我有一个这样的网络拓扑图:
Local box GateWay box
+---------------+ +--------------------------+
|192.168.1.200 | -> |192.168.1.2 10.2.10.2 |
+---------------+ +--------------------------+
|
|GRE tunnel over pppoe
|
v
+----------------+ +--------------------------+
| The Internet | <-- |54.179.141.101 10.2.10.1 |
+----------------+ +--------------------------+
Remote "proxy" box
并且gateway box
ppoe 的 mtu 为 1468,隧道(gre 隧道)也是如此tun0
。问题是,当它是纯 http 请求时,一切正常。但是当涉及到 https 时,一些网站(如https://www.gravatar.com/avatar/8bd68135185d99a58252795422d21bb9?s=24&d=identicon&r=PG。无法建立 https 连接。使用 curl 的输出卡在此:
curl -v "https://www.gravatar.com/avatar/8bd68135185d99a58252795422d21bb9?s=24&d=identicon&r=PG"
* Hostname was NOT found in DNS cache
* Trying 68.232.44.121...
* Connected to www.gravatar.com (68.232.44.121) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
它卡在那里只等待超时。但我可以在 上成功执行相同的请求Remote "proxy" box
。所以我假设 gre 隧道有问题(或者我编写的 iptable 规则有问题?)
因此我使用 wireshark 捕获包GateWay box
,结果是:
它表明 SSL 握手过程中缺少一段。
有关更多信息,iptables 规则如下:
在网关盒上
*nat
:PREROUTING ACCEPT [61416:4763478]
:INPUT ACCEPT [19674:1619565]
:OUTPUT ACCEPT [18416:1183854]
:POSTROUTING ACCEPT [3:144]
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE #<- this is a gre tunnel and the route for this request
-A POSTROUTING -o tun1 -j MASQUERADE
在代理框上
*nat
:PREROUTING ACCEPT [3997:794751]
:INPUT ACCEPT [297:43841]
:OUTPUT ACCEPT [612:44944]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
我在 Google 上搜索了一下,有人说这可能与 MTU 有关,但我该如何进一步诊断这个问题呢?
答案1
这是一个 MTU 问题,此 iptable 规则(在网关盒上)使其工作:
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu