Linux-Networking

代理服務僅響應某些 IP 地址(其他的則使用 SYN_RECV)

  • May 23, 2020

我有一個使用代理服務(WAF 等)的伺服器,它將數據包轉發到我的伺服器。

我可以從所有代理中看到已建立netstat -an的 SSL 連接,其餘的則卡在 SYN_RECV 中:

tcp        0      0 192.168.102.11:443      185.93.230.20:64966     SYN_RECV
tcp        0      0 192.168.102.11:443      192.88.135.20:8306      SYN_RECV
tcp        0      0 192.168.102.11:443      66.248.202.20:10750     SYN_RECV
tcp        0      0 192.168.102.11:443      185.93.230.20:2213      SYN_RECV
tcp        0      0 192.168.102.11:443      66.248.202.20:7494      SYN_RECV
tcp        0      0 192.168.102.11:443      185.93.231.20:32752     ESTABLISHED
tcp        0      0 192.168.102.11:443      185.93.231.20:31910     ESTABLISHED

我可以看到流量tcpdump port 443 and '(tcp-syn|tcp-ack)!=0' -nn

為了185.93.231.20.2139

20:36:35.263777 IP 192.168.102.11.443 > 185.93.231.20.2139: Flags [FP.], seq 203642186:203642217, ack 1968471817, win 258, options [nop,nop,TS val 32827456 ecr 876705214], length 31
20:36:36.901357 IP 192.168.102.11.443 > 185.93.231.20.2137: Flags [P.], seq 418165034:418165065, ack 2875697257, win 258, options [nop,nop,TS val 32829093 ecr 876704135], length 31

為了185.93.230.20

20:36:49.098560 IP 185.93.230.20.20721 > 192.168.102.11.443: Flags [S], seq 2855805773, win 29200, options [mss 1460,sackOK,TS val 882921029 ecr 0,nop,wscale 9], length 0
20:36:49.098638 IP 192.168.102.11.443 > 185.93.230.20.20721: Flags [S.], seq 268496949, ack 2855805774, win 28960, options [mss 1460,sackOK,TS val 32841290 ecr 882921029,nop,wscale 7], length 0

對於66.248.202.20

20:37:02.042048 IP 66.248.202.20.49557 > 192.168.102.11.443: Flags [S], seq 3837436386, win 29200, options [mss 1460,sackOK,TS val 791596242 ecr 0,nop,wscale 9], length 0
20:37:02.042116 IP 192.168.102.11.443 > 66.248.202.20.49557: Flags [S.], seq 2339555392, ack 3837436387, win 28960, options [mss 1460,sackOK,TS val 32854234 ecr 791596242,nop,wscale 7], length 0

對於192.88.135.20

20:36:39.595087 IP 185.93.228.20.23354 > 192.168.102.11.443: Flags [S], seq 1334433323, win 29200, options [mss 1460,sackOK,TS val 274977072 ecr 0,nop,wscale 9], length 0
20:36:39.595120 IP 192.168.102.11.443 > 185.93.228.20.23354: Flags [S.], seq 1203016390, ack 1334433324, win 28960, options [mss 1460,sackOK,TS val 32831787 ecr 274970056,nop,wscale 7], length 

但只有來自185.93.231.20的流量才會登錄到 domlogs:

185.93.231.20 - - [22/May/2020:19:55:37 +0400] "GET /blog/video-gallery/ HTTP/1.1" 200 12716 "https://www.example.com/blog/publications/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0" 747893
185.93.231.20 - - [22/May/2020:19:55:39 +0400] "GET /wp-content/uploads/2020/02/Thumbnail72.jpg HTTP/1.1" 200 181941 "https://www.example.com/blog/video-gallery/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0" 1283052
185.93.231.20 - - [22/May/2020:19:55:39 +0400] "GET /wp-content/uploads/2020/02/Thumbnail68.jpg HTTP/1.1" 200 180934 "https://www.example.com/blog/video-gallery/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0" 952373

關於下一步檢查什麼的任何想法?我已禁用所有防火牆規則並確保 NAT 在 WAN 和主機(入站和出站)之間正常工作 - 沒有發生任何配置更改,這只是停止工作。

結果證明這是一個不對稱的路由問題,因為數據包可以到達伺服器但網路無法返回它們(由於路由故障)。

netstat部分連接卡住並SYN_RECV返回tcpdump標誌

  • [S]從遠端伺服器入站到我們SYN建立連接
  • [S.]我們回复遠端伺服器以SYN+ACK建立連接請求

SYN這是在伺服器上通過來自遠端伺服器的以下請求辨識的:

20:36:49.098560 IP 185.93.230.20.20721 > 192.168.102.11.443: Flags [S], seq 2855805773, win 29200, options [mss 1460,sackOK,TS val 882921029 ecr 0,nop,wscale 9], length 0

這使套接字進入半開狀態:

tcp        0      0 192.168.102.11:443      185.93.230.20:64966     SYN_RECV

然後我們回應(注意標誌的S.含義SYN+ACK):

20:36:49.098638 IP 192.168.102.11.443 > 185.93.230.20.20721: Flags [S.], seq 268496949, ack 2855805774, win 28960, options [mss 1460,sackOK,TS val 32841290 ecr 882921029,nop,wscale 7], length 0

但這永遠不會到達遠端伺服器,因此它永遠不會反過來響應進一步的數據包,這些數據包將完成握手並將套接字設置為ESTABLISHED.

這已由 ISP 和相關的對手方解決,以解決路由問題。

這也可能表明防火牆丟棄了數據包或配置錯誤的 NAT 規則,這些在聯繫 ISP 之前已被排除。

引用自:https://serverfault.com/questions/1018268