I have a Linux router (Debian 6.x) and I forward some ports to internal services. Some TCP ports (such as 80, 22, ...) work fine.
I have an application listening on port 54277/udp. This application does not return anything; I only receive data on this port.
Router:
cat /proc/sys/net/ipv4/conf/all/rp_filter = 1
cat /proc/sys/net/ipv4/conf/eth0/forwarding = 1
cat /proc/sys/net/ipv4/conf/ppp0/forwarding = 1
$IPTABLES -t nat -I PREROUTING -p udp -i ppp0 --dport 54277 -j DNAT --to-destination $SRV_IP:54277
$IPTABLES -I FORWARD -p udp -d $SRV_IP --dport 54277 -j ACCEPT
Also, masquerading of internal traffic out to ppp0 (the internet) is active and works fine.
The default policy for INPUT, OUTPUT and FORWARD is DROP.
The strange thing is that when I run:
tcpdump -p -vvvv -i ppp0 port 54277
I get a lot of traffic:
18:35:43.646133 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 57)
source.ip > own.external.ip..54277: [udp sum ok] UDP, length 29
18:35:43.652301 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 57)
source.ip > own.external.ip..54277: [udp sum ok] UDP, length 29
18:35:43.653324 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 57)
source.ip > own.external.ip..54277: [udp sum ok] UDP, length 29
18:35:43.655795 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 57)
source.ip > own.external.ip..54277: [udp sum ok] UDP, length 29
18:35:43.656727 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 57)
source.ip > own.external.ip..54277: [udp sum ok] UDP, length 29
18:35:43.659719 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 57)
source.ip > own.external.ip..54277: [udp sum ok] UDP, length 29
tcpdump -p -i eth0 port 54277
(on the same machine, the router) I get far less traffic.
Also, at the destination $SRV_IP only a few packets come in, but not all of them.
Internal server:
19:15:30.039663 IP source.ip.52394 > 192.168.215.4.54277: UDP, length 16
19:15:30.276112 IP source.ip.52394 > 192.168.215.4.54277: UDP, length 16
19:15:30.726048 IP source.ip.52394 > 192.168.215.4.54277: UDP, length 16
So are some UDP packets being "ignored/dropped"?
Any idea what the problem could be?
Edit:
This is strange: the FORWARD rule has packets, but the PREROUTING rule has 0 packets...
iptables -nvL -t filter |grep 54277
Chain FORWARD (policy DROP 0 packets, 0 bytes)
168 8401 ACCEPT udp -- * * 0.0.0.0/0 192.168.215.4 state NEW,RELATED,ESTABLISHED udp dpt:54277
iptables -nvL -t nat |grep 54277
Chain PREROUTING (policy ACCEPT 405 packets, 24360 bytes)
0 0 DNAT udp -- ppp0 * 0.0.0.0/0 my.external.ip udp dpt:54277 state NEW,RELATED,ESTABLISHED to:192.168.215.4
Edit 2:
Chain PREROUTING (policy ACCEPT 102K packets, 6148K bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- ppp0 * 0.0.0.0/0 external.ip udp dpt:54277 state NEW,RELATED,ESTABLISHED to:192.168.215.4
1191 71460 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 to:192.168.215.4
3119 187K DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.215.3
+some other tcp forward rules
Chain POSTROUTING (policy ACCEPT 4626 packets, 294K bytes)
pkts bytes target prot opt in out source destination
2343 145K MASQUERADE all -- * ppp0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 1529 packets, 111K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
574K 33M PSAD_BLOCK_INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
4511K 257M ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:54277
559 30745 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:17784
0 0 DROP all -- * * 192.168.215.30 0.0.0.0/0
16 3355 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:43 dpts:1024:65535 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:45000
1 40 DROP all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 match-set netdrop src
0 0 LOG all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 match-set netdrop src LOG flags 0 level 4 prefix `IPSET'
403 35523 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- ppp0 * 10.0.0.0/8 0.0.0.0/0
0 0 DROP all -- ppp0 * 172.16.0.0/16 0.0.0.0/0
0 0 DROP all -- ppp0 * 192.168.0.0/24 0.0.0.0/0
0 0 DROP all -- ppp0 * 224.0.0.0/4 0.0.0.0/0
0 0 DROP all -- ppp0 * 240.0.0.0/5 0.0.0.0/0
0 0 LOG tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW limit: avg 5/min burst 7 LOG flags 0 level 4 prefix `Drop-Syn'
0 0 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
0 0 LOG all -f ppp0 * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 7 LOG flags 0 level 4 prefix `Fragments-Packets'
0 0 DROP all -f ppp0 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
0 0 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
0 0 LOG tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00 limit: avg 5/min burst 7 LOG flags 0 level 4 prefix `NULL-Packets'
0 0 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
2 96 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 LOG tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03 limit: avg 5/min burst 7 LOG flags 0 level 4 prefix `XMAS-Packets'
0 0 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 LOG tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01 limit: avg 5/min burst 7 LOG flags 0 level 4 prefix `Fin-Packets-Scan'
0 0 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
0 0 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37
0 0 LOG all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 match-set ipdrop src LOG flags 0 level 4 prefix `IPSET:'
0 0 DROP all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 match-set ipdrop src
0 0 ACCEPT icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 icmp type 0 state RELATED,ESTABLISHED
1445 121K ACCEPT icmp -- eth0 * 192.168.215.0/24 192.168.215.254 icmp type 8 state NEW,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 192.168.215.0/24 192.168.215.254 tcp dpt:80 state NEW,ESTABLISHED
0 0 ACCEPT udp -- eth0 * 192.168.215.0/24 192.168.215.254 udp dpt:161 state NEW,ESTABLISHED
1479 94070 ACCEPT tcp -- eth0 * 192.168.215.0/24 192.168.215.254 tcp dpt:22 state NEW,ESTABLISHED
2220 265K ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:443 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:43 state RELATED,ESTABLISHED
21337 1229K ACCEPT all -- eth0 * 192.168.215.0/24 192.168.215.254
0 0 DROP udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:17500
1118 60931 DROP udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:3483
818 78992 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
1 343 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
69 4968 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:427
2 200 DROP icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:4321 state RELATED,ESTABLISHED
31820 1815K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `DROP'
31820 1815K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
38943 2546K PSAD_BLOCK_FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.215.3 tcp dpt:80
2790 471K ACCEPT tcp -- * * 0.0.0.0/0 192.168.215.4 tcp spt:22
89446 4359K ACCEPT udp -- * * 0.0.0.0/0 192.168.215.4 state NEW,RELATED,ESTABLISHED udp dpt:54277
122K 7500K ACCEPT all -- eth0 ppp0 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
123K 11M ACCEPT all -- ppp0 eth0 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:981 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:500 state NEW,RELATED,ESTABLISHED
0 0 DROP all -- ppp0 ppp0 0.0.0.0/0 0.0.0.0/0
3 120 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `DROP'
3 120 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
7684 919K PSAD_BLOCK_OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:54277
33594 2855K ACCEPT icmp -- * ppp0 own.ext.ip 0.0.0.0/0 icmp type 3
403 35523 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * ppp0 0.0.0.0/0 0.0.0.0/0 icmp type 8 state NEW,ESTABLISHED
1445 121K ACCEPT icmp -- * eth0 192.168.215.254 192.168.215.0/24 icmp type 0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * eth0 192.168.215.254 192.168.215.0/24 tcp spt:80 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * eth0 192.168.215.254 192.168.215.0/24 udp spt:161 state RELATED,ESTABLISHED
1904 789K ACCEPT tcp -- * eth0 192.168.215.254 192.168.215.0/24 tcp spt:22 state RELATED,ESTABLISHED
2780 174K ACCEPT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW,ESTABLISHED
0 0 ACCEPT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW,ESTABLISHED
0 0 ACCEPT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 state NEW,ESTABLISHED
16 896 ACCEPT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:43 state NEW,ESTABLISHED
53234 13M ACCEPT all -- * eth0 192.168.215.254 192.168.215.0/24
0 0 ACCEPT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:4321 state NEW,ESTABLISHED
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `DROP'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PSAD_BLOCK_FORWARD (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 121.30.234.78
0 0 DROP all -- * * 121.30.234.78 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 118.70.170.83
0 0 DROP all -- * * 118.70.170.83 0.0.0.0/0
Chain PSAD_BLOCK_INPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 121.30.234.78 0.0.0.0/0
0 0 DROP all -- * * 118.70.170.83 0.0.0.0/0
Chain PSAD_BLOCK_OUTPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 121.30.234.78
0 0 DROP all -- * * 0.0.0.0/0 118.70.170.83
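As an added example (not from the question or its author), a small Python script that parses `iptables -nvL` output like the listing above and reports, per table and chain, the counters of every rule that touches one port, so it is visible at a glance that traffic to 54277 is being accepted by INPUT (the router itself) and by FORWARD while the nat PREROUTING DNAT rule has never matched. The sample input copies the relevant lines from the question.

```python
"""Report where packets for one port are counted across iptables chains.

Parses `iptables -nvL` style output (pkts bytes target prot opt in out
source destination [match text]) and collects the packet counter of every
rule whose match text names the given port.
"""
import re

# Sample input: lines copied from the question's `iptables -nvL` output.
SAMPLE = {
    "nat": """\
Chain PREROUTING (policy ACCEPT 102K packets, 6148K bytes)
 pkts bytes target prot opt in out source destination
    0     0 DNAT udp -- ppp0 * 0.0.0.0/0 external.ip udp dpt:54277 state NEW,RELATED,ESTABLISHED to:192.168.215.4
 1191 71460 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 to:192.168.215.4
""",
    "filter": """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
4511K 257M ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:54277
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
89446 4359K ACCEPT udp -- * * 0.0.0.0/0 192.168.215.4 state NEW,RELATED,ESTABLISHED udp dpt:54277
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:54277
""",
}

SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}

def parse_count(tok):
    """`iptables -nvL` abbreviates large counters as 4511K, 257M, ..."""
    return int(float(tok[:-1]) * SUFFIX[tok[-1]]) if tok[-1] in SUFFIX else int(tok)

def port_hits(listing, port):
    """Map (chain, target, 'dpt'|'spt') -> pkts for rules matching `port`."""
    hits, chain = {}, None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]          # new chain header
            continue
        m = re.search(r"\b(dpt|spt):(\d+)\b", line)
        if not m or int(m.group(2)) != port:
            continue                          # header line or other port
        pkts, _bytes, target = line.split()[:3]
        hits[(chain, target, m.group(1))] = parse_count(pkts)
    return hits

def where_does_port_go(tables, port):
    """Merge hits over all tables; also list DNAT rules that never matched."""
    report = {}
    for table, listing in tables.items():
        for (chain, target, kind), pkts in port_hits(listing, port).items():
            report[f"{table}/{chain}/{target}/{kind}"] = pkts
    unused_dnat = [k for k, v in report.items() if "/DNAT/" in k and v == 0]
    return report, unused_dnat

if __name__ == "__main__":
    rep, unused = where_does_port_go(SAMPLE, 54277)
    for k, v in rep.items():
        print(f"{k:40} {v:>12}")
    print("DNAT rules with zero hits:", unused)
```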