallcfg.c
@@ -657,6 +657,7 @@ static int InitIpTables(sFirewallConfig *pCfg)
IPTF_JOIN_AND_NEW("FORWARD",IPT_UC_VPN_FWD,NULL);
//===>DNAT(port forward)
IPTF_JOIN_AND_NEW("FORWARD",IPT_UC_DNAT_FWD,NULL);
+ IPTF_JOIN_AND_NEW("FORWARD",IPT_UC_DMZ_FWD,NULL);
//===>Others(...)
//===>Filter tables(mac filter/ip filter/url filter/packet filter...)
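Review bot: `IPTF_JOIN_AND_NEW("FORWARD",IPT_UC_DMZ_FWD,NULL);` is slipped under the `//===>DNAT(port forward)` comment, while every other chain in this block has its own `//===>` marker; add `//===>DMZ` (or extend the comment to "DNAT(port forward)/DMZ") so that the evaluation order, port-forward rules first and then DMZ, which matches the nat side (`DNatPreRouting` before `DmzPreRouting` in the `iptables -t nat -L` listing above), is documented rather than incidental.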
diff --git a/proscend/prosrc/icos/include/module_firewall.h b/proscend/prosrc/icos/include/module_firewall.h
index cd9d194..621265a 100644
--- a/proscend/prosrc/icos/include/module_firewall.h
+++ b/proscend/prosrc/icos/include/module_firewall.h
@@ -108,6 +108,7 @@ extern int dimFirewallAttTypeTable;
#define IPT_UC_FW_FWD "FW_FWD" //LOW
//#define IPT_UC_FIREWALL "FIREWALL" //HIGH
#define IPT_UC_DNAT_FWD "DNAT_FWD"
+#define IPT_UC_DMZ_FWD "DmzForward"
//filter-output
#define IPT_UC_LPBK_OUT "LPBK_OUTPUT" //local loopback interface
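Review bot: `"DmzForward"` breaks the naming convention of this header: the filter-table chains around it use upper-case snake (`FW_FWD`, `DNAT_FWD`, `LPBK_OUTPUT`), and CamelCase is used for the nat-table chains (`DmzPreRouting`, `DNatPreRouting`). Name it `DMZ_FWD` to sit beside `DNAT_FWD`, or rename consistently; otherwise `iptables -nvL FORWARD` shows two styles in the same table, and the commit message is the only place that explains why.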
Build an image and give it a try
Looks like DMZ is sorted out
+--------------------------+
| wan-side pc |
| [iperf -c 192.168.2.1] |
+---+----------------------+
| 192.168.2.33
|
| 192.168.2.1(wan)
+---+----------------------+
| M300 |
| DMZ |
| * mode: enable |
| * host: 192.168.1.113 |
+---+----------------------+
| 192.168.1.1(lan)
|
| 192.168.1.113
+---+----------------------+
| lan-side pc |
| [iperf -s] |
+--------------------------+
With the environment above the test PASSes,
and the wan-side pc can also ping the M300's 192.168.2.1 (wan).
VirtualBox just had to be restarted because of network trouble,
and I found that the way 20170103_jeffrey re-enters docker is wrong:
it actually creates a new docker container
...
No wonder I have so many docker containers...
➜ ~ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2f192722794e m300 "/bin/bash" 4 weeks ago Up 34 seconds fervent_keller
7452da32d3b0 m300 "/bin/bash" 4 weeks ago Exited (0) 4 weeks ago elegant_swanson
19dd665674c4 m300 "/bin/bash" 9 weeks ago Exited (0) 4 weeks ago kickass_bell
dc80b8bc20f1 m300 "/bin/bash" 9 weeks ago Exited (0) 9 weeks ago admiring_borg
c8b048d6f751 jeffreyproscend/docker-whale "/bin/sh -c '/usr/gam" 3 months ago Exited (0) 3 months ago pensive_wilson
be4460d4e4ef jeffreyproscend/docker-whale "/bin/sh -c '/usr/gam" 3 months ago Exited (0) 3 months ago adoring_colden
979865f5fc93 5377cb54dbdf "/bin/sh -c '/usr/gam" 3 months ago Exited (0) 3 months ago tiny_dubinsky
8f4ace0ff0be 5377cb54dbdf "/bin/sh -c '/usr/gam" 3 months ago Exited (0) 3 months ago serene_davinci
3946e7778509 docker/whalesay "cowsay boo-what" 3 months ago Exited (0) 3 months ago gigantic_brown
822a4d4fb0f0 docker/whalesay "cowsay boo-boo" 3 months ago Exited (0) 3 months ago gloomy_wing
de450161aadf docker/whalesay "cowsay boo" 3 months ago Exited (0) 3 months ago ecstatic_bassi
74ed310a7502 hello-world "/hello" 3 months ago Exited (0) 3 months ago pensive_fermi
76209d129a5e m300 "/bin/bash" 3 months ago Exited (0) 9 weeks ago mad_noyce
f491eff34233 m300 "/bin/bash" 3 months ago Exited (0) 3 months ago kickass_mccarthy
d1600ccdcfd6 m300 "/bin/bash" 3 months ago Exited (0) 3 months ago admiring_agnesi
d8d647e1bb3e m300 "/bin/bash" 3 months ago Exited (0) 3 months ago admiring_carson
96071aed6837 m300 "/bin/bash" 3 months ago Exited (0) 3 months ago tiny_lovelace
b193cb831e55 m300 "/bin/bash" 3 months ago Exited (0) 3 months ago nostalgic_aryabhata
e7c868eabd2e m300 "/bin/bash" 5 months ago Exited (0) 3 months ago thirsty_morse
0cdaf0844d2b m300 "/bin/bash" 5 months ago Exited (0) 5 months ago sad_boyd
7352bc35a25a m300 "/bin/bash" 5 months ago Exited (0) 5 months ago reverent_noyce
54ca5c09a764 m300 "/bin/bash" 5 months ago Exited (0) 5 months ago gloomy_dijkstra
bdbfb23c7e05 m300 "/bin/bash" 5 months ago Exited (0) 5 months ago focused_sammet
39cf45d83b59 m300 "/bin/bash" 5 months ago Exited (0) 5 months ago kickass_kalam
30e08a478d9e m300 "/bin/bash" 6 months ago Exited (0) 5 months ago m300
start the most recent one
➜ ~ docker start 2f192722794e
2f192722794e
➜ ~ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2f192722794e m300 "/bin/bash" 4 weeks ago Up About a minute fervent_keller
then attach to that container
➜ ~ docker attach 2f192722794e
root@2f192722794e:~#
Finally I can commit the code
commit 6ce454572c048cef91f923e54c814f043c77aa2c
Author: jeffrey <[email protected]>
Date: Thu Jun 15 16:17:21 2017 +0800
Solve issue - 0000433: [DMZ] DMZ no effect
- add a new user-defined chain 'DmzForward' to the 'filter' table's 'FORWARD' chain
- add the related rule to chain 'DmzForward' when DMZ is enabled
- make the rules in chain 'DmzPreRouting' apply only to protocols 'tcp' and 'udp'
- a wan-side ping (ICMP request) will not match the rules in chain 'DmzPreRouting'
Note: the fix was verified in the following test scenario
+--------------------------+
| wan-side pc |
| [iperf -c 192.168.2.1] |
+---+----------------------+
| 192.168.2.33
|
| 192.168.2.1(wan)
+---+----------------------+
| M300 |
| DMZ |
| * mode: enable |
| * host: 192.168.1.113 |
+---+----------------------+
| 192.168.1.1(lan)
|
| 192.168.1.113
+---+----------------------+
| lan-side pc |
| [iperf -s] |
+--------------------------+