没有人监听端口,但有东西接受连接

tag-icon tag-icon port tcp tcpdump lsof
没有人监听端口,但有东西接受连接

首先这里是一些背景信息,尽管它可能与问题无关。

我正在学习 Kubernetes,并设置了一个集群,pi-hole 在其中作为服务运行。我可以从 LAN 上另一台计算机上运行的浏览器访问管理控制台。

以下是服务内容:

$ sudo kubectl get services --all-namespaces -o wide
NAMESPACE     NAME             TYPE           CLUSTER-IP      EXTERNAL-IP                                 PORT(S)                      AGE   SELECTOR
default       kubernetes       ClusterIP      10.43.0.1       <none>                                      443/TCP                      70m   <none>
kube-system   kube-dns         ClusterIP      10.43.0.10      <none>                                      53/UDP,53/TCP,9153/TCP       70m   k8s-app=kube-dns
kube-system   metrics-server   ClusterIP      10.43.78.148    <none>                                      443/TCP                      69m   k8s-app=metrics-server
pihole        pihole-dhcp      NodePort       10.43.41.144    <none>                                      67:31097/UDP                 69m   app=pihole,release=pihole
pihole        pihole-dns-tcp   LoadBalancer   10.43.36.226    192.168.1.129,192.168.1.146,192.168.1.148   53:31213/TCP                 69m   app=pihole,release=pihole
pihole        pihole-dns-udp   LoadBalancer   10.43.191.104   192.168.1.129,192.168.1.146,192.168.1.148   53:31078/UDP                 69m   app=pihole,release=pihole
pihole        pihole-web       LoadBalancer   10.43.63.236    192.168.1.129,192.168.1.146,192.168.1.148   80:30081/TCP,443:31214/TCP   69m   app=pihole,release=pihole
kube-system   traefik          LoadBalancer   10.43.122.130   <pending>                                   80:30146/TCP,443:32021/TCP   68m   app.kubernetes.io/instance=traefik,app.kubernetes.io/name=traefik

谜底就在这里——谁在监听 80 端口?正如我之前提到的,我可以从浏览器或 curl 建立与 pi-hole 的连接:

$ curl http://192.168.1.129
    <!doctype html>
    <html lang='en'>

HTML lines omitted...

    </html>

然而,以下命令是从 192.168.1.129 执行的:


$ sudo lsof -i :80
$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether e4:5f:01:b8:fc:6f brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.129/24 brd 192.168.1.255 scope global dynamic noprefixroute eth0
       valid_lft 43882sec preferred_lft 33082sec
    inet6 2603:8001:8e00:1ca9:37e7:e1f8:8ea9:571b/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 464540sec preferred_lft 464540sec
    inet6 fe80::aba5:f484:5575:9864/64 scope link
       valid_lft forever preferred_lft forever

Many other Kubernetes interface omitted...

netstat 和 ss 也没有显示任何正在监听该端口的人。但是,如果我在从浏览器连接到服务器时运行 tcpdump,我可以使用 tcpdump 查看端口上的流量。

我错过了什么?

答案1

在 Daniel B. 给我指明了正确的方向后,我所要做的就是遵守防火墙规则。我找到了这个详细的解释https://www.stackrox.io/blog/kubernetes-networking-demystified/ 如何做到这一点。我只需要用等效的 nft 命令替换 iptables 命令,因为前者在我的系统上不起作用。

我从使用浏览器访问的服务器 192.168.1.129 和端口 80 开始:

$ sudo nft -n list chain nat KUBE-SERVICES|grep "192.168.1.129.*[^0-9]80[^0-9]"
                meta l4proto 6 ip daddr 192.168.1.129  tcp dport 80 counter packets 3 bytes 156 jump KUBE-FW-ZVTMEM247U444IPT

然后我只需遵循链式规则:

$ sudo nft -n list chain nat KUBE-FW-ZVTMEM247U444IPT
table ip nat {
        chain KUBE-FW-ZVTMEM247U444IPT {
                 counter packets 3 bytes 156 jump KUBE-XLB-ZVTMEM247U444IPT
                 counter packets 0 bytes 0 jump KUBE-MARK-DROP
                 counter packets 0 bytes 0 jump KUBE-XLB-ZVTMEM247U444IPT
                 counter packets 0 bytes 0 jump KUBE-MARK-DROP
                 counter packets 0 bytes 0 jump KUBE-XLB-ZVTMEM247U444IPT
                 counter packets 0 bytes 0 jump KUBE-MARK-DROP
        }
}
$ sudo nft -n list chain nat KUBE-XLB-ZVTMEM247U444IPT
table ip nat {
        chain KUBE-XLB-ZVTMEM247U444IPT {
                ip saddr 10.42.0.0/16  counter packets 0 bytes 0 jump KUBE-SVC-ZVTMEM247U444IPT
                 fib saddr type local counter packets 0 bytes 0 jump KUBE-MARK-MASQ
                 fib saddr type local counter packets 0 bytes 0 jump KUBE-SVC-ZVTMEM247U444IPT
                 counter packets 3 bytes 156 jump KUBE-SEP-PXNUQBE4P5SOTECD
        }
}
$ sudo nft -n list chain nat KUBE-SVC-ZVTMEM247U444IPT
table ip nat {
        chain KUBE-SVC-ZVTMEM247U444IPT {
                meta l4proto 6 ip saddr != 10.42.0.0/16 ip daddr 10.43.29.63  tcp dport 80 counter packets 0 bytes 0 jump KUBE-MARK-MASQ
                 counter packets 0 bytes 0 jump KUBE-SEP-PXNUQBE4P5SOTECD
        }
}

最后一个命令输出一个熟悉的 IP 地址——这是我的服务运行的地方:

$ sudo kubectl get services --all-namespaces
NAMESPACE     NAME             TYPE           CLUSTER-IP      EXTERNAL-IP                                 PORT(S)                      AGE
default       kubernetes       ClusterIP      10.43.0.1       <none>                                      443/TCP                      104m
kube-system   kube-dns         ClusterIP      10.43.0.10      <none>                                      53/UDP,53/TCP,9153/TCP       104m
kube-system   metrics-server   ClusterIP      10.43.8.179     <none>                                      443/TCP                      104m
pihole        pihole-dhcp      NodePort       10.43.156.246   <none>                                      67:31575/UDP                 84m
pihole        pihole-dns-udp   LoadBalancer   10.43.167.163   192.168.1.129,192.168.1.146,192.168.1.148   53:31671/UDP                 84m
pihole        pihole-dns-tcp   LoadBalancer   10.43.219.243   192.168.1.129,192.168.1.146,192.168.1.148   53:30437/TCP                 84m
pihole        pihole-web       LoadBalancer   10.43.29.63     192.168.1.129,192.168.1.146,192.168.1.148   80:32526/TCP,443:30932/TCP   84m

相关内容