My router connects to a remote VPS over a UDP-based so-called "VPN", and the VPS traffic slows down within seconds of a reboot.
I can see a huge number of incoming reply packets being dropped at this stage in mangle PREROUTING:
pkts bytes target prot opt in out source destination
327K 489M LOG_AND_DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
and in dmesg:
IN=ppp0 OUT= MAC= SRC=52.220.151.177 DST=10.17.175.251 LEN=1496 TOS=0x00 PREC=0x00 TTL=49 ID=0 PROTO=UDP SPT=4444 DPT=28317 LEN=1476
Just as an example, 52.220.151.177 is the VPS IP and 10.17.175.251 is my gateway IP.
But in the conntrack list I find that the UDP connection (pseudo-state) is already ASSURED:
udp 17 118 src=10.17.175.251 dst=52.220.151.177 sport=28317 dport=4444 src=52.220.151.177 dst=10.17.175.251 sport=4444 dport=28317 [ASSURED] mark=0 use=1
This is my iptables configuration:
*nat
:PREROUTING ACCEPT [-:-]
:INPUT ACCEPT [-:-]
:OUTPUT ACCEPT [-:-]
:POSTROUTING ACCEPT [-:-]
-A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [-:-]
:FORWARD DROP [-:-]
:OUTPUT ACCEPT [-:-]
-A INPUT -i ppp0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -i ppp0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
COMMIT
*mangle
:PREROUTING ACCEPT [-:-]
:INPUT ACCEPT [-:-]
:FORWARD ACCEPT [-:-]
:OUTPUT ACCEPT [-:-]
:POSTROUTING ACCEPT [-:-]
:TPROXY_MARK - [-:-]
:OUTPUT_MARK - [-:-]
:LOG_AND_DROP - [-:-]
-A LOG_AND_DROP -j LOG --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid
-A LOG_AND_DROP -j DROP
-A PREROUTING -i ppp0 -m conntrack --ctstate INVALID -j LOG_AND_DROP <---------HUGE AMOUNT OF HITS
-A PREROUTING ! -i ppp0 -j TPROXY_MARK
-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -o ppp0 ! -p icmp -j OUTPUT_MARK
-A TPROXY_MARK -m set --match-set whitelist dst -j RETURN
-A TPROXY_MARK -p udp -j TPROXY --on-port 1080 --on-ip 127.0.0.1 --tproxy-mark 0x1/0xffffffff
-A TPROXY_MARK -p tcp -j TPROXY --on-port 1080 --on-ip 127.0.0.1 --tproxy-mark 0x1/0xffffffff
-A OUTPUT_MARK -m set --match-set whitelist dst -j RETURN
-A OUTPUT_MARK -j MARK --set-xmark 0x1/0xffffffff
COMMIT
Any ideas?
I'd expect the ctstate of the incoming UDP packets to be valid, since the connection record exists in the conntrack list.
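The dropped packet and the conntrack entry from the question, compared against each other by a small Python script added here as an example; it is not part of the question or of any tool the question uses. The sample LOG and conntrack lines are copied from the post, the script assumes a 20-byte IPv4 header because the LOG line shows no OPT= field, and the sysctl and conntrack commands it points to are the stock netfilter ones. It confirms that the packet really is the reply direction of the ASSURED entry and that the length fields are sane, so the INVALID verdict is not a failed lookup but one of the UDP tracker's own sanity checks, which run at conntrack's hook priority (-200) before the mangle PREROUTING rule (-150) ever sees the packet:

```python
import re

# Constructed sample input: the dmesg LOG line and the conntrack entry in the
# shape they appear in the question (addresses/ports copied from there; this
# script captures nothing itself).
LOG_LINE = ("IN=ppp0 OUT= MAC= SRC=52.220.151.177 DST=10.17.175.251 LEN=1496 TOS=0x00 "
            "PREC=0x00 TTL=49 ID=0 PROTO=UDP SPT=4444 DPT=28317 LEN=1476")
CT_LINE = ("udp 17 118 src=10.17.175.251 dst=52.220.151.177 sport=28317 dport=4444 "
           "src=52.220.151.177 dst=10.17.175.251 sport=4444 dport=28317 [ASSURED] mark=0 use=1")

IPV4_HEADER_MIN = 20  # assumption: no OPT= in the LOG line, so a 20-byte IPv4 header

# Sanity checks the kernel's UDP tracker applies in PREROUTING even when the
# 5-tuple already has an entry, each with the command that confirms it.
UDP_TRACKER_CHECKS = [
    ("bad UDP checksum (rejected while net.netfilter.nf_conntrack_checksum=1)",
     "sysctl net.netfilter.nf_conntrack_checksum"),
    ("UDP header short, or UDP length larger than the remaining IP payload",
     "sysctl -w net.netfilter.nf_conntrack_log_invalid=17   # kernel then logs the reason in dmesg"),
    ("conntrack's own invalid counter climbing in step with the LOG_AND_DROP counter",
     "conntrack -S   # invalid= column, per CPU"),
]

_TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_log_line(line):
    """Split a netfilter LOG line into a dict. LEN= is printed twice (IP total
    length first, then the UDP length), so the two values are kept in order."""
    fields, lengths = {}, []
    for tok in line.split():
        key, sep, val = tok.partition("=")
        if not sep:
            continue
        if key == "LEN":
            lengths.append(int(val))
        else:
            fields[key] = val
    fields["ip_len"] = lengths[0]
    fields["l4_len"] = lengths[1] if len(lengths) > 1 else None
    return fields


def parse_conntrack_line(line):
    """Return proto, timeout, ASSURED flag and the two tuples of a `conntrack -L`
    entry: the first tuple is the original direction, the second the reply."""
    parts = line.split()
    tuples = [(src, dst, int(sp), int(dp)) for src, dst, sp, dp in _TUPLE_RE.findall(line)]
    if len(tuples) != 2:
        raise ValueError("expected an original and a reply tuple in the conntrack entry")
    return {"proto": parts[0], "timeout": int(parts[2]),
            "assured": "[ASSURED]" in line, "orig": tuples[0], "reply": tuples[1]}


def check_packet(log_line, ct_line):
    """Compare a dropped packet with the conntrack entry it should belong to and
    list what is left to investigate. Returns a dict of findings."""
    log, ct = parse_log_line(log_line), parse_conntrack_line(ct_line)
    pkt = (log["SRC"], log["DST"], int(log["SPT"]), int(log["DPT"]))
    result = {
        "proto_matches": log["PROTO"].lower() == ct["proto"],
        "matches_reply_tuple": pkt == ct["reply"],
        "matches_orig_tuple": pkt == ct["orig"],
        "lengths_consistent": log["l4_len"] is not None
                              and log["ip_len"] - IPV4_HEADER_MIN == log["l4_len"],
        "entry_assured": ct["assured"],
    }
    causes = []
    if not (result["matches_reply_tuple"] or result["matches_orig_tuple"]):
        causes.append("5-tuple is not in this entry: the packet belongs to another flow")
    if not result["lengths_consistent"]:
        causes.append("UDP length does not fit the IP total length: truncated datagram")
    if not causes:
        # Tuple and lengths are fine, so the lookup did not fail. Conntrack ran at
        # hook priority -200, before mangle PREROUTING (-150); what remains are the
        # UDP tracker's own checks, which strip the entry and leave the packet INVALID.
        causes = [f"{why}: run `{cmd}`" for why, cmd in UDP_TRACKER_CHECKS]
    result["next_steps"] = causes
    return result


if __name__ == "__main__":
    for key, val in check_packet(LOG_LINE, CT_LINE).items():
        print(f"{key}: {val}")
```

Paste a fresh LOG line and conntrack entry into LOG_LINE and CT_LINE to rerun the check on another dropped packet. Setting net.netfilter.nf_conntrack_log_invalid=17 is the quickest way to get the kernel itself to say which check failed; remember to set it back to 0 afterwards, since it logs every invalid UDP packet.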