I ran into a strange interaction between a CISCO firewall and a Docker host connected to it: the CISCO periodically flags my host as a SYN attacker and shuts down my Ethernet port.
I have been running tcpdump on the host filtering for SYN packets; here is an example of the pattern I am seeing:
20:45:53.863232 In 00:0c:29:67:9f:5b ethertype IPv4 (0x0800), length 76: 172.16.23.92.34272 > 172.16.23.102.3314: Flags [S], seq 2717143176, win 29200, options [mss 1460,sackOK,TS val 670292160 ecr 0,nop,wscale 7], length 0
20:45:53.863268 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.34272 > 172.17.0.8.3306: Flags [S], seq 2717143176, win 29200, options [mss 1460,sackOK,TS val 670292160 ecr 0,nop,wscale 7], length 0
20:45:53.863272 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.34272 > 172.17.0.8.3306: Flags [S], seq 2717143176, win 29200, options [mss 1460,sackOK,TS val 670292160 ecr 0,nop,wscale 7], length 0
20:45:53.863306 P 02:42:ac:11:00:08 ethertype IPv4 (0x0800), length 76: 172.17.0.8.3306 > 172.16.23.92.34272: Flags [S.], seq 1254244044, ack 2717143177, win 28960, options [mss 1460,sackOK,TS val 679018433 ecr 670292160,nop,wscale 7], length 0
20:45:53.863306 In 02:42:ac:11:00:08 ethertype IPv4 (0x0800), length 76: 172.17.0.8.3306 > 172.16.23.92.34272: Flags [S.], seq 1254244044, ack 2717143177, win 28960, options [mss 1460,sackOK,TS val 679018433 ecr 670292160,nop,wscale 7], length 0
The log shows that this is an isolated burst: the packet before it is from more than 2 hours earlier, and the one after it from more than 10 hours later.
The Docker host is 172.16.23.102, and another server (let's call it foo) has IP 172.16.23.92. The container running mysql is at IP 172.17.0.8 on the Docker private network; let's call it mysql.
Now, if I'm reading this dump correctly:
- Foo initiates a connection to docker:3314, which is a port exposed by Docker
- Docker forwards the packet to mysql on the bridge port (the very same packet: same seq, flags, etc.)
- Docker forwards the packet again, for no reason
- Mysql replies twice with the correct SYN-ACK
Now, the first communication logged this morning with the same tcpdump command is this monster:
09:13:45.034399 In 00:0c:29:67:9f:5b ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.16.23.102.3314: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034447 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034452 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034455 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034457 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034459 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034461 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034463 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034464 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034466 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034468 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034470 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034472 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034475 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034476 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034478 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034480 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034482 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034484 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034487 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034489 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034491 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034492 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034525 P 02:42:ac:11:00:08 ethertype IPv4 (0x0800), length 76: 172.17.0.8.3306 > 172.16.23.92.46089: Flags [S.], seq 1752355157, ack 4075356405, win 28960, options [mss 1460,sackOK,TS val 690236226 ecr 681509960,nop,wscale 7], length 0
09:13:45.034525 In 02:42:ac:11:00:08 ethertype IPv4 (0x0800), length 76: 172.17.0.8.3306 > 172.16.23.92.46089: Flags [S.], seq 1752355157, ack 4075356405, win 28960, options [mss 1460,sackOK,TS val 690236226 ecr 681509960,nop,wscale 7], length 0
09:13:45.034540 Out ec:79:01:bd:22:49 ethertype IPv4 (0x0800), length 76: 172.16.23.102.3314 > 172.16.23.92.46089: Flags [S.], seq 1752355157, ