I am using socat to forward UDP traffic from one port to another with the following command:
socat -T5 UDP4-LISTEN:12345,reuseaddr,fork UDP4:127.0.0.1:23456,bind=127.0.0.2,so-bindtodevice=lo
I am testing with netcat, running nc -u -l -p 23456 -vv and then echo test | nc -u 127.0.0.1 12345. This gives me the following unexpected output:
listening on [any] 23456 ...
connect to [<myPublicIp>] from <hostname> [<myPublicIp>] 53995
test
I would have expected to see the source address 127.0.0.2 rather than <myPublicIp>. Am I misunderstanding something about networking, or am I using socat incorrectly?
The affected server runs Debian 10 with Linux kernel 4.19.0-13-amd64 and socat version 1.7.3.2.
Edit: When using TCP, the output is slightly different:
listening on [any] 23456 ...
connect to [127.0.0.1] from <hostname> [<myPublicIp>] 48520
test
As requested, the relevant output of netstat -aun:
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 0.0.0.0:12345 0.0.0.0:*
udp 0 0 <myPublicIp>:23456 <myPublicIp>:54299 ESTABLISHED
udp 0 0 127.0.0.1:33156 127.0.0.1:12345 ESTABLISHED
Edit 2: I can confirm that this does not happen on a fresh Debian install. I also tried a few other things:
Creating another tunnel interface and having socat use that interface. The commands executed were:
tunctl
ifconfig tap1 192.168.10.1 netmask 255.255.255.255 up
socat -T5 UDP4-LISTEN:12345,reuseaddr,fork UDP4:127.0.0.1:23456,bind=192.168.10.1,so-bindtodevice=tap1
The behaviour I observed is exactly the same as in the UDP example above; all requests appear to originate from <myPublicIp>.
I also tried creating additional loopback addresses using this approach:
ifconfig lo:10 192.168.10.1 netmask 255.255.255.0 up
socat -T5 UDP4-LISTEN:12345,reuseaddr,fork UDP4:127.0.0.1:23456,bind=192.168.10.1
This does work; the requests appear to come from 192.168.10.1. Using
socat -T5 UDP4-LISTEN:12345,reuseaddr,fork UDP4:127.0.0.1:23456,bind=192.168.10.2
(a different bind address) does not work; the requests now originate from 192.168.10.1.
Creating multiple aliases of lo does not work either:
ifconfig lo:1 192.168.10.1 netmask 255.255.255.255 up
ifconfig lo:2 192.168.10.2 netmask 255.255.255.255 up
ifconfig lo:3 192.168.10.3 netmask 255.255.255.255 up
Trying to use any of these interfaces results in all requests coming from the first interface created, in this case 192.168.10.1. Removing lo:1 causes all requests to come from 192.168.10.2. After re-adding lo:1, the requests still come from 192.168.10.2, because lo:2 is now the "oldest" interface alias.
Edit 3:
Firewall rules (as requested). enp35s0 is my public interface.
# Generated by xtables-save v1.8.2 on Fri Jul 23 12:15:33 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-USER - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
-A INPUT -i enp35s0 -p udp -m state --state NEW -m udp --dport 1195 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i enp35s0 -p udp -m state --state NEW -m udp --dport 1195 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i enp35s0 -p udp -m state --state NEW -m udp --dport 1195 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i enp35s0 -p udp -m state --state NEW -m udp --dport 1195 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i enp35s0 -p udp -m state --state NEW -m udp --dport 1195 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-d83e4273341d -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-d83e4273341d -j DOCKER
-A FORWARD -i br-d83e4273341d ! -o br-d83e4273341d -j ACCEPT
-A FORWARD -i br-d83e4273341d -o br-d83e4273341d -j ACCEPT
-A FORWARD -o br-adf3fed056db -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-adf3fed056db -j DOCKER
-A FORWARD -i br-adf3fed056db ! -o br-adf3fed056db -j ACCEPT
-A FORWARD -i br-adf3fed056db -o br-adf3fed056db -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp35s0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp35s0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp35s0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp35s0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o enp35s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp35s0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A DOCKER -d 172.18.0.4/32 ! -i br-adf3fed056db -o br-adf3fed056db -p tcp -m tcp --dport 8048 -j ACCEPT
-A DOCKER -d 172.18.0.4/32 ! -i br-adf3fed056db -o br-adf3fed056db -p tcp -m tcp --dport 8008 -j ACCEPT
-A DOCKER -d 172.18.0.5/32 ! -i br-adf3fed056db -o br-adf3fed056db -p tcp -m tcp --dport 9005 -j ACCEPT
-A DOCKER -d 172.18.0.8/32 ! -i br-adf3fed056db -o br-adf3fed056db -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.18.0.10/32 ! -i br-adf3fed056db -o br-adf3fed056db -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.18.0.11/32 ! -i br-adf3fed056db -o br-adf3fed056db -p tcp -m tcp --dport 8090 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-d83e4273341d -o br-d83e4273341d -p udp -m udp --dport 49172 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-d83e4273341d -o br-d83e4273341d -p udp -m udp --dport 49171 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-d83e4273341d -o br-d83e4273341d -p udp -m udp --dport 49170 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-d83e4273341d -o br-d83e4273341d -p udp -m udp --dport 49169 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-d83e4273341d -o br-d83e4273341d -p udp -m udp --dport 49168 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-d83e4273341d -o br-d83e4273341d -p udp -m udp --dport 49167 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-d83e4273341d -o br-d83e4273341d -p udp -m udp --dport 49166 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-d83e4273341d -o br-d83e4273341d -p udp -m udp --dport 49165 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-d83e4273341d -o br-d83e4273341d -p udp -m udp --dport 49164 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-d83e4273341d -o br-d83e4273341d -p udp -m udp --dport 49163 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-d83e4273341d -o br-d83e4273341d -p udp -m udp --dport 49162 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-d83e4273341d -o br-d83e4273341d -p udp -m udp --dport 49161 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-d83e4273341d -o br-d83e4273341d -p udp -m udp --dport 49160 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-d83e4273341d -o br-d83e4273341d -p udp -m udp --dport 49159 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-d83e4273341d -o br-d83e4273341d -p udp -m udp --dport 49158 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-d83e4273341d -o br-d83e4273341d -p udp -m udp --dport 49157 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-d83e4273341d -o br-d83e4273341d -p udp -m udp --dport 49156 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-d83e4273341d -o br-d83e4273341d -p udp -m udp --dport 49155 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-d83e4273341d -o br-d83e4273341d -p udp -m udp --dport 49154 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-d83e4273341d -o br-d83e4273341d -p udp -m udp --dport 49153 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-d83e4273341d -o br-d83e4273341d -p udp -m udp --dport 49152 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-d83e4273341d -o br-d83e4273341d -p tcp -m tcp --dport 5349 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-d83e4273341d -o br-d83e4273341d -p udp -m udp --dport 5349 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-d83e4273341d -o br-d83e4273341d -p tcp -m tcp --dport 3478 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-d83e4273341d -o br-d83e4273341d -p udp -m udp --dport 3478 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-d83e4273341d ! -o br-d83e4273341d -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-adf3fed056db ! -o br-adf3fed056db -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-USER -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-d83e4273341d -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-adf3fed056db -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
COMMIT
# Completed on Fri Jul 23 12:15:33 2021
# Generated by xtables-save v1.8.2 on Fri Jul 23 12:15:33 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -p tcp -m tcp --dport 12348 -j DNAT --to-destination 10.9.0.11:62128
-A PREROUTING -p tcp -m tcp --dport 12348 -j DNAT --to-destination 10.9.0.11:62128
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -p tcp -m tcp --dport 12348 -j DNAT --to-destination 10.9.0.11:62128
-A PREROUTING -p tcp -m tcp --dport 12348 -j DNAT --to-destination 10.9.0.11:62128
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.19.0.0/16 ! -o br-d83e4273341d -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-adf3fed056db -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o enp35s0 -j MASQUERADE
-A POSTROUTING -s 10.9.0.0/24 -o enp35s0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o enp35s0 -j MASQUERADE
-A POSTROUTING -s 10.9.0.0/24 -o enp35s0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -s 172.18.0.4/32 -d 172.18.0.4/32 -p tcp -m tcp --dport 8048 -j MASQUERADE
-A POSTROUTING -s 172.18.0.4/32 -d 172.18.0.4/32 -p tcp -m tcp --dport 8008 -j MASQUERADE
-A POSTROUTING -s 172.18.0.5/32 -d 172.18.0.5/32 -p tcp -m tcp --dport 9005 -j MASQUERADE
-A POSTROUTING -s 172.18.0.8/32 -d 172.18.0.8/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
-A POSTROUTING -s 172.18.0.10/32 -d 172.18.0.10/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
-A POSTROUTING -s 172.18.0.11/32 -d 172.18.0.11/32 -p tcp -m tcp --dport 8090 -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p udp -m udp --dport 49172 -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p udp -m udp --dport 49171 -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p udp -m udp --dport 49170 -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p udp -m udp --dport 49169 -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p udp -m udp --dport 49168 -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p udp -m udp --dport 49167 -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p udp -m udp --dport 49166 -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p udp -m udp --dport 49165 -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p udp -m udp --dport 49164 -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p udp -m udp --dport 49163 -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p udp -m udp --dport 49162 -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p udp -m udp --dport 49161 -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p udp -m udp --dport 49160 -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p udp -m udp --dport 49159 -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p udp -m udp --dport 49158 -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p udp -m udp --dport 49157 -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p udp -m udp --dport 49156 -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p udp -m udp --dport 49155 -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p udp -m udp --dport 49154 -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p udp -m udp --dport 49153 -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p udp -m udp --dport 49152 -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p tcp -m tcp --dport 5349 -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p udp -m udp --dport 5349 -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p tcp -m tcp --dport 3478 -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p udp -m udp --dport 3478 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o enp35s0 -j MASQUERADE
-A POSTROUTING -s 10.9.0.0/24 -o enp35s0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o enp35s0 -j MASQUERADE
-A POSTROUTING -s 10.9.0.0/24 -o enp35s0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o enp35s0 -j MASQUERADE
-A POSTROUTING -s 10.9.0.0/24 -o enp35s0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-d83e4273341d -j RETURN
-A DOCKER -i br-adf3fed056db -j RETURN
-A DOCKER -d 127.0.0.1/32 ! -i br-adf3fed056db -p tcp -m tcp --dport 8048 -j DNAT --to-destination 172.18.0.4:8048
-A DOCKER -d 127.0.0.1/32 ! -i br-adf3fed056db -p tcp -m tcp --dport 8008 -j DNAT --to-destination 172.18.0.4:8008
-A DOCKER -d 127.0.0.1/32 ! -i br-adf3fed056db -p tcp -m tcp --dport 9005 -j DNAT --to-destination 172.18.0.5:9005
-A DOCKER -d 127.0.0.1/32 ! -i br-adf3fed056db -p tcp -m tcp --dport 9006 -j DNAT --to-destination 172.18.0.8:8080
-A DOCKER -d 127.0.0.1/32 ! -i br-adf3fed056db -p tcp -m tcp --dport 8765 -j DNAT --to-destination 172.18.0.10:8080
-A DOCKER -d 127.0.0.1/32 ! -i br-adf3fed056db -p tcp -m tcp --dport 8090 -j DNAT --to-destination 172.18.0.11:8090
-A DOCKER ! -i br-d83e4273341d -p udp -m udp --dport 49172 -j DNAT --to-destination 172.19.0.2:49172
-A DOCKER ! -i br-d83e4273341d -p udp -m udp --dport 49171 -j DNAT --to-destination 172.19.0.2:49171
-A DOCKER ! -i br-d83e4273341d -p udp -m udp --dport 49170 -j DNAT --to-destination 172.19.0.2:49170
-A DOCKER ! -i br-d83e4273341d -p udp -m udp --dport 49169 -j DNAT --to-destination 172.19.0.2:49169
-A DOCKER ! -i br-d83e4273341d -p udp -m udp --dport 49168 -j DNAT --to-destination 172.19.0.2:49168
-A DOCKER ! -i br-d83e4273341d -p udp -m udp --dport 49167 -j DNAT --to-destination 172.19.0.2:49167
-A DOCKER ! -i br-d83e4273341d -p udp -m udp --dport 49166 -j DNAT --to-destination 172.19.0.2:49166
-A DOCKER ! -i br-d83e4273341d -p udp -m udp --dport 49165 -j DNAT --to-destination 172.19.0.2:49165
-A DOCKER ! -i br-d83e4273341d -p udp -m udp --dport 49164 -j DNAT --to-destination 172.19.0.2:49164
-A DOCKER ! -i br-d83e4273341d -p udp -m udp --dport 49163 -j DNAT --to-destination 172.19.0.2:49163
-A DOCKER ! -i br-d83e4273341d -p udp -m udp --dport 49162 -j DNAT --to-destination 172.19.0.2:49162
-A DOCKER ! -i br-d83e4273341d -p udp -m udp --dport 49161 -j DNAT --to-destination 172.19.0.2:49161
-A DOCKER ! -i br-d83e4273341d -p udp -m udp --dport 49160 -j DNAT --to-destination 172.19.0.2:49160
-A DOCKER ! -i br-d83e4273341d -p udp -m udp --dport 49159 -j DNAT --to-destination 172.19.0.2:49159
-A DOCKER ! -i br-d83e4273341d -p udp -m udp --dport 49158 -j DNAT --to-destination 172.19.0.2:49158
-A DOCKER ! -i br-d83e4273341d -p udp -m udp --dport 49157 -j DNAT --to-destination 172.19.0.2:49157
-A DOCKER ! -i br-d83e4273341d -p udp -m udp --dport 49156 -j DNAT --to-destination 172.19.0.2:49156
-A DOCKER ! -i br-d83e4273341d -p udp -m udp --dport 49155 -j DNAT --to-destination 172.19.0.2:49155
-A DOCKER ! -i br-d83e4273341d -p udp -m udp --dport 49154 -j DNAT --to-destination 172.19.0.2:49154
-A DOCKER ! -i br-d83e4273341d -p udp -m udp --dport 49153 -j DNAT --to-destination 172.19.0.2:49153
-A DOCKER ! -i br-d83e4273341d -p udp -m udp --dport 49152 -j DNAT --to-destination 172.19.0.2:49152
-A DOCKER ! -i br-d83e4273341d -p tcp -m tcp --dport 5349 -j DNAT --to-destination 172.19.0.2:5349
-A DOCKER ! -i br-d83e4273341d -p udp -m udp --dport 5349 -j DNAT --to-destination 172.19.0.2:5349
-A DOCKER ! -i br-d83e4273341d -p tcp -m tcp --dport 3478 -j DNAT --to-destination 172.19.0.2:3478
-A DOCKER ! -i br-d83e4273341d -p udp -m udp --dport 3478 -j DNAT --to-destination 172.19.0.2:3478
COMMIT
# Completed on Fri Jul 23 12:15:33 2021
# Generated by xtables-save v1.8.2 on Fri Jul 23 12:15:33 2021
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Fri Jul 23 12:15:33 2021
Output of ip a:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp35s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether a8:a1:59:48:f5:da brd ff:ff:ff:ff:ff:ff
inet <myPublicIPv4>/26 brd 135.181.209.63 scope global enp35s0
valid_lft forever preferred_lft forever
inet6 <myPublicIPv6>/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::aaa1:59ff:fe48:f5da/64 scope link
valid_lft forever preferred_lft forever
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:f4:2e:c5:95 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:f4ff:fe2e:c595/64 scope link
valid_lft forever preferred_lft forever
6: br-adf3fed056db: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:4b:fd:ae:6f brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-adf3fed056db
valid_lft forever preferred_lft forever
inet6 fe80::42:4bff:fefd:ae6f/64 scope link
valid_lft forever preferred_lft forever
216865: veth225712d@if216864: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-d83e4273341d state UP group default
link/ether 32:65:78:a0:be:47 brd ff:ff:ff:ff:ff:ff link-netnsid 10
inet6 fe80::3065:78ff:fea0:be47/64 scope link
valid_lft forever preferred_lft forever
61: br-d83e4273341d: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:c4:38:c9:c5 brd ff:ff:ff:ff:ff:ff
inet 172.19.0.1/16 brd 172.19.255.255 scope global br-d83e4273341d
valid_lft forever preferred_lft forever
inet6 fe80::42:c4ff:fe38:c9c5/64 scope link
valid_lft forever preferred_lft forever
202134: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/ether 36:e7:1a:1f:b5:c8 brd ff:ff:ff:ff:ff:ff
inet 10.9.0.1/24 brd 10.9.0.255 scope global tap0
valid_lft forever preferred_lft forever
inet6 fe80::34e7:1aff:fe1f:b5c8/64 scope link
valid_lft forever preferred_lft forever
202135: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::cc13:3dec:ab8c:2e3b/64 scope link stable-privacy
valid_lft forever preferred_lft forever
88033: veth0949050@if88032: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-adf3fed056db state UP group default
link/ether 1e:e0:14:92:f3:ad brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::1ce0:14ff:fe92:f3ad/64 scope link
valid_lft forever preferred_lft forever
88035: veth5621bc2@if88034: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-adf3fed056db state UP group default
link/ether 66:a7:77:bd:d0:ca brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet6 fe80::64a7:77ff:febd:d0ca/64 scope link
valid_lft forever preferred_lft forever
88037: veth00b963e@if88036: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-adf3fed056db state UP group default
link/ether e6:18:ec:30:5c:a6 brd ff:ff:ff:ff:ff:ff link-netnsid 3
inet6 fe80::e418:ecff:fe30:5ca6/64 scope link
valid_lft forever preferred_lft forever
88041: vethda3acd6@if88040: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-adf3fed056db state UP group default
link/ether 3a:ad:d7:6c:fa:cb brd ff:ff:ff:ff:ff:ff link-netnsid 4
inet6 fe80::38ad:d7ff:fe6c:facb/64 scope link
valid_lft forever preferred_lft forever
88043: veth2f937b7@if88042: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-adf3fed056db state UP group default
link/ether ea:9e:65:d9:9a:f3 brd ff:ff:ff:ff:ff:ff link-netnsid 5
inet6 fe80::e89e:65ff:fed9:9af3/64 scope link
valid_lft forever preferred_lft forever
88045: vethac132e2@if88044: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-adf3fed056db state UP group default
link/ether e2:46:7e:4f:71:52 brd ff:ff:ff:ff:ff:ff link-netnsid 6
inet6 fe80::e046:7eff:fe4f:7152/64 scope link
valid_lft forever preferred_lft forever
88049: vethe8f0958@if88048: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-adf3fed056db state UP group default
link/ether 9a:e9:40:f1:4d:6b brd ff:ff:ff:ff:ff:ff link-netnsid 7
inet6 fe80::98e9:40ff:fef1:4d6b/64 scope link
valid_lft forever preferred_lft forever
88053: vethf57e351@if88052: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-adf3fed056db state UP group default
link/ether 6a:52:e2:51:c5:7d brd ff:ff:ff:ff:ff:ff link-netnsid 2
inet6 fe80::6852:e2ff:fe51:c57d/64 scope link
valid_lft forever preferred_lft forever
88055: vethec5ddd0@if88054: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-adf3fed056db state UP group default
link/ether 76:69:ec:ce:e7:f8 brd ff:ff:ff:ff:ff:ff link-netnsid 8
inet6 fe80::7469:ecff:fece:e7f8/64 scope link
valid_lft forever preferred_lft forever
88057: veth473fda8@if88056: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-adf3fed056db state UP group default
link/ether 36:48:f4:47:26:81 brd ff:ff:ff:ff:ff:ff link-netnsid 9
inet6 fe80::3448:f4ff:fe47:2681/64 scope link
valid_lft forever preferred_lft forever
Edit 4:
Output as requested in Trolzen's answer:
# socat -d -d UDP-RECVFROM:23456,fork -
2021/08/12 12:12:07 socat[4506] N receiving on AF=2 0.0.0.0:23456
2021/08/12 12:12:11 socat[4506] N receiving packet from AF=2 <myPublicIp>:47228
2021/08/12 12:12:11 socat[4506] N forked off child process 4510
2021/08/12 12:12:11 socat[4510] N reading from and writing to stdio
2021/08/12 12:12:11 socat[4510] N starting data transfer loop with FDs [5,5] and [0,1]
2021/08/12 12:12:11 socat[4510] N received packet with 5 bytes from AF=2 <myPublicIp>:47228
test
2021/08/12 12:12:11 socat[4510] N socket 1 (fd 5) is at EOF
2021/08/12 12:12:11 socat[4506] N receiving on AF=2 0.0.0.0:23456
2021/08/12 12:12:12 socat[4510] N exiting with status 0
2021/08/12 12:12:12 socat[4506] N receiving on AF=2 0.0.0.0:23456
# socat -d -d -T.5 UDP-LISTEN:23456,fork -
2021/08/12 12:15:20 socat[4811] N listening on UDP AF=2 0.0.0.0:23456
2021/08/12 12:15:23 socat[4811] N accepting UDP connection from AF=2 <myPublicIp>:55887
2021/08/12 12:15:23 socat[4811] N forked off child process 4817
2021/08/12 12:15:23 socat[4811] N listening on UDP AF=2 0.0.0.0:23456
2021/08/12 12:15:23 socat[4817] N reading from and writing to stdio
2021/08/12 12:15:23 socat[4817] N starting data transfer loop with FDs [5,5] and [0,1]
test
2021/08/12 12:15:23 socat[4817] N inactivity timeout triggered
2021/08/12 12:15:23 socat[4817] N exiting with status 0
2021/08/12 12:15:23 socat[4811] N childdied(): handling signal 17
# socat -d -d UDP-RECV:23456 -
2021/08/12 12:16:12 socat[4891] N reading from and writing to stdio
2021/08/12 12:16:12 socat[4891] N starting data transfer loop with FDs [5,5] and [0,1]
2021/08/12 12:16:15 socat[4891] N received packet with 5 bytes from AF=2 <myPublicIp>:42481
test
Output of the "main command":
2021/08/12 12:22:37 socat[5435] N accepting UDP connection from AF=2 <myPublicIp>:40659
2021/08/12 12:22:37 socat[5435] N forked off child process 5482
2021/08/12 12:22:37 socat[5435] N listening on UDP AF=2 0.0.0.0:12345
2021/08/12 12:22:37 socat[5482] N opening connection to AF=2 127.0.0.1:23456
2021/08/12 12:22:37 socat[5482] N successfully connected from local address AF=2 127.0.0.2:36305
2021/08/12 12:22:37 socat[5482] N starting data transfer loop with FDs [5,5] and [6,6]
2021/08/12 12:22:42 socat[5482] N inactivity timeout triggered
2021/08/12 12:22:42 socat[5482] N exiting with status 0
2021/08/12 12:22:42 socat[5435] N childdied(): handling signal 17
My netcat version is not the problem. Netcat is just an example application I used for testing; I can also see the problem in packet dumps.
Answer 1
Try changing the scope of the lo interface - I think you need to change it from host to global.
If you are on Debian you can do this in /etc/network/interfaces (you need to run ifdown lo and ifup lo for it to take effect), or with the command ip addr set dev lo scope global (I think).
I had to do this so that DNS queries from localhost got the correct source address set, so that they could receive replies from a DNS server hosted on localhost that is also reachable on other interfaces.
Answer 2
As you confirmed, since this behaviour cannot be reproduced, it is not a misunderstanding or incorrect use of socat on your part. It is a problem in your specific setup: a misconfiguration, or an incorrect diagnosis with nc. Here are some troubleshooting suggestions.
I will use the following terms to refer to the commands:
- generator, command 1 (I have added -q0 so that nc does not "hang"): echo test | nc -u -q0 127.0.0.1 12345
- main command, command 2:
socat -T5 UDP4-LISTEN:12345,reuseaddr,fork UDP4:127.0.0.1:23456,bind=127.0.0.2,so-bindtodevice=lo
- receiver, receiving command, command 3:
nc -u -l -p 23456 -vv
1. More diagnostics.
Replace the receiver command with one of the following (they are nearly equivalent):
socat -d -d UDP-RECVFROM:23456,fork -
socat -d -d -T.5 UDP-LISTEN:23456,fork -
socat -d -d UDP-RECV:23456 -
Also add -d -d to the main command.
This will give you more information about what is actually happening.
2. Analyze the packets.
Use a packet dumper and analyzer (Wireshark, tcpdump) on all interfaces to capture the packets and find out what is really being sent.
3. Check the packet filter rules.
Besides the packet filter rules you provided, there are three more tables to look at:
sudo iptables -S -t nat
sudo iptables -S -t mangle
sudo iptables -S -t raw
4. Netcat version
What version of nc is it? Could it be buggy? Also note that there are two netcats: the traditional one and the OpenBSD one.
$ nc -h 2>&1 | head -n 1
[v1.10-41.1]
Correct behaviour (for reference)
Command 1:
$ echo test | nc -u -q0 127.0.0.1 12345
$
Command 2:
$ sudo socat -T5 -d -d UDP4-LISTEN:12345,reuseaddr,fork UDP4:127.0.0.1:23456,bind=127.0.0.2,so-bindtodevice=lo
2021/07/23 01:49:48 socat[4617] N listening on UDP AF=2 0.0.0.0:12345
2021/07/23 01:51:12 socat[4617] N accepting UDP connection from AF=2 127.0.0.1:59877
2021/07/23 01:51:12 socat[4617] N forked off child process 4622
2021/07/23 01:51:12 socat[4617] N listening on UDP AF=2 0.0.0.0:12345
2021/07/23 01:51:12 socat[4622] N opening connection to AF=2 127.0.0.1:23456
2021/07/23 01:51:12 socat[4622] N successfully connected from local address AF=2 127.0.0.2:36338
2021/07/23 01:51:12 socat[4622] N starting data transfer loop with FDs [5,5] and [6,6]
2021/07/23 01:51:17 socat[4622] N inactivity timeout triggered
2021/07/23 01:51:17 socat[4622] N exiting with status 0
2021/07/23 01:51:17 socat[4617] N childdied(): handling signal 17
Command 3:
vagrant@packer-debian-10-amd64:~$ socat -d -d UDP-RECVFROM:23456,fork -
2021/07/23 01:50:54 socat[4619] N receiving on AF=2 0.0.0.0:23456
2021/07/23 01:51:12 socat[4619] N receiving packet from AF=2 127.0.0.2:36338
2021/07/23 01:51:12 socat[4619] N forked off child process 4623
2021/07/23 01:51:12 socat[4623] N reading from and writing to stdio
2021/07/23 01:51:12 socat[4623] N starting data transfer loop with FDs [5,5] and [0,1]
2021/07/23 01:51:12 socat[4623] N received packet with 5 bytes from AF=2 127.0.0.2:36338
2021/07/23 01:51:12 socat[4619] N receiving on AF=2 0.0.0.0:23456
test
2021/07/23 01:51:12 socat[4623] N socket 1 (fd 5) is at EOF
2021/07/23 01:51:13 socat[4623] N exiting with status 0
2021/07/23 01:51:13 socat[4619] N receiving on AF=2 0.0.0.0:23456
Side note.
I think the so-bindtodevice=lo option in the main command is unnecessary, since you already bind to an IP address with bind=127.0.0.2. If your task is not to learn every socat behaviour but rather to get something done (for example, forwarding specific UDP traffic between subnets), I suggest using the packet filter and its NAT capabilities for the job. That would be the proper approach, because socat works at the application level (L7), whereas the packet filter works at the network level (L3).
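A check for step 3 of the answer above, added here as an example that is not part of either answer or of the socat project: the nat table posted in the question contains -A POSTROUTING -j MASQUERADE entries that name neither a source network (-s) nor an outgoing interface (-o), and a rule written that way also matches packets leaving lo. The script below works on a constructed sample modelled on that dump (the interface name enp35s0 is taken from the question); it lists unrestricted source-NAT rules, counts rules that appear more than once, and prints the same ruleset with an -o restriction added to the unrestricted ones.

```shell
#!/bin/sh
# Audit an iptables-save style nat table for source-NAT rules that are not
# limited by source network (-s) or outgoing interface (-o). Such rules also
# match loopback traffic, so every packet leaving lo gets its source rewritten.

# Constructed sample, modelled on the nat table posted in the question.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o enp35s0 -j MASQUERADE
-A POSTROUTING -s 10.9.0.0/24 -o enp35s0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o enp35s0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
COMMIT'

# Print every POSTROUTING MASQUERADE/SNAT rule that carries neither -s nor -o.
unrestricted_snat() {
    printf '%s\n' "$1" | awk '
        /^-A POSTROUTING/ && /-j (MASQUERADE|SNAT)/ {
            restricted = 0
            for (i = 1; i <= NF; i++)
                if ($i == "-s" || $i == "-o") restricted = 1
            if (!restricted) print
        }'
}

# Count distinct rules that occur more than once (duplicates are harmless for
# NAT semantics but show the ruleset is being re-applied without flushing).
duplicate_rules() {
    printf '%s\n' "$1" | awk '
        /^-A / { seen[$0]++ }
        END { n = 0; for (r in seen) if (seen[r] > 1) n++; print n }'
}

# Emit the ruleset with "-o <dev>" inserted into each unrestricted rule, so the
# source rewrite only applies to packets actually leaving the public interface.
restrict_snat() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        /^-A POSTROUTING -j (MASQUERADE|SNAT)/ { sub(/-j/, "-o " dev " -j") }
        { print }'
}

# Usage on a live host (needs root): restrict_snat "$(iptables-save -t nat)" enp35s0
unrestricted_snat "$SAMPLE_NAT"
```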