Iptables
Docker packets are not being masqueraded (despite NAT rules)
On a machine running Debian 9 (Linux kernel 4.9) I have Docker (18.06.1) with some containers in bridge mode. For some strange reason, some packets from Docker manage to bypass the `MASQUERADE` rule. `enp2s0` is the public interface (Docker uses the `docker0` interface, 172.17.0.1).

```
$ tcpdump -vvlnn -i enp2s0 port 3000 and src net 172.16.0.0/12
tcpdump: listening on enp2s0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:57:49.918655 IP (tos 0x0, ttl 63, id 62271, offset 0, flags [DF], proto TCP (6), length 52)
    172.17.0.2.55664 > x.x.x.x.3000: Flags [F.], cksum 0xe40c (correct), seq 9863202, ack 476959401, win 856, options [nop,nop,TS val 1382910659 ecr 2481487487], length 0
11:57:50.126683 IP (tos 0x0, ttl 63, id 62272, offset 0, flags [DF], proto TCP (6), length 52)
    172.17.0.2.55664 > x.x.x.x.3000: Flags [F.], cksum 0xe3d8 (correct), seq 0, ack 1, win 856, options [nop,nop,TS val 1382910711 ecr 2481487487], length 0
11:57:50.546660 IP (tos 0x0, ttl 63, id 62273, offset 0, flags [DF], proto TCP (6), length 52)
    172.17.0.2.55664 > x.x.x.x.3000: Flags [F.], cksum 0xe36f (correct), seq 0, ack 1, win 856, options [nop,nop,TS val 1382910816 ecr 2481487487], length 0
```
The NAT rules, from `iptables-save`:

```
*nat
:PREROUTING ACCEPT [11397418:724275374]
:INPUT ACCEPT [39095:3038067]
:OUTPUT ACCEPT [1328340:79997617]
:POSTROUTING ACCEPT [5102467:306147980]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -o enp2s0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 5501 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 5500 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 3000 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 48842 -j DNAT --to-destination 172.17.0.3:5501
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 48841 -j DNAT --to-destination 172.17.0.3:5500
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 13119 -j DNAT --to-destination 172.17.0.2:3000
```
I tried adding `mangle` rules to catch these packets, but so far without any success:

```
*mangle
:PREROUTING ACCEPT [44457014385:7315518035795]
:INPUT ACCEPT [404840097:241773793538]
:FORWARD ACCEPT [44052174279:7073744241603]
:OUTPUT ACCEPT [526370610:171137381220]
:POSTROUTING ACCEPT [44578544703:7244881613871]
:bogus - [0:0]
:spoofing - [0:0]
-A PREROUTING -s 192.168.0.0/24 -i enp2s0 -j spoofing
-A PREROUTING -s 10.0.0.0/8 -i enp2s0 -j spoofing
-A PREROUTING -s 172.16.0.0/12 -i enp2s0 -j spoofing
-A PREROUTING -s 127.0.0.0/8 ! -i lo -j spoofing
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j bogus
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j bogus
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j bogus
-A bogus -j LOG --log-prefix "BOGUS: "
-A bogus -j DROP
-A spoofing -j LOG --log-prefix "IP SPOOF: "
-A spoofing -j DROP
COMMIT
```
Any idea how to block these packets?
Forwarded packets:

```
iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target                    prot opt in      out      source               destination
  44G 7074G DOCKER-USER               all  --  *       *        0.0.0.0/0            0.0.0.0/0
  44G 7074G DOCKER-ISOLATION-STAGE-1  all  --  *       *        0.0.0.0/0            0.0.0.0/0
  16G 4358G ACCEPT                    all  --  *       docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  54M 3269M DOCKER                    all  --  *       docker0  0.0.0.0/0            0.0.0.0/0
  28G 2712G ACCEPT                    all  --  docker0 !docker0 0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT                    all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
    0     0 DROP                      all  --  *       *        0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT                    all  --  docker0 enp2s0   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT                    all  --  enp2s0  docker0  0.0.0.0/0            0.0.0.0/0
    0     0 LOG                       all  --  *       *        0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "fw forward drop "
    0     0 ACCEPT                    all  --  *       *        0.0.0.0/0            0.0.0.0/0            state NEW
```
Forward rules (partly injected by Docker):

```
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i docker0 -o enp2s0 -j ACCEPT
-A FORWARD -i enp2s0 -o docker0 -j ACCEPT
```
The `OUTPUT` chain should also drop invalid packets:

```
-A OUTPUT -m state --state INVALID -j DROP
```
These packets probably have the INVALID conntrack state. Try adding a rule to the `filter/FORWARD` chain to drop them:

```
iptables -I FORWARD -m conntrack --ctstate INVALID -j DROP
```

Also, the nat target only handles a connection from its first packet through its last. This means that if you add or remove a nat rule, the rule only affects new connections; existing (established) connections are not affected.
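Before adding a drop rule it helps to know which packets are escaping and why. The script below is an added example, not code from the question or the answer: it reads `tcpdump -nn` lines in the layout shown in the question (with `-v`, tcpdump prints the IP header summary first and the address pair on the following line; the regex matches the address pair wherever it appears), flags packets that carry an RFC 1918 source address while on the public interface, and classifies each one along the lines of the answer above: NAT is decided on a connection's first packet, so a bare SYN that escaped means no MASQUERADE rule matched it, while any later packet escaped because it had no conntrack entry (INVALID) or because the connection was tracked before the rule existed. The capture lines, the 203.0.113.0/24 and 198.51.100.0/24 addresses and the interface name are constructed for the example.

```python
"""Find Docker container packets that left the public interface without
being masqueraded, from `tcpdump -nn` output, and classify why NAT was skipped.

Added example; not code from the question or answer. The capture below is
constructed in the layout of the question's tcpdump output.
"""
import ipaddress
import re
from collections import Counter

# RFC 1918 ranges: nothing sourced from these should ever leave a public interface.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Matches the "src.port > dst.port: Flags [..]" part of a tcpdump -nn TCP line,
# whether or not -v placed the IP header summary in front of it.
_PKT_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture on the public interface (assumed to be enp2s0).
# RFC 5737 documentation addresses stand in for real public addresses.
SAMPLE_CAPTURE = """\
11:57:49.918655 IP 172.17.0.2.55664 > 203.0.113.10.3000: Flags [F.], seq 9863202, ack 476959401, win 856, length 0
11:57:50.126683 IP 172.17.0.2.55664 > 203.0.113.10.3000: Flags [F.], seq 0, ack 1, win 856, length 0
11:57:51.000000 IP 172.17.0.3.40000 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0
11:57:52.000000 IP 198.51.100.7.51000 > 203.0.113.10.13119: Flags [P.], seq 1, ack 1, win 500, length 10
11:57:53.000000 IP 10.0.0.5.4444 > 203.0.113.10.22: Flags [R.], seq 0, ack 1, win 0, length 0
"""


def parse_packet(line):
    """Return src/sport/dst/dport/flags of one tcpdump TCP line, or None."""
    m = _PKT_RE.search(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def is_private(addr):
    """True if addr falls in an RFC 1918 range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def classify_leak(flags):
    """Explain why a private-source packet could reach the public interface.

    tcpdump flag letters: S=SYN, F=FIN, R=RST, P=PSH, '.'=ACK. A bare SYN is
    the first packet of a connection, the only point at which nat rules are
    evaluated, so its escape means no MASQUERADE rule matched. Anything else
    is mid- or end-of-connection: conntrack had no entry for it (INVALID), or
    the entry predates the MASQUERADE rule and so carries no NAT mapping.
    """
    if flags == "S":
        return "new connection: no MASQUERADE rule matched"
    return "mid-connection: INVALID (no conntrack entry) or tracked before the nat rule existed"


def find_leaks(capture_text):
    """All packets in the capture whose source is private, with a reason attached."""
    leaks = []
    for line in capture_text.splitlines():
        pkt = parse_packet(line)
        if pkt and is_private(pkt["src"]):
            pkt["reason"] = classify_leak(pkt["flags"])
            leaks.append(pkt)
    return leaks


def summarize(leaks):
    """Count leaked packets per (source address, reason)."""
    return Counter((p["src"], p["reason"]) for p in leaks)


if __name__ == "__main__":
    for (src, reason), n in sorted(summarize(find_leaks(SAMPLE_CAPTURE)).items()):
        print(f"{n:3d}  {src:15s}  {reason}")
```

Feed it the real capture with `tcpdump -nn -i enp2s0 'src net 10.0.0.0/8 or src net 172.16.0.0/12 or src net 192.168.0.0/16' | python3 leakcheck.py` (the file name is an assumption) after replacing `SAMPLE_CAPTURE` with `sys.stdin.read()`. If every leaked packet is a FIN or RST, the answer's INVALID diagnosis fits and the `--ctstate INVALID -j DROP` rule is the right fix; if bare SYNs show up, the MASQUERADE rules themselves are not matching. Note that the question's `mangle` rules sit in PREROUTING with `-i enp2s0`, so they only ever see packets arriving on the public interface; the leaked packets are leaving it, which is why those rules never fire.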