ssh para quebra de contêiner do Docker após 45 segundos

0

Eu tenho o docker em execução em uma sinologia nas. O nas tem uma rede privada (172.17.0.0/16) onde o docker coloca os contêineres. Ele também tem uma interface voltada para o público na minha lan, chame de 10.11.12.10/24.

                   internet
                      ^
                      |
                      |
                 +----+------+
                 |  pfSense  |
                 +-----+-----+
                       |
                 +-----+-----+
                 |   switch  |
                 +-+-------+-+
                   |       |
                   |       |
               +---+--+  +-+---+
      +------->|  AP  |  | NAS |
      |        +------+  +--+--+
      |                     |
+-----+--+               +--+--------+
| laptop |               | container |
+--------+               +-----------+

É totalmente possível configurar o encaminhamento de porta da interface lan para um contêiner docker e acessar o ssh em um contêiner dessa maneira, mas eu estava me sentindo preguiçoso, então pensei em adicionar uma rota no meu firewall pfsense que redirecionaria todo o tráfego para 172.17.0.0/16 do meu lan diretamente para o nas.

A rota parece funcionar, é possível ssh para contêineres diretamente da minha lan. Mas nenhuma sessão do tipo ssh pode viver mais de 45 segundos.

➜  ~ date; ssh 172.17.0.2 -l root
Wed Oct 10 21:19:32 CEST 2018
Last login: Wed Oct 10 19:16:07 2018 from 10.11.12.182
root@ubuntu1:~# while true; do date; sleep 5; done
Wed Oct 10 19:19:42 UTC 2018
Wed Oct 10 19:19:47 UTC 2018
Wed Oct 10 19:19:52 UTC 2018
Wed Oct 10 19:19:57 UTC 2018
Wed Oct 10 19:20:02 UTC 2018
Wed Oct 10 19:20:07 UTC 2018
packet_write_wait: Connection to 172.17.0.2 port 22: Broken pipe
➜  ~
➜  ~

Os últimos pacotes antes de serem vistos com tcpdump no laptop são assim:

16:38:59.072210 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9633305, win 5348, options [nop,nop,TS val 561669488 ecr 134368964], length 0                               
16:38:59.103814 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [.], seq 9633305:9634753, ack 5966, win 199, options [nop,nop,TS val 134369004 ecr 561669467], length 1448           
16:38:59.225048 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561669637 ecr 134369004], length 0                               
16:38:59.324726 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9628757:9630205, ack 5966, win 199, options [nop,nop,TS val 134369225 ecr 561669467], length 1448          
16:38:59.324789 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561669736 ecr 134369004,nop,nop,sack 1 {9628757:9630205}], length 0
16:39:00.035790 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9628757:9630205, ack 5966, win 199, options [nop,nop,TS val 134369666 ecr 561669467], length 1448          
16:39:00.035854 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561670445 ecr 134369004,nop,nop,sack 1 {9628757:9630205}], length 0
16:39:00.751550 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9628757:9630205, ack 5966, win 199, options [nop,nop,TS val 134370548 ecr 561669467], length 1448          
16:39:00.751642 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561671159 ecr 134369004,nop,nop,sack 1 {9628757:9630205}], length 0
16:39:02.493382 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9628757:9630205, ack 5966, win 199, options [nop,nop,TS val 134372312 ecr 561669467], length 1448          
16:39:02.493451 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561672900 ecr 134369004,nop,nop,sack 1 {9628757:9630205}], length 0
16:39:06.179874 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9628757:9630205, ack 5966, win 199, options [nop,nop,TS val 134375840 ecr 561669467], length 1448          
16:39:06.179964 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561676574 ecr 134369004,nop,nop,sack 1 {9628757:9630205}], length 0
16:39:13.249689 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9628757:9630205, ack 5966, win 199, options [nop,nop,TS val 134382896 ecr 561669467], length 1448          
16:39:13.249741 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561683642 ecr 134369004,nop,nop,sack 1 {9628757:9630205}], length 0
16:39:27.376570 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9628757:9630205, ack 5966, win 199, options [nop,nop,TS val 134396992 ecr 561669467], length 1448          
16:39:27.376645 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561697743 ecr 134369004,nop,nop,sack 1 {9628757:9630205}], length 0

