I have a Netgear WR703N wireless router running OpenWRT 12.09 "Attitude Adjustment", connected to my school's Ethernet network, and our IT department e-mailed me a notice that it "is transmitting traffic using an IP source address not assigned for its use".
To understand the problem, I used Wireshark (running on a PC with two bridged Ethernet interfaces) to capture all traffic to and from the router's WAN port.
The router is configured to hand out DHCP addresses for its LAN from 172.31.252.0/24. During this session its WAN IP address was 128.112.84.131. The display filter was set to `eth.addr == [WAN MAC address] and not (ip.addr == [WAN IP])`, to isolate packets coming from (or going to) my router's WAN interface that do not carry its WAN IP address. The results are below (actual MAC addresses have been removed):
```
No. Time Source Source MAC Destination Dest MAC Protocol Length Info
3721 110.017401000 0.0.0.0 Tp-LinkT_ff:ff:ff 255.255.255.255 Broadcast DHCP 393 DHCP Discover - Transaction ID 0x6f5ef88b
3726 110.021627000 128.112.133.220 Cisco_ee:ee:ee 128.112.85.26 Tp-LinkT_ff:ff:ff ICMP 98 Echo (ping) request id=0x07ea, seq=1917/32007, ttl=253
3727 110.021831000 128.112.84.1 Cisco_ee:ee:ee 128.112.85.26 Tp-LinkT_ff:ff:ff DHCP 436 DHCP Offer - Transaction ID 0x6f5ef88b
3728 110.022513000 0.0.0.0 Tp-LinkT_ff:ff:ff 255.255.255.255 Broadcast DHCP 405 DHCP Request - Transaction ID 0x6f5ef88b
13399 511.164980000 74.125.131.139 Tp-LinkT_ff:ff:ff 100.145.36.223 Cisco_ee:ee:ee TCP 54 https > 60697 [RST] Seq=1 Win=0 Len=0
13406 511.174715000 74.125.131.188 Tp-LinkT_ff:ff:ff 100.145.36.223 Cisco_ee:ee:ee TCP 54 hpvroom > 54853 [RST] Seq=1 Win=0 Len=0
13412 511.247461000 74.125.131.188 Tp-LinkT_ff:ff:ff 100.145.36.223 Cisco_ee:ee:ee TCP 54 hpvroom > 54853 [RST] Seq=348 Win=0 Len=0
13415 511.459710000 74.125.131.139 Tp-LinkT_ff:ff:ff 100.145.36.223 Cisco_ee:ee:ee TCP 54 https > 60697 [RST] Seq=1 Win=0 Len=0
13440 511.731825000 74.125.131.188 Tp-LinkT_ff:ff:ff 100.145.36.223 Cisco_ee:ee:ee TCP 54 hpvroom > 54853 [RST] Seq=348 Win=0 Len=0
13487 512.052710000 74.125.131.139 Tp-LinkT_ff:ff:ff 100.145.36.223 Cisco_ee:ee:ee TCP 54 https > 60697 [RST] Seq=1 Win=0 Len=0
13493 512.122466000 74.125.131.188 Tp-LinkT_ff:ff:ff 100.145.36.223 Cisco_ee:ee:ee TCP 54 hpvroom > 54853 [RST] Seq=348 Win=0 Len=0
13500 512.159712000 74.125.131.139 Tp-LinkT_ff:ff:ff 100.145.36.223 Cisco_ee:ee:ee TCP 54 https > 60697 [RST] Seq=1 Win=0 Len=0
13537 512.522715000 100.145.36.223 Tp-LinkT_ff:ff:ff 74.125.131.188 Cisco_ee:ee:ee TCP 93 [TCP ACKed unseen segment] 54853 > hpvroom [FIN, PSH, ACK] Seq=1 Ack=348 Win=1357 Len=27 TSval=734000 TSecr=2909129314
13544 512.674464000 100.145.36.223 Tp-LinkT_ff:ff:ff 74.125.131.188 Cisco_ee:ee:ee TCP 189 [TCP Retransmission] 54853 > hpvroom [FIN, PSH, ACK] Seq=4294967201 Ack=348 Win=1357 Len=123 TSval=734016 TSecr=2909129314
13591 512.927091000 74.125.131.188 Tp-LinkT_ff:ff:ff 100.145.36.223 Cisco_ee:ee:ee TCP 54 hpvroom > 54853 [RST] Seq=349 Win=0 Len=0
13602 513.258968000 74.125.131.139 Tp-LinkT_ff:ff:ff 100.145.36.223 Cisco_ee:ee:ee TCP 54 https > 60697 [RST] Seq=1 Win=0 Len=0
13642 514.640598000 100.145.36.223 Tp-LinkT_ff:ff:ff 74.125.131.188 Cisco_ee:ee:ee TCP 189 [TCP ACKed unseen segment] [TCP Retransmission] 54853 > hpvroom [FIN, PSH, ACK] Seq=4294967201 Ack=349 Win=1357 Len=123 TSval=734212 TSecr=2909130121
18007 685.005464000 Cisco_ee:ee:ee Cisco_ee:ee:ee Tp-LinkT_ff:ff:ff Tp-LinkT_ff:ff:ff ARP 60 Who has 128.112.84.131? Tell 128.112.84.1
18008 685.005643000 Tp-LinkT_ff:ff:ff Tp-LinkT_ff:ff:ff Cisco_ee:ee:ee Cisco_ee:ee:ee ARP 60 128.112.84.131 is at ec:88:8f:ff:ff:ff
18012 685.136301000 Cisco_ee:ee:ee Cisco_ee:ee:ee Tp-LinkT_ff:ff:ff Tp-LinkT_ff:ff:ff ARP 60 Who has 128.112.85.26? Tell 128.112.84.1
18116 689.070537000 58.17.52.14 Cisco_ee:ee:ee 128.112.85.26 Tp-LinkT_ff:ff:ff ICMP 78 Echo (ping) request id=0x300c, seq=0/0, ttl=40
19496 745.150864000 Cisco_ee:ee:ee Cisco_ee:ee:ee Tp-LinkT_ff:ff:ff Tp-LinkT_ff:ff:ff ARP 60 Who has 128.112.85.26? Tell 128.112.84.1
30283 1224.998095000 Cisco_ee:ee:ee Cisco_ee:ee:ee Tp-LinkT_ff:ff:ff Tp-LinkT_ff:ff:ff ARP 60 Who has 128.112.84.131? Tell 128.112.84.1
30284 1224.998246000 Tp-LinkT_ff:ff:ff Tp-LinkT_ff:ff:ff Cisco_ee:ee:ee Cisco_ee:ee:ee ARP 60 128.112.84.131 is at ec:88:8f:ff:ff:ff
42190 1732.009084000 100.185.169.31 Tp-LinkT_ff:ff:ff 103.7.31.151 Cisco_ee:ee:ee TCP 54 58291 > https [FIN, ACK] Seq=1 Ack=1 Win=1357 Len=0
42285 1733.097086000 100.185.169.31 Tp-LinkT_ff:ff:ff 103.7.31.151 Cisco_ee:ee:ee TCP 54 [TCP Retransmission] 58291 > https [FIN, ACK] Seq=1 Ack=1 Win=1357 Len=0
42347 1735.277968000 100.185.169.31 Tp-LinkT_ff:ff:ff 103.7.31.151 Cisco_ee:ee:ee TCP 54 [TCP Retransmission] 58291 > https [FIN, ACK] Seq=1 Ack=1 Win=1357 Len=0
43141 1764.992183000 Cisco_ee:ee:ee Cisco_ee:ee:ee Tp-LinkT_ff:ff:ff Tp-LinkT_ff:ff:ff ARP 60 Who has 128.112.84.131? Tell 128.112.84.1
43142 1764.992460000 Tp-LinkT_ff:ff:ff Tp-LinkT_ff:ff:ff Cisco_ee:ee:ee Cisco_ee:ee:ee ARP 60 128.112.84.131 is at ec:88:8f:ff:ff:ff
55031 2304.982717000 Cisco_ee:ee:ee Cisco_ee:ee:ee Tp-LinkT_ff:ff:ff Tp-LinkT_ff:ff:ff ARP 60 Who has 128.112.84.131? Tell 128.112.84.1
55032 2304.982956000 Tp-LinkT_ff:ff:ff Tp-LinkT_ff:ff:ff Cisco_ee:ee:ee Cisco_ee:ee:ee ARP 60 128.112.84.131 is at ec:88:8f:ff:ff:ff
70170 2844.995066000 Cisco_ee:ee:ee Cisco_ee:ee:ee Tp-LinkT_ff:ff:ff Tp-LinkT_ff:ff:ff ARP 60 Who has 128.112.84.131? Tell 128.112.84.1
71453 2904.997024000 Cisco_ee:ee:ee Cisco_ee:ee:ee Tp-LinkT_ff:ff:ff Tp-LinkT_ff:ff:ff ARP 60 Who has 128.112.84.131? Tell 128.112.84.1
72688 2964.972284000 Cisco_ee:ee:ee Cisco_ee:ee:ee Tp-LinkT_ff:ff:ff Tp-LinkT_ff:ff:ff ARP 60 Who has 128.112.84.131? Tell 128.112.84.1
```
As can be seen, packets 13399-13642 and 42190-42347 did indeed come from my router, and their source IPs differ from its assigned WAN IP. Both packet bursts were triggered when my Android phone, which had been connected to a different wireless network, switched over to the router's wireless network. (That other wireless network assigns IPs from 10.8.*.*.) The second time it happened I was watching the phone and noticed that the signal bars briefly flashed an "H" while the Wi-Fi connection was being established, so it looks like the phone momentarily connected to the cellular data network while switching Wi-Fi networks.
I also tried switching between the router's wireless network, the other wireless network and the cellular network in various ways, but could not reliably trigger the invalid packets.
After reading some online material about "NAT leakage", I put the following command into my firewall script before the capture and verified that it was present with `iptables -t filter -L`, but it did not help:

```
iptables -t filter -I FORWARD -o wan -m conntrack --ctstate INVALID -j DROP
```
So, my questions are:
How did this happen, and why? Where do these packets come from, and how should I investigate further?
How can I prevent these packets from leaving the WAN interface?
Please let me know if you need more information.
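The display filter used above matches two different things at once: frames the router's WAN MAC emitted with a foreign source address (the ones the IT notice is about) and frames the upstream side addressed to that MAC for some other IP (the pings to 128.112.85.26). The following Python script is an added example, not code from the original post, OpenWrt or Wireshark; it applies that split programmatically to a Wireshark packet-list export in the column layout shown above, with Wireshark's MAC name resolution on. The function names are my own; the sample rows are copied from the capture above, with the resolved MAC string `Tp-LinkT_ff:ff:ff` standing in for the real WAN MAC that the author removed.

```python
"""Separate a Wireshark packet-list export into the two cases the author's filter mixes.

Added example, not code from the original post, OpenWrt or Wireshark. It expects
the nine-column layout shown above (No., Time, Source, Source MAC, Destination,
Dest MAC, Protocol, Length, Info) as exported with MAC name resolution enabled.
"""
import ipaddress
from collections import defaultdict

# Resolved MAC string exactly as Wireshark printed it (real MAC removed in the post).
WAN_MAC = "Tp-LinkT_ff:ff:ff"
WAN_IP = "128.112.84.131"

# A subset of the rows from the capture above, enough to exercise every branch.
CAPTURE = """\
3721 110.017401000 0.0.0.0 Tp-LinkT_ff:ff:ff 255.255.255.255 Broadcast DHCP 393 DHCP Discover - Transaction ID 0x6f5ef88b
3726 110.021627000 128.112.133.220 Cisco_ee:ee:ee 128.112.85.26 Tp-LinkT_ff:ff:ff ICMP 98 Echo (ping) request id=0x07ea, seq=1917/32007, ttl=253
13399 511.164980000 74.125.131.139 Tp-LinkT_ff:ff:ff 100.145.36.223 Cisco_ee:ee:ee TCP 54 https > 60697 [RST] Seq=1 Win=0 Len=0
13537 512.522715000 100.145.36.223 Tp-LinkT_ff:ff:ff 74.125.131.188 Cisco_ee:ee:ee TCP 93 [TCP ACKed unseen segment] 54853 > hpvroom [FIN, PSH, ACK] Seq=1 Ack=348 Win=1357 Len=27 TSval=734000 TSecr=2909129314
18007 685.005464000 Cisco_ee:ee:ee Cisco_ee:ee:ee Tp-LinkT_ff:ff:ff Tp-LinkT_ff:ff:ff ARP 60 Who has 128.112.84.131? Tell 128.112.84.1
18008 685.005643000 Tp-LinkT_ff:ff:ff Tp-LinkT_ff:ff:ff Cisco_ee:ee:ee Cisco_ee:ee:ee ARP 60 128.112.84.131 is at ec:88:8f:ff:ff:ff
42190 1732.009084000 100.185.169.31 Tp-LinkT_ff:ff:ff 103.7.31.151 Cisco_ee:ee:ee TCP 54 58291 > https [FIN, ACK] Seq=1 Ack=1 Win=1357 Len=0
"""

COLUMNS = ("no", "time", "src", "src_mac", "dst", "dst_mac", "proto", "length", "info")


def parse_row(line):
    """Split one packet-list row into a dict; the Info column keeps its spaces."""
    parts = line.split(None, len(COLUMNS) - 1)
    if len(parts) < len(COLUMNS) - 1 or not parts[0].isdigit():
        return None  # header line, blank line or something that is not a row
    parts += [""] * (len(COLUMNS) - len(parts))
    row = dict(zip(COLUMNS, parts))
    row["no"] = int(row["no"])
    return row


def is_ipv4(text):
    """ARP rows carry resolved MAC names in the address columns, so check explicitly."""
    try:
        ipaddress.IPv4Address(text)
    except ValueError:
        return False
    return True


def egress_with_foreign_source(capture, wan_mac=WAN_MAC, wan_ip=WAN_IP):
    """Frames the WAN MAC sent whose IPv4 source is not its own address.

    0.0.0.0 is excluded: a DHCP client that has no lease yet legitimately sends
    from the unspecified address. Returns {source_ip: [frame numbers]}.
    """
    hits = defaultdict(list)
    for line in capture.splitlines():
        row = parse_row(line)
        if row is None or row["src_mac"] != wan_mac or not is_ipv4(row["src"]):
            continue
        if row["src"] in (wan_ip, "0.0.0.0"):
            continue
        hits[row["src"]].append(row["no"])
    return dict(hits)


def ingress_for_other_address(capture, wan_mac=WAN_MAC, wan_ip=WAN_IP):
    """Frames delivered to the WAN MAC whose IPv4 destination is not the WAN IP.

    The author's display filter matches these too; listing them separately keeps
    them apart from the router's own emissions. Broadcasts are skipped.
    Returns {destination_ip: [frame numbers]}.
    """
    hits = defaultdict(list)
    for line in capture.splitlines():
        row = parse_row(line)
        if row is None or row["dst_mac"] != wan_mac or not is_ipv4(row["dst"]):
            continue
        if row["dst"] in (wan_ip, "255.255.255.255"):
            continue
        hits[row["dst"]].append(row["no"])
    return dict(hits)


if __name__ == "__main__":
    for ip, frames in egress_with_foreign_source(CAPTURE).items():
        print(f"egress from foreign source {ip}: frames {frames}")
    for ip, frames in ingress_for_other_address(CAPTURE).items():
        print(f"ingress to non-WAN address {ip}: frames {frames}")
```

Run against the sample rows, the egress function reports the three foreign source addresses the author identified (74.125.131.139, 100.145.36.223 and 100.185.169.31), while the ingress function reports only 128.112.85.26, so the two halves of the original filter can be examined independently; the same script can be fed a full "File > Export Packet Dissections > As Plain Text" packet list with the same columns.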