Linux-Networking
Can I use Wireshark / packet captures to verify that port forwarding is failing?
I recently configured a Debian 9 server (Debian 4.9.130-2) as a lightweight server running a set of Docker containers (nextcloud, sync, etc.) as well as basic services such as ssh. The services are configured correctly and run normally: I can connect to ssh and the Docker containers from any device on the LAN without any obvious problems. However, connection attempts from outside the network never reach the server. At this point I am trying to test whether the failure is on the router or on the server, since both appear to be configured correctly. To do this I set up a packet capture on the router and then made several inbound connection attempts from a VPN to the forwarded ports.
Here is a snippet from Wireshark which shows (I think) that the traffic is indeed being redirected by the router.
First, the capture on the router:
No. Time Source Destination Protocol Length Info
2265 26.624915 196.52.84.12 87.75.107.144 TCP 80 54626 → 4003 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326616015 TSecr=0 SACK_PERM=1
2382 27.746737 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 54626 → 4003 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326617017 TSecr=0 SACK_PERM=1
2470 28.626743 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 54626 → 4003 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326618019 TSecr=0 SACK_PERM=1
2590 29.666995 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 54626 → 4003 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326619020 TSecr=0 SACK_PERM=1
2688 30.687513 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 54626 → 4003 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326620023 TSecr=0 SACK_PERM=1
2719 31.667451 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 54626 → 4003 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326621028 TSecr=0 SACK_PERM=1
2868 33.696000 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 54626 → 4003 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326623032 TSecr=0 SACK_PERM=1
3254 37.657240 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 54626 → 4003 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326627033 TSecr=0 SACK_PERM=1
3861 45.658800 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 54626 → 4003 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326635033 TSecr=0 SACK_PERM=1
4132 48.150464 196.52.84.12 87.75.107.144 TCP 80 57788 → 2202 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326377039 TSecr=0 SACK_PERM=1
4152 49.191512 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 57788 → 2202 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326378040 TSecr=0 SACK_PERM=1
4207 50.160028 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 57788 → 2202 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326379041 TSecr=0 SACK_PERM=1
4464 52.415812 196.52.84.12 87.75.107.144 TCP 80 57789 → 2202 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326381262 TSecr=0 SACK_PERM=1
4530 53.412326 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 57789 → 2202 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326382263 TSecr=0 SACK_PERM=1
4631 54.373065 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 57789 → 2202 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326383263 TSecr=0 SACK_PERM=1
4684 55.380093 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 57789 → 2202 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326384264 TSecr=0 SACK_PERM=1
4779 56.420386 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 57789 → 2202 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326385265 TSecr=0 SACK_PERM=1
4874 57.420881 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 57789 → 2202 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326386265 TSecr=0 SACK_PERM=1
5161 59.374395 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 57789 → 2202 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326388265 TSecr=0 SACK_PERM=1
5381 61.774499 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 54626 → 4003 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326651102 TSecr=0 SACK_PERM=1
Packet capture on the server:
No. Time Source Destination Protocol Length Info
32179 24.444677474 196.52.84.12 192.168.1.208 TCP 78 54626 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326616015 TSecr=0 SACK_PERM=1
33778 25.565718159 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 54626 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326617017 TSecr=0 SACK_PERM=1
35147 26.445497552 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 54626 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326618019 TSecr=0 SACK_PERM=1
36888 27.485382313 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 54626 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326619020 TSecr=0 SACK_PERM=1
38683 28.505695805 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 54626 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326620023 TSecr=0 SACK_PERM=1
40376 29.485394758 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 54626 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326621028 TSecr=0 SACK_PERM=1
43649 31.513421847 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 54626 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326623032 TSecr=0 SACK_PERM=1
50623 35.473792067 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 54626 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326627033 TSecr=0 SACK_PERM=1
65139 43.473176096 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 54626 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326635033 TSecr=0 SACK_PERM=1
69018 45.964529458 196.52.84.12 192.168.1.208 TCP 78 57788 → 22 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326377039 TSecr=0 SACK_PERM=1
70816 47.004900826 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 57788 → 22 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326378040 TSecr=0 SACK_PERM=1
72718 47.973061039 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 57788 → 22 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326379041 TSecr=0 SACK_PERM=1
77788 50.228672533 196.52.84.12 192.168.1.208 TCP 78 57789 → 22 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326381262 TSecr=0 SACK_PERM=1
80033 51.224501372 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 57789 → 22 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326382263 TSecr=0 SACK_PERM=1
82529 52.185037535 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 57789 → 22 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326383263 TSecr=0 SACK_PERM=1
84789 53.191738933 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 57789 → 22 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326384264 TSecr=0 SACK_PERM=1
87000 54.231741538 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 57789 → 22 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326385265 TSecr=0 SACK_PERM=1
88816 55.231936109 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 57789 → 22 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326386265 TSecr=0 SACK_PERM=1
92836 57.184892614 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 57789 → 22 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326388265 TSecr=0 SACK_PERM=1
Key to the output:
- 196.52.84.14 is the IP address assigned to my PC when connected to the VPN
- 192.168.1.208 is the server's LAN IP address
- 87.75.107.144 is the WAN IP address on the router (obfuscated)
- port 2202 is forwarded over tcp to the ssh port 22 on that server, and port 4003 is forwarded to 443 on the server
Am I right in thinking that the router is behaving correctly and forwarding the packets (e.g. the "retransmissions")?
The firewall is as follows:
$ sudo iptables-save
# Generated by iptables-save v1.6.0 on Fri Mar 15 20:37:38 2019
*nat
:PREROUTING ACCEPT [3920:488137]
:INPUT ACCEPT [2997:321060]
:OUTPUT ACCEPT [2725:243307]
:POSTROUTING ACCEPT [2735:246173]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-931904c155b2 -j MASQUERADE
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 8181 -j MASQUERADE
-A POSTROUTING -s 172.18.0.3/32 -d 172.18.0.3/32 -p tcp -m tcp --dport 7878 -j MASQUERADE
-A POSTROUTING -s 172.18.0.4/32 -d 172.18.0.4/32 -p tcp -m tcp --dport 8686 -j MASQUERADE
-A POSTROUTING -s 172.18.0.5/32 -d 172.18.0.5/32 -p tcp -m tcp --dport 9000 -j MASQUERADE
-A POSTROUTING -s 172.18.0.6/32 -d 172.18.0.6/32 -p tcp -m tcp --dport 8989 -j MASQUERADE
-A POSTROUTING -s 172.18.0.7/32 -d 172.18.0.7/32 -p tcp -m tcp --dport 4040 -j MASQUERADE
-A POSTROUTING -s 172.18.0.8/32 -d 172.18.0.8/32 -p tcp -m tcp --dport 8000 -j MASQUERADE
-A POSTROUTING -s 172.18.0.8/32 -d 172.18.0.8/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-931904c155b2 -j RETURN
-A DOCKER ! -i br-931904c155b2 -p tcp -m tcp --dport 8181 -j DNAT --to-destination 172.18.0.2:8181
-A DOCKER ! -i br-931904c155b2 -p tcp -m tcp --dport 7878 -j DNAT --to-destination 172.18.0.3:7878
-A DOCKER ! -i br-931904c155b2 -p tcp -m tcp --dport 8686 -j DNAT --to-destination 172.18.0.4:8686
-A DOCKER ! -i br-931904c155b2 -p tcp -m tcp --dport 9001 -j DNAT --to-destination 172.18.0.5:9000
-A DOCKER ! -i br-931904c155b2 -p tcp -m tcp --dport 27021 -j DNAT --to-destination 172.18.0.6:8989
-A DOCKER ! -i br-931904c155b2 -p tcp -m tcp --dport 4040 -j DNAT --to-destination 172.18.0.7:4040
-A DOCKER ! -i br-931904c155b2 -p tcp -m tcp --dport 10001 -j DNAT --to-destination 172.18.0.8:8000
-A DOCKER ! -i br-931904c155b2 -p tcp -m tcp --dport 10000 -j DNAT --to-destination 172.18.0.8:80
COMMIT
# Completed on Fri Mar 15 20:37:38 2019
# Generated by iptables-save v1.6.0 on Fri Mar 15 20:37:38 2019
*filter
:INPUT ACCEPT [6374971:555022347]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [8882591:15858115582]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m comment --comment "Allow SSH" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m comment --comment "Allow HTTPS" -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-931904c155b2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-931904c155b2 -j DOCKER
-A FORWARD -i br-931904c155b2 ! -o br-931904c155b2 -j ACCEPT
-A FORWARD -i br-931904c155b2 -o br-931904c155b2 -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-931904c155b2 -o br-931904c155b2 -p tcp -m tcp --dport 8181 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-931904c155b2 -o br-931904c155b2 -p tcp -m tcp --dport 7878 -j ACCEPT
-A DOCKER -d 172.18.0.4/32 ! -i br-931904c155b2 -o br-931904c155b2 -p tcp -m tcp --dport 8686 -j ACCEPT
-A DOCKER -d 172.18.0.5/32 ! -i br-931904c155b2 -o br-931904c155b2 -p tcp -m tcp --dport 9000 -j ACCEPT
-A DOCKER -d 172.18.0.6/32 ! -i br-931904c155b2 -o br-931904c155b2 -p tcp -m tcp --dport 8989 -j ACCEPT
-A DOCKER -d 172.18.0.7/32 ! -i br-931904c155b2 -o br-931904c155b2 -p tcp -m tcp --dport 4040 -j ACCEPT
-A DOCKER -d 172.18.0.8/32 ! -i br-931904c155b2 -o br-931904c155b2 -p tcp -m tcp --dport 8000 -j ACCEPT
-A DOCKER -d 172.18.0.8/32 ! -i br-931904c155b2 -o br-931904c155b2 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-931904c155b2 ! -o br-931904c155b2 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-931904c155b2 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Fri Mar 15 20:37:38 2019
Routing table:
$ ip route
0.0.0.0/1 via 10.1.10.9 dev tun0
default via 192.168.1.1 dev eno1 onlink
10.1.10.1 via 10.1.10.9 dev tun0
10.1.10.9 dev tun0 proto kernel scope link src 10.1.10.10
128.0.0.0/1 via 10.1.10.9 dev tun0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-931904c155b2 proto kernel scope link src 172.18.0.1
172.98.67.82 via 192.168.1.1 dev eno1
192.0.0.0/8 dev eno1 proto kernel scope link src 192.168.1.208
192.168.1.0/24 via 192.168.1.1 dev eno1
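The comparison the question makes by eye can be done mechanically. The following is an added Python example, not part of the question, that parses Wireshark summary lines in the format of the two captures above (a constructed subset of them is embedded), matches each router-side SYN to its server-side copy by source port and TCP timestamp, checks that the destination port was translated the way the forwarding rules intend, and reports whether the server ever answered with a SYN,ACK.

```python
import re
# Constructed sample in the format of the question's two captures, one packet per
# line: the router sees SYNs to WAN ports 4003/2202, the server sees them on 443/22.
ROUTER_CAPTURE = """\
2265 26.624915 196.52.84.12 87.75.107.144 TCP 80 54626 → 4003 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326616015 TSecr=0 SACK_PERM=1
2382 27.746737 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 54626 → 4003 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326617017 TSecr=0 SACK_PERM=1
4132 48.150464 196.52.84.12 87.75.107.144 TCP 80 57788 → 2202 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326377039 TSecr=0 SACK_PERM=1
"""
SERVER_CAPTURE = """\
32179 24.444677474 196.52.84.12 192.168.1.208 TCP 78 54626 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326616015 TSecr=0 SACK_PERM=1
33778 25.565718159 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 54626 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326617017 TSecr=0 SACK_PERM=1
69018 45.964529458 196.52.84.12 192.168.1.208 TCP 78 57788 → 22 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326377039 TSecr=0 SACK_PERM=1
"""
# One Wireshark summary line: frame, time, src, dst, proto, length, then the Info column.
LINE = re.compile(
    r"^\d+ [\d.]+ (?P<src>[\d.]+) (?P<dst>[\d.]+) TCP \d+ (?:\[TCP Retransmission\] )?"
    r"(?P<sport>\d+) → (?P<dport>\d+) \[(?P<flags>[A-Z, ]+)\].*?TSval=(?P<tsval>\d+)"
)

def parse(capture):
    """Return one dict per parsable line; sport/dport/tsval as ints."""
    pkts = [m.groupdict() for m in map(LINE.match, capture.splitlines()) if m]
    for d in pkts:
        d.update((k, int(d[k])) for k in ("sport", "dport", "tsval"))
    return pkts

def check_forwarding(router_capture, server_capture, port_map):
    """Match each router-side SYN to the same SYN on the server and check its port.
    DNAT rewrites dst addr/port but not the client's source port or TCP timestamp,
    so (src, sport, tsval) identifies one segment in both captures.
    port_map is {wan_port: lan_port}. Returns (verdicts, replied): one
    (sport, wan_port, verdict) per router SYN, and whether any SYN,ACK went back."""
    server = parse(server_capture)
    at_server = {(p["src"], p["sport"], p["tsval"]): p for p in server}
    verdicts = []
    for p in parse(router_capture):
        if p["flags"] != "SYN":
            continue  # only inbound connection attempts, not replies
        hit = at_server.get((p["src"], p["sport"], p["tsval"]))
        if hit is None:
            verdict = "not seen on server"
        elif hit["dport"] != port_map.get(p["dport"]):
            verdict = "forwarded to wrong port %d" % hit["dport"]
        else:
            verdict = "forwarded"
        verdicts.append((p["sport"], p["dport"], verdict))
    replied = any(p["flags"] == "SYN, ACK" for p in server)
    return verdicts, replied
```

On the captures in the question every SYN comes back "forwarded" with no SYN,ACK, which is the same conclusion the question draws: the router's DNAT works and the silence is on the server side.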
The TCP Retransmission indicates that the packet was sent and the PC keeps trying to resend it because it got no reply. This usually means the receiving side did not send back an ACK to confirm that the data was received.
This may be a routing error on the receiving side, since the receiver may simply not have a route back to your IP 196.52.84.14.
I recommend debugging from the receiving side; I'd suggest 192.168.1.208 since you can easily enable a packet sniffer there. Collect the logs and check whether the remote receiver knows a default route to your VPN IP.
Edit 1
Wireshark shows that the machine received the retransmissions but did not answer them. So make sure the firewall on the server is not blocking that traffic; winpcap/wireshark captures inbound packets before the local firewall drops them.