Testing the tunnel - tcpdump?

I have the following stunnel configuration on the server:

chroot = /var/run/stunnel
setuid = nobody
setgid = nobody

pid = /stunnel.pid

cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem
client = no

[https]
accept = 443
connect = 10051

Client:

chroot = /var/run/stunnel
setuid = nobody
setgid = nobody

pid = /stunnel.pid

cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem
client = yes

[https]
accept = 127.0.0.1:10051
connect = 10.0.10.116:443

When I run "sudo stunnel" on each machine, I don't get any errors. Running the following commands on the client to test the tunnel, I get nothing?

tcpdump port 10051 -n -vvvv

Followed by:

echo "blah" > nc localhost 10051

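Am I misusing "tcpdump"? Is there another way to test this? I'm using CentOS 7. The server IP address is 10.0.10.116 and the client IP address is 10.0.10.27; this is a test lab setup with a self-signed certificate.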

I should add that if I issue the tcpdump command above with sudo:

sudo tcpdump port 10051 -n -vvvv

I get the following, and then nothing:

tcpdump: NFLOG link-layer type filtering not implemented

Not sure what this is telling me?

Answer 1

OK, I've gotten it to work with some tweaks. I decided to try using ssh instead of tcpdump. So I changed the connect on the server to:

...
[https]
accept =  443
connect = 22
...

Then I typed

ssh localhost -p 10051

and got back

chuck@scorch:~$ ssh chuck@localhost -p 10051
The authenticity of host '[localhost]:10051 ([127.0.0.1]:10051)' can't be established.
ECDSA key fingerprint is SHA256:DcEUrtP7I5KJqaZIfsTK+2lNB8AF00Je97z9obNneac.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added '[localhost]:10051' (ECDSA) to the list of known hosts.
chuck@localhost's password:
Welcome to Ubuntu 17.04 (GNU/Linux 4.10.0-19-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
 * What are your preferred Linux desktop apps?  Help us set the default
desktop apps in Ubuntu 18.04 LTS:
- https://ubu.one/apps1804

11 packages can be updated.
8 updates are security updates.


Last login: Tue Oct  3 15:36:24 2017 from 10.0.10.60
chuck@ion:~$

Note that the login now shows "ion": I ssh'd over the https port to the server. The log shows

2017.10.03 15:38:00 LOG7[0]: Service [https] started
2017.10.03 15:38:00 LOG7[0]: Option TCP_NODELAY set on local socket
2017.10.03 15:38:00 LOG5[0]: Service [https] accepted connection from 10.0.10.27:36976
2017.10.03 15:38:00 LOG6[0]: Peer certificate not required
2017.10.03 15:38:00 LOG7[0]: TLS state (accept): before/accept initialization
2017.10.03 15:38:00 LOG7[0]: Get session callback
2017.10.03 15:38:00 LOG7[0]: SNI: no virtual services defined
2017.10.03 15:38:00 LOG7[0]: New session callback
2017.10.03 15:38:00 LOG7[0]:      1 server accept(s) requested
2017.10.03 15:38:00 LOG7[0]:      1 server accept(s) succeeded
2017.10.03 15:38:00 LOG7[0]:      0 server renegotiation(s) requested
2017.10.03 15:38:00 LOG7[0]:      0 session reuse(s)
2017.10.03 15:38:00 LOG7[0]:      0 internal session cache item(s)
2017.10.03 15:38:00 LOG7[0]:      0 internal session cache fill-up(s)
2017.10.03 15:38:00 LOG7[0]:      1 internal session cache miss(es)
2017.10.03 15:38:00 LOG7[0]:      0 external session cache hit(s)
2017.10.03 15:38:00 LOG7[0]:      0 expired session(s) retrieved
2017.10.03 15:38:00 LOG6[0]: TLS accepted: new session negotiated
2017.10.03 15:38:00 LOG6[0]: No peer certificate received
2017.10.03 15:38:00 LOG6[0]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
2017.10.03 15:38:00 LOG7[0]: Compression: null, expansion: null
2017.10.03 15:38:00 LOG6[0]: failover: round-robin, starting at entry #1
2017.10.03 15:38:00 LOG6[0]: s_connect: connecting 127.0.0.1:22
2017.10.03 15:38:00 LOG7[0]: s_connect: s_poll_wait 127.0.0.1:22: waiting 10 seconds
2017.10.03 15:38:00 LOG5[0]: s_connect: connected 127.0.0.1:22
2017.10.03 15:38:00 LOG6[0]: persistence: 127.0.0.1:22 cached
2017.10.03 15:38:00 LOG5[0]: Service [https] connected remote server from 127.0.0.1:54818
2017.10.03 15:38:00 LOG7[0]: Option TCP_NODELAY set on remote socket
2017.10.03 15:38:00 LOG7[0]: Remote descriptor (FD=9) initialized

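So I know it works on Ubuntu. I noticed that during the installation of stunnel it automatically creates a "stunnel4" user, group and service. So I figured I need to try it on CentOS and see what happens.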

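I finally got it working on CentOS. It turned out that I thought I had turned off the firewall, but I actually hadn't. Adding the appropriate ports to the firewall fixed the problem. But I still can't get tcpdump to work...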
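
One way to read a stunnel debug log like the one in this answer, as an added example that is not part of the original post: the function prints one summary line per connection id. The function names are this example's own, and the sample input is constructed (connection 0 reuses lines from the log above with wrapped lines rejoined; connection 1 is invented to show a TLS handshake with no backend connect).

```shell
#!/bin/sh
# Added example (not from the original thread): one summary line per stunnel
# connection id, so a missing TLS handshake or backend connect stands out.

# Constructed sample. Connection 0 reuses lines from the log in the answer;
# connection 1 is invented: TLS is negotiated but no backend connect is logged.
sample_log() {
cat <<'EOF'
2017.10.03 15:38:00 LOG5[0]: Service [https] accepted connection from 10.0.10.27:36976
2017.10.03 15:38:00 LOG6[0]: Peer certificate not required
2017.10.03 15:38:00 LOG6[0]: No peer certificate received
2017.10.03 15:38:00 LOG6[0]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
2017.10.03 15:38:00 LOG5[0]: s_connect: connected 127.0.0.1:22
2017.10.03 15:38:01 LOG5[1]: Service [https] accepted connection from 10.0.10.27:36980
2017.10.03 15:38:01 LOG6[1]: No peer certificate received
2017.10.03 15:38:01 LOG6[1]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
EOF
}

# Reads stunnel log lines on stdin, writes one line per connection id.
summarize_stunnel_log() {
  awk '
    match($0, /LOG[0-9]\[[0-9]+\]:/) {
      id  = substr($0, RSTART + 5, RLENGTH - 7)   # number inside LOGn[id]:
      msg = substr($0, RSTART + RLENGTH + 1)      # text after the prefix
      if (!(id in peer)) { peer[id] = "unknown"; order[++n] = id }
      if (msg ~ /accepted connection from /) {
        sub(/.*accepted connection from +/, "", msg); peer[id] = msg
      } else if (msg ~ /^Negotiated /) {
        split(msg, f, " "); tls[id] = f[2] "/" f[4]
      } else if (msg ~ /^s_connect: connected /) {
        sub(/^s_connect: connected +/, "", msg); backend[id] = msg
      } else if (msg ~ /^No peer certificate received/) {
        cert[id] = "not-presented"
      }
    }
    END {
      for (i = 1; i <= n; i++) {
        id = order[i]
        printf("conn=%s peer=%s tls=%s backend=%s client_cert=%s\n", id, peer[id],
          (id in tls) ? tls[id] : "none",
          (id in backend) ? backend[id] : "none",
          (id in cert) ? cert[id] : "unknown")
      }
    }'
}

sample_log | summarize_stunnel_log
```

In the output, tls=none means no handshake was logged for that connection and backend=none means stunnel never logged a connect to the service behind it. client_cert=not-presented corresponds to the "No peer certificate received" line, which in the log above follows "Peer certificate not required".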

Answer 2

What happens if you try sniffing on the loopback interface with tcpdump using '-i lo':

tcpdump -i lo -n -v port 10051