O tcpdump correspondente em pfsense só vê o tráfego do laptop, pois as respostas não precisam ser roteadas

16:38:59.083374 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9632853, win 5358, options [nop,nop,TS val 561669485 ecr 134368962], length 0                                 
16:38:59.083422 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9632905, win 5361, options [nop,nop,TS val 561669488 ecr 134368962], length 0                                 
16:38:59.083471 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9632957, win 5359, options [nop,nop,TS val 561669488 ecr 134368962], length 0                                 
16:38:59.083510 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9633001, win 5358, options [nop,nop,TS val 561669488 ecr 134368963], length 0                                 
16:38:59.083542 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9633053, win 5356, options [nop,nop,TS val 561669488 ecr 134368963], length 0                                 
16:38:59.083581 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9633105, win 5355, options [nop,nop,TS val 561669488 ecr 134368963], length 0                                 
16:38:59.083680 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9633157, win 5353, options [nop,nop,TS val 561669488 ecr 134368963], length 0                                 
16:38:59.083731 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9633209, win 5351, options [nop,nop,TS val 561669488 ecr 134368964], length 0                                 
16:38:59.083778 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9633261, win 5350, options [nop,nop,TS val 561669488 ecr 134368964], length 0                                 
16:38:59.083824 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9633305, win 5348, options [nop,nop,TS val 561669488 ecr 134368964], length 0                                 
16:38:59.228487 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561669637 ecr 134369004], length 0                                 
16:38:59.328679 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561669736 ecr 134369004,nop,nop,sack 1 {9628757:9630205}], length 0
16:39:00.039683 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561670445 ecr 134369004,nop,nop,sack 1 {9628757:9630205}], length 0
16:39:00.755280 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561671159 ecr 134369004,nop,nop,sack 1 {9628757:9630205}], length 0
16:39:02.497019 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561672900 ecr 134369004,nop,nop,sack 1 {9628757:9630205}], length 0
16:39:06.183600 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561676574 ecr 134369004,nop,nop,sack 1 {9628757:9630205}], length 0
16:39:13.255414 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561683642 ecr 134369004,nop,nop,sack 1 {9628757:9630205}], length 0
16:39:27.380228 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9634753, win 5363, options [nop,nop,TS val 561697743 ecr 134369004,nop,nop,sack 1 {9628757:9630205}], length 0

