Given the following:
A host called Middleman has these interfaces:
Interface | Address | Location | Master VRF
---|---|---|---
enp1s0 | 192.168.2.99 | extranet | vrf-outer
enp2s0 | 192.168.2.1 | intranet | vrf-inner
Assume the external network has the default gateway 192.168.2.1, and that there is another network, 192.168.3.0/24. If there is a machine 192.168.2.22 on the external network and a machine with the same IP on the internal network, they can talk to each other using the 192.168.3.0/24 network. When host 192.168.2.22 on the external network wants to connect to 192.168.2.22 on the internal network, it uses the IP 192.168.3.22. The packet arrives on enp1s0, is dstnat:ed, routed via vrf-outer, srcnat:ed, and routed out through enp2s0 to the right machine. The reply then takes the same path back thanks to conntrack nat.
Some of this now works, using a configuration modified from the question here, but I cannot SSH to 192.168.2.99 from a machine on the external network. Instead I get "connection refused" from vrf-outer (found via wireshark). Pinging 192.168.2.99 from the same machine works, and all communication between machines on the internal and external networks (and the internet) works.
Running `ssh 192.168.2.99` from the external host 192.168.2.234 gives the following message flow:
- external host -> enp1s0 (192.168.2.234 -> 192.168.2.99) [SYN]
- enp1s0 -> vrf-outer (192.168.2.234 -> 192.168.2.99) [SYN]
- vrf-outer -> enp1s0 (192.168.2.99 -> 192.168.2.234) [RST, ACK]
- enp1s0 -> external host (192.168.2.99 -> 192.168.2.234) [RST, ACK]
`conntrack -L` shows no tracking entry for this connection, and `nft monitor trace` shows only `verdict accept` for every rule. Firewalld is configured to allow SSH on all interfaces and zones.
The configuration I use is included below. Thanks for your time!
```bash
#!/bin/bash
TW_INT="vrf-tw-int"
TW_EXT="vrf-tw-ext"
EXT="enp1s0"
INT="enp2s0"
DESIRED_ZONE="FedoraServer"
############################### SET ECHO COMMAND WHEN EXECUTING ###################################
set -x
############################### ENABLE IP-FORWARDING ##############################################
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1
############################### REMOVE OLD VRF INTERFACES #########################################
nmcli con del ${TW_INT} || true
nmcli con del ${TW_EXT} || true
############################### ADD VRF INTERFACES ################################################
nmcli con add type vrf con-name ${TW_INT} ifname ${TW_INT} table 100 ipv4.method disabled ipv6.method disabled
nmcli con add type vrf con-name ${TW_EXT} ifname ${TW_EXT} table 200 ipv4.method disabled ipv6.method disabled
############################### SET VRF INTERFACES UP #############################################
nmcli con up ${TW_INT}
nmcli con up ${TW_EXT}
############################### ADD VRF INTERFACES TO ACTUAL INTERFACES ###########################
nmcli con mod ${INT} master ${TW_INT}
nmcli con mod ${EXT} master ${TW_EXT}
nmcli con up ${INT}
nmcli con up ${EXT}
############################### ADD IP-ADDRESSES ##################################################
nmcli con mod ${INT} ipv4.addresses 192.168.2.1/24
nmcli con mod ${INT} ipv4.method manual
nmcli con up ${INT}
ip route show table 100
ip route show table 200
ip route
############################### MOVE INTERFACES IN FIREWALLD AND SET FORWARD ######################
ZONE_INT=$(firewall-cmd --get-zone-of-interface=${INT})
ZONE_EXT=$(firewall-cmd --get-zone-of-interface=${EXT})
ZONE_TW_INT=$(firewall-cmd --get-zone-of-interface=${TW_INT})
ZONE_TW_EXT=$(firewall-cmd --get-zone-of-interface=${TW_EXT})
firewall-cmd --zone=${DESIRED_ZONE} --add-forward --permanent
firewall-cmd --zone=${ZONE_INT} --remove-interface ${INT} --permanent
firewall-cmd --zone=${ZONE_EXT} --remove-interface ${EXT} --permanent
firewall-cmd --zone=${ZONE_TW_INT} --remove-interface ${TW_INT} --permanent
firewall-cmd --zone=${ZONE_TW_EXT} --remove-interface ${TW_EXT} --permanent
firewall-cmd --zone=${DESIRED_ZONE} --add-interface ${INT} --permanent
firewall-cmd --zone=${DESIRED_ZONE} --add-interface ${EXT} --permanent
firewall-cmd --zone=${DESIRED_ZONE} --add-interface ${TW_INT} --permanent
firewall-cmd --zone=${DESIRED_ZONE} --add-interface ${TW_EXT} --permanent
firewall-cmd --reload
ip addr
############################### ADD CONNTRACK LABELS ##############################################
mkdir -p /etc/xtables
cat << EOF > /etc/xtables/connlabel.conf
1 INSIDE
2 OUTSIDE
EOF
ln -s /etc/xtables/connlabel.conf /etc/connlabel.conf
ln -s /etc/xtables/connlabel.conf /etc/nftables/connlabel.conf
############################### ADD ROUTING RULES FOR MARKED PACKETS ##############################
# fwmark 100 (set on packets entering from INT) is looked up in the EXT table and vice versa
ip rule add prio 100 fwmark 100 lookup 200
ip rule add prio 200 fwmark 200 lookup 100
############################### ADD DEFAULT ROUTE FOR MACHINE #####################################
ip route add default via 192.168.2.1 dev ${EXT}
############################### FIX VRF ROUTE SOURCES #############################################
# Re-add the connected and default routes without a preferred source address
ip route del 192.168.2.0/24 dev ${EXT} proto kernel scope link src 192.168.2.99 metric 105 table 200 || true
ip route add 192.168.2.0/24 dev ${EXT} proto kernel scope link metric 105 table 200 || true
ip route del default via 192.168.2.1 dev ${EXT} proto dhcp src 192.168.2.99 metric 105 table 200 || true
ip route add default via 192.168.2.1 dev ${EXT} proto dhcp metric 105 table 200 || true
ip route del 192.168.2.0/24 dev ${INT} proto kernel scope link src 192.168.2.1 metric 106 table 100 || true
ip route add 192.168.2.0/24 dev ${INT} proto kernel scope link metric 106 table 100 || true
############################### ADD TABLES AND FLUSH OLD TABLES ###################################
nft 'add table ip twilight'
nft 'delete table ip twilight'
nft 'add table ip twilight'
############################### ADD PREROUTING CHAINS #############################################
nft 'add chain ip twilight prerouting { type nat hook prerouting priority -100; policy accept; }'
############################### ADD PREROUTING MANGLE CHAINS ######################################
nft 'add chain ip twilight premangle { type filter hook prerouting priority -180; policy accept; }'
############################### ADD RAW (PRE-CONNTRACK) CHAINS ####################################
nft 'add chain ip twilight raw { type filter hook prerouting priority raw; policy accept; }'
############################### ADD POSTROUTING CHAINS ############################################
nft 'add chain ip twilight postrouting { type nat hook postrouting priority 100; policy accept; }'
############################### ADD FORWARDING CHAINS #############################################
nft 'add chain ip twilight forward { type filter hook forward priority filter; policy accept; }'
############################### ADD EXTERNAL TRANSLATION MAPS #####################################
nft 'add map ip twilight from_192_168_3_0_to_192_168_2_0 { type ipv4_addr: ipv4_addr; }'
############################### ADD INTERNAL TRANSLATION MAPS #####################################
nft 'add map ip twilight from_192_168_2_0_to_192_168_3_0 { type ipv4_addr: ipv4_addr; }'
############################### ADD DEBUG RULES FOR ALL PACKETS ###################################
nft 'add rule ip twilight prerouting meta nftrace set 1'
nft 'add rule ip twilight postrouting meta nftrace set 1'
nft 'add rule ip twilight forward meta nftrace set 1'
nft 'add rule ip twilight raw meta nftrace set 1'
nft 'add rule ip twilight premangle meta nftrace set 1'
############################### ADD DNAT RULES ####################################################
nft 'add rule ip twilight prerouting ip daddr 192.168.3.0/24 meta nftrace set 1 dnat to ip daddr map @from_192_168_3_0_to_192_168_2_0'
############################### ADD ROUTING RULES - MARK PACKETS ##################################
nft "add rule ip twilight raw iif ${INT} ip daddr 192.168.3.0/24 meta mark set 100"
nft "add rule ip twilight raw iif ${EXT} ip daddr 192.168.3.0/24 meta mark set 200"
nft "add rule ip twilight prerouting iif ${INT} ip daddr != 192.168.3.0/24 ct label set INSIDE"
nft "insert rule ip twilight premangle iif ${EXT} ct label INSIDE meta mark set 200"
############################### TELL CONNTRACK ORIGINAL ZONES FOR MARKED PACKETS ##################
nft "add rule ip twilight raw iif ${INT} ip saddr 192.168.2.0/24 ip daddr != 192.168.2.0/24 ct original zone set 100"
nft "add rule ip twilight raw iif ${EXT} ip saddr 192.168.2.0/24 ip daddr != 192.168.2.0/24 ct original zone set 200"
############################### ADD SNAT RULES ####################################################
nft 'add rule ip twilight postrouting ip saddr 192.168.2.0/24 ip daddr 192.168.2.0/24 meta nftrace set 1 snat to ip saddr map @from_192_168_2_0_to_192_168_3_0'
############################### ADD TWILIGHT -> WORLD MASQUERADE ##################################
nft "add rule ip twilight postrouting iif ${TW_INT} oif ${EXT} ip daddr != 192.168.2.0/24 meta nftrace set 1 masquerade"
############################### ADD TWILIGHT -> REGLER FORWARDING #################################
nft "add rule ip twilight forward iif ${INT} meta nftrace set 1 accept"
nft "add rule ip twilight forward iif ${TW_EXT} meta nftrace set 1 accept"
nft "add rule ip twilight forward oif ${INT} meta nftrace set 1 accept"
############################### ADD REGLER -> TWILIGHT FORWARDING #################################
nft "add rule ip twilight forward iif ${EXT} ip daddr 192.168.3.0/24 meta nftrace set 1 accept"
############################### ADD ELEMENTS TO INTERNAL TRANSLATION MAP ##########################
nft 'include "/etc/nftables/nft-host-alias-twilight-192.168.2.0-192.168.3.0"'
############################### ADD ELEMENTS TO EXTERNAL TRANSLATION MAP ##########################
nft 'include "/etc/nftables/nft-host-alias-twilight-192.168.3.0-192.168.2.0"'
############################### MAKE FIREWALLD IGNORE TWILIGHT TRAFFIC ############################
FIREWALLD_CHAINS="mangle_PREROUTING nat_PREROUTING nat_POSTROUTING nat_OUTPUT filter_PREROUTING filter_INPUT filter_FORWARD filter_OUTPUT"
for CHAIN in ${FIREWALLD_CHAINS}; do
    nft "insert rule inet firewalld ${CHAIN} iif ${TW_INT} accept"
    nft "insert rule inet firewalld ${CHAIN} iif ${TW_EXT} accept"
    nft "insert rule inet firewalld ${CHAIN} iif ${EXT} oif ${INT} accept"
    nft "insert rule inet firewalld ${CHAIN} iif ${EXT} ip daddr 192.168.3.0/24 accept"
    nft "insert rule inet firewalld ${CHAIN} iif ${EXT} oif ${TW_INT} accept"
    nft "insert rule inet firewalld ${CHAIN} iif ${EXT} oif ${TW_EXT} accept"
    nft "insert rule inet firewalld ${CHAIN} iif ${INT} oif ${EXT} accept"
    nft "insert rule inet firewalld ${CHAIN} iif ${INT} ip daddr 192.168.221.0/24 accept"
    nft "insert rule inet firewalld ${CHAIN} iif ${INT} oif ${TW_INT} accept"
    nft "insert rule inet firewalld ${CHAIN} iif ${INT} oif ${TW_EXT} accept"
done
```
Answer 1
The configuration shown above works as expected, with one caveat. VRF interfaces carry a VRF context intended for multi-tenant applications. That is, applications are VRF-aware and listen only in a specific VRF context, and unless told otherwise every program runs in the default VRF context. Since my traffic is routed into the vrf-outer context, there is no SSH server listening in that VRF context, so the traffic is rejected.
Running the following commands makes programs that listen in the default VRF context work in all contexts:
```
sysctl -w net.ipv4.tcp_l3mdev_accept=1
sysctl -w net.ipv4.udp_l3mdev_accept=1
```
as documented in the kernel documentation for VRF interfaces.
This does not seem to work for ipv6, since there is no l3mdev_accept option for it. It is not clear to me why ipv6 does not need this.
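A small diagnostic for the situation in the answer, added here as an example and not part of the original post: given the output of `ss -Hltn` and the value of `net.ipv4.tcp_l3mdev_accept`, it reports whether a listener on a port is reachable for connections that the kernel routes into a VRF (either the socket is bound to that VRF device, which ss shows as `ADDR%VRF:PORT`, or it is a default-VRF socket and the sysctl is 1). The VRF names, port numbers and ss lines in the sample are constructed; the `--live` mode assumes iproute2 `ss` and `sysctl` are installed.

```shell
#!/bin/sh
# vrf_listener_reachable VRF PORT L3MDEV_ACCEPT SS_OUTPUT
#   SS_OUTPUT is the text of `ss -Hltn`. Prints one of:
#   bound-to-vrf | default-vrf-with-l3mdev-accept | default-vrf-only | no-listener
vrf_listener_reachable() {
  vrf="$1"; port="$2"; accept="$3"; ss_out="$4"
  # Listener explicitly bound to the VRF device: ss prints addr%device:port
  if printf '%s\n' "$ss_out" | grep -Eq "[[:space:]][^[:space:]]*%${vrf}:${port}[[:space:]]"; then
    echo "bound-to-vrf"
  # Wildcard listener in the default VRF (no %device suffix on the address)
  elif printf '%s\n' "$ss_out" | grep -Eq "[[:space:]](\*|0\.0\.0\.0|\[::\]):${port}[[:space:]]"; then
    if [ "$accept" = "1" ]; then
      echo "default-vrf-with-l3mdev-accept"
    else
      # The "connection refused" case from the question: the SYN is delivered
      # inside the VRF, no socket exists there, and the kernel answers with RST.
      echo "default-vrf-only"
    fi
  else
    echo "no-listener"
  fi
}

# Live check on a real host (assumes iproute2 `ss` and `sysctl` are available).
vrf_listener_check_live() {
  vrf_listener_reachable "$1" "$2" \
    "$(sysctl -n net.ipv4.tcp_l3mdev_accept)" "$(ss -Hltn)"
}

# Constructed sample of `ss -Hltn` output: sshd in the default VRF, a service
# bound to the (hypothetical) vrf-inner device on 8080, and a loopback-only listener.
SS_SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0%vrf-inner:8080 0.0.0.0:*
LISTEN 0 511 127.0.0.1:631 0.0.0.0:*'

if [ "${1:-}" = "--live" ]; then
  # usage: script.sh --live VRF PORT
  vrf_listener_check_live "$2" "$3"
else
  # Offline demonstration: sshd in the default VRF as seen from vrf-outer,
  # before and after setting tcp_l3mdev_accept=1.
  for accept in 0 1; do
    echo "vrf-outer:22 with tcp_l3mdev_accept=$accept -> $(vrf_listener_reachable vrf-outer 22 "$accept" "$SS_SAMPLE")"
  done
fi
```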