저는 Synology NAS에서 docker를 실행하고 있습니다. nas에는 docker가 컨테이너를 배치하는 개인 네트워크(172.17.0.0/16)가 있습니다. 또한 내 LAN에는 10.11.12.10/24라는 공용 인터페이스가 있습니다.
internet
^
|
|
+----+------+
| pfSense |
+-----+-----+
|
+-----+-----+
| switch |
+-+-------+-+
| |
| |
+---+--+ +-+---+
+------->| AP | | NAS |
| +------+ +--+--+
| |
+-----+--+ +--+--------+
| laptop | | container |
+--------+ +-----------+
LAN 인터페이스에서 Docker 컨테이너로 포트 전달을 설정하고 그런 식으로 컨테이너에서 SSH에 액세스하는 것이 전적으로 가능하지만 게으른 느낌이 들기 때문에 모든 트래픽을 다음으로 리디렉션하는 경로를 pfsense 방화벽에 추가할 수 있다고 생각했습니다. 172.17.0.0/16 내 LAN에서 NAS로 직접 연결됩니다.
이 경로는 작동하는 것으로 보이며 내 LAN에서 Docker 컨테이너로 직접 SSH를 연결할 수 있습니다. 그러나 이러한 SSH 세션은 45초 이상 지속될 수 없습니다.
➜ ~ date; ssh 172.17.0.2 -l root
Wed Oct 10 21:19:32 CEST 2018
Last login: Wed Oct 10 19:16:07 2018 from 10.11.12.182
root@ubuntu1:~# while true; do date; sleep 5; done
Wed Oct 10 19:19:42 UTC 2018
Wed Oct 10 19:19:47 UTC 2018
Wed Oct 10 19:19:52 UTC 2018
Wed Oct 10 19:19:57 UTC 2018
Wed Oct 10 19:20:02 UTC 2018
Wed Oct 10 19:20:07 UTC 2018
packet_write_wait: Connection to 172.17.0.2 port 22: Broken pipe
➜ ~
➜ ~
tcpdump중지하기 전에 본 마지막 패킷랩탑다음과 같습니다.
16:38:59.072210 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9633305, win 5348, options [nop,nop,TS val 561669488 ecr 134368964], length 0
16:38:59.103814 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [.], seq 9633305:9634753, ack 5966, win 199, options [nop,nop,TS val 134369004 ecr 561669467], length 1448
16:38:59.225048 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561669637 ecr 134369004], length 0
16:38:59.324726 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9628757:9630205, ack 5966, win 199, options [nop,nop,TS val 134369225 ecr 561669467], length 1448
16:38:59.324789 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561669736 ecr 134369004,nop,nop,sack 1 {9628757:9630205}], length 0
16:39:00.035790 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9628757:9630205, ack 5966, win 199, options [nop,nop,TS val 134369666 ecr 561669467], length 1448
16:39:00.035854 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561670445 ecr 134369004,nop,nop,sack 1 {9628757:9630205}], length 0
16:39:00.751550 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9628757:9630205, ack 5966, win 199, options [nop,nop,TS val 134370548 ecr 561669467], length 1448
16:39:00.751642 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561671159 ecr 134369004,nop,nop,sack 1 {9628757:9630205}], length 0
16:39:02.493382 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9628757:9630205, ack 5966, win 199, options [nop,nop,TS val 134372312 ecr 561669467], length 1448
16:39:02.493451 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561672900 ecr 134369004,nop,nop,sack 1 {9628757:9630205}], length 0
16:39:06.179874 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9628757:9630205, ack 5966, win 199, options [nop,nop,TS val 134375840 ecr 561669467], length 1448
16:39:06.179964 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561676574 ecr 134369004,nop,nop,sack 1 {9628757:9630205}], length 0
16:39:13.249689 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9628757:9630205, ack 5966, win 199, options [nop,nop,TS val 134382896 ecr 561669467], length 1448
16:39:13.249741 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561683642 ecr 134369004,nop,nop,sack 1 {9628757:9630205}], length 0
16:39:27.376570 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9628757:9630205, ack 5966, win 199, options [nop,nop,TS val 134396992 ecr 561669467], length 1448
16:39:27.376645 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561697743 ecr 134369004,nop,nop,sack 1 {9628757:9630205}], length 0
해당 tcpdump는퍼프센스라우팅 응답이 필요하지 않으므로 노트북에서 들어오는 트래픽만 표시됩니다.