O nas vê o seguinte

16:38:59.061977 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9632365:9632409, ack 5966, win 199, options [nop,nop,TS val 134368960 ecr 561669467], length 44            
16:38:59.062027 IP 10.11.12.182.64941 > 172.17.0.2.22: Flags [.], ack 9628757, win 5360, options [nop,nop,TS val 561669467 ecr 134368941], length 0                               
16:38:59.062216 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9632409:9632453, ack 5966, win 199, options [nop,nop,TS val 134368960 ecr 561669467], length 44              
16:38:59.062437 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9632453:9632505, ack 5966, win 199, options [nop,nop,TS val 134368961 ecr 561669467], length 52              
16:38:59.062620 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9632505:9632549, ack 5966, win 199, options [nop,nop,TS val 134368961 ecr 561669467], length 44              
16:38:59.062837 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9632549:9632601, ack 5966, win 199, options [nop,nop,TS val 134368961 ecr 561669467], length 52              
16:38:59.062984 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9632601:9632653, ack 5966, win 199, options [nop,nop,TS val 134368961 ecr 561669467], length 52              
16:38:59.063200 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9632653:9632697, ack 5966, win 199, options [nop,nop,TS val 134368961 ecr 561669467], length 44              
16:38:59.063401 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9632697:9632749, ack 5966, win 199, options [nop,nop,TS val 134368962 ecr 561669467], length 52              
16:38:59.063605 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9632749:9632801, ack 5966, win 199, options [nop,nop,TS val 134368962 ecr 561669467], length 52              
16:38:59.063800 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9632801:9632853, ack 5966, win 199, options [nop,nop,TS val 134368962 ecr 561669467], length 52              
16:38:59.064021 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9632853:9632905, ack 5966, win 199, options [nop,nop,TS val 134368962 ecr 561669467], length 52              
16:38:59.064220 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9632905:9632957, ack 5966, win 199, options [nop,nop,TS val 134368962 ecr 561669467], length 52              
16:38:59.064447 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9632957:9633001, ack 5966, win 199, options [nop,nop,TS val 134368963 ecr 561669467], length 44              
16:38:59.064698 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9633001:9633053, ack 5966, win 199, options [nop,nop,TS val 134368963 ecr 561669467], length 52              
16:38:59.064938 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9633053:9633105, ack 5966, win 199, options [nop,nop,TS val 134368963 ecr 561669467], length 52              
16:38:59.065172 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9633105:9633157, ack 5966, win 199, options [nop,nop,TS val 134368963 ecr 561669467], length 52              
16:38:59.065422 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9633157:9633209, ack 5966, win 199, options [nop,nop,TS val 134368964 ecr 561669467], length 52              
16:38:59.065663 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9633209:9633261, ack 5966, win 199, options [nop,nop,TS val 134368964 ecr 561669467], length 52              
16:38:59.065880 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9633261:9633305, ack 5966, win 199, options [nop,nop,TS val 134368964 ecr 561669467], length 44              
16:38:59.105416 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [.], seq 9633305:9634753, ack 5966, win 199, options [nop,nop,TS val 134369004 ecr 561669467], length 1448             
16:38:59.326452 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9628757:9630205, ack 5966, win 199, options [nop,nop,TS val 134369225 ecr 561669467], length 1448            
16:38:59.767432 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9628757:9630205, ack 5966, win 199, options [nop,nop,TS val 134369666 ecr 561669467], length 1448            
16:39:00.649466 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9628757:9630205, ack 5966, win 199, options [nop,nop,TS val 134370548 ecr 561669467], length 1448            
16:39:02.413454 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9628757:9630205, ack 5966, win 199, options [nop,nop,TS val 134372312 ecr 561669467], length 1448            
16:39:05.941490 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9628757:9630205, ack 5966, win 199, options [nop,nop,TS val 134375840 ecr 561669467], length 1448            
16:39:12.997468 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9628757:9630205, ack 5966, win 199, options [nop,nop,TS val 134382896 ecr 561669467], length 1448            
16:39:27.093471 IP 172.17.0.2.22 > 10.11.12.182.64941: Flags [P.], seq 9628757:9630205, ack 5966, win 199, options [nop,nop,TS val 134396992 ecr 561669467], length 1448          

Não tenho certeza se li corretamente, mas os últimos pacotes têm os mesmos valores de ack / seq. Levando-me a acreditar que ambos os nós vêem os pacotes uns dos outros, mas são incapazes de perceber que os pacotes fazem parte da mesma sessão.

Alguma ideia?

    
por azzid 10.10.2018 / 20:55

1 resposta

1

Adicionar a rota ao pfsense torna o fluxo de tráfego estranho.

O tráfego do laptop pula sobre o pfsense, volta para o nas e depois para o contêiner. No entanto, as respostas do contêiner serão enviadas diretamente pelo nas para o laptop na camada 2. Nenhum roteamento necessário.

Uma conseqüência disso é que o firewall no nas que permite apenas pacotes relacionados se confunde e invalida a relação entre os pacotes ssh e o primeiro pacote de conexão ssh.

Meu palpite é que o conntrack do iptables no nas está matando a sessão.

# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DEFAULT_FORWARD
-N DOCKER
-N DOCKER-ISOLATION
-A FORWARD -j DEFAULT_FORWARD
-A DEFAULT_FORWARD -j DOCKER-ISOLATION
-A DEFAULT_FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DEFAULT_FORWARD -o docker0 -j DOCKER
-A DEFAULT_FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DEFAULT_FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN

Remover a rota do pfsense e configurá-la diretamente no laptop parece funcionar muito melhor.

Como adicionar rota no macOS:

sudo route add 172.17.0.0/16 10.11.12.10
    
por 11.10.2018 / 20:28