16:38:59.083374 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9632853, win 5358, options [nop,nop,TS val 561669485 ecr 134368962], length 0
16:38:59.083422 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9632905, win 5361, options [nop,nop,TS val 561669488 ecr 134368962], length 0
16:38:59.083471 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9632957, win 5359, options [nop,nop,TS val 561669488 ecr 134368962], length 0
16:38:59.083510 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9633001, win 5358, options [nop,nop,TS val 561669488 ecr 134368963], length 0
16:38:59.083542 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9633053, win 5356, options [nop,nop,TS val 561669488 ecr 134368963], length 0
16:38:59.083581 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9633105, win 5355, options [nop,nop,TS val 561669488 ecr 134368963], length 0
16:38:59.083680 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9633157, win 5353, options [nop,nop,TS val 561669488 ecr 134368963], length 0
16:38:59.083731 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9633209, win 5351, options [nop,nop,TS val 561669488 ecr 134368964], length 0
16:38:59.083778 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9633261, win 5350, options [nop,nop,TS val 561669488 ecr 134368964], length 0
16:38:59.083824 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9633305, win 5348, options [nop,nop,TS val 561669488 ecr 134368964], length 0
16:38:59.228487 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561669637 ecr 134369004], length 0
16:38:59.328679 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561669736 ecr 134369004,nop,nop,sack 1 {9628757:9630205}], length 0
16:39:00.039683 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561670445 ecr 134369004,nop,nop,sack 1 {9628757:9630205}], length 0
16:39:00.755280 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561671159 ecr 134369004,nop,nop,sack 1 {9628757:9630205}], length 0
16:39:02.497019 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561672900 ecr 134369004,nop,nop,sack 1 {9628757:9630205}], length 0
16:39:06.183600 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561676574 ecr 134369004,nop,nop,sack 1 {9628757:9630205}], length 0
16:39:13.255414 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561683642 ecr 134369004,nop,nop,sack 1 {9628757:9630205}], length 0
16:39:27.380228 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561697743 ecr 134369004,nop,nop,sack 1 {9628757:9630205}], length 0
이것나스다음을 참조하세요
16:38:59.061977 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9632365:9632409, ack 5966, win 199, options [nop,nop,TS val 134368960 ecr 561669467], length 44
16:38:59.062027 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9628757, win 5360, options [nop,nop,TS val 561669467 ecr 134368941], length 0
16:38:59.062216 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9632409:9632453, ack 5966, win 199, options [nop,nop,TS val 134368960 ecr 561669467], length 44
16:38:59.062437 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9632453:9632505, ack 5966, win 199, options [nop,nop,TS val 134368961 ecr 561669467], length 52
16:38:59.062620 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9632505:9632549, ack 5966, win 199, options [nop,nop,TS val 134368961 ecr 561669467], length 44
16:38:59.062837 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9632549:9632601, ack 5966, win 199, options [nop,nop,TS val 134368961 ecr 561669467], length 52
16:38:59.062984 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9632601:9632653, ack 5966, win 199, options [nop,nop,TS val 134368961 ecr 561669467], length 52
16:38:59.063200 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9632653:9632697, ack 5966, win 199, options [nop,nop,TS val 134368961 ecr 561669467], length 44
16:38:59.063401 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9632697:9632749, ack 5966, win 199, options [nop,nop,TS val 134368962 ecr 561669467], length 52
16:38:59.063605 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9632749:9632801, ack 5966, win 199, options [nop,nop,TS val 134368962 ecr 561669467], length 52
16:38:59.063800 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9632801:9632853, ack 5966, win 199, options [nop,nop,TS val 134368962 ecr 561669467], length 52
16:38:59.064021 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9632853:9632905, ack 5966, win 199, options [nop,nop,TS val 134368962 ecr 561669467], length 52
16:38:59.064220 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9632905:9632957, ack 5966, win 199, options [nop,nop,TS val 134368962 ecr 561669467], length 52
16:38:59.064447 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9632957:9633001, ack 5966, win 199, options [nop,nop,TS val 134368963 ecr 561669467], length 44
16:38:59.064698 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9633001:9633053, ack 5966, win 199, options [nop,nop,TS val 134368963 ecr 561669467], length 52
16:38:59.064938 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9633053:9633105, ack 5966, win 199, options [nop,nop,TS val 134368963 ecr 561669467], length 52
16:38:59.065172 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9633105:9633157, ack 5966, win 199, options [nop,nop,TS val 134368963 ecr 561669467], length 52
16:38:59.065422 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9633157:9633209, ack 5966, win 199, options [nop,nop,TS val 134368964 ecr 561669467], length 52
16:38:59.065663 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9633209:9633261, ack 5966, win 199, options [nop,nop,TS val 134368964 ecr 561669467], length 52
16:38:59.065880 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9633261:9633305, ack 5966, win 199, options [nop,nop,TS val 134368964 ecr 561669467], length 44
16:38:59.105416 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [.], seq 9633305:9634753, ack 5966, win 199, options [nop,nop,TS val 134369004 ecr 561669467], length 1448
16:38:59.326452 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9628757:9630205, ack 5966, win 199, options [nop,nop,TS val 134369225 ecr 561669467], length 1448
16:38:59.767432 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9628757:9630205, ack 5966, win 199, options [nop,nop,TS val 134369666 ecr 561669467], length 1448
16:39:00.649466 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9628757:9630205, ack 5966, win 199, options [nop,nop,TS val 134370548 ecr 561669467], length 1448
16:39:02.413454 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9628757:9630205, ack 5966, win 199, options [nop,nop,TS val 134372312 ecr 561669467], length 1448
16:39:05.941490 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9628757:9630205, ack 5966, win 199, options [nop,nop,TS val 134375840 ecr 561669467], length 1448
16:39:12.997468 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9628757:9630205, ack 5966, win 199, options [nop,nop,TS val 134382896 ecr 561669467], length 1448
16:39:27.093471 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9628757:9630205, ack 5966, win 199, options [nop,nop,TS val 134396992 ecr 561669467], length 1448
제가 이 내용을 올바르게 읽고 있는지 잘 모르겠지만 마지막 몇 개의 패킷에는 동일한 ack/seq 값이 있습니다. 두 노드가 서로의 패킷을 볼 수 있지만 이러한 패킷이 동일한 세션의 일부라는 것을 인식할 수 없다고 믿게 됩니다.
어떤 아이디어가 있나요?
답변1
pfsense에 경로를 추가하면 트래픽이 이상해 보입니다.
노트북의 트래픽은 pfsense를 통해 반송되고 다시 NAS로 돌아온 다음 다시 컨테이너로 돌아옵니다. 그러나 컨테이너의 응답은 NAS를 통해 레이어 2 노트북으로 직접 전송됩니다. 라우팅이 필요하지 않습니다.
그 결과 해당 패킷만 허용하는 NAS의 방화벽이 혼란스러워지고 SSH 패킷과 첫 번째 SSH 연결 패킷 간의 관계가 무효화됩니다.
내 생각엔 NAS의 iptables conntrack이 세션을 종료하는 것 같습니다.
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DEFAULT_FORWARD
-N DOCKER
-N DOCKER-ISOLATION
-A FORWARD -j DEFAULT_FORWARD
-A DEFAULT_FORWARD -j DOCKER-ISOLATION
-A DEFAULT_FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DEFAULT_FORWARD -o docker0 -j DOCKER
-A DEFAULT_FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DEFAULT_FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
pfsense에서 경로를 제거하고 노트북에서 직접 구성하는 것이 더 잘 작동하는 것 같습니다.
macOS에서 경로를 추가하는 방법:
sudo route add 172.17.0.0/16 10.11.12.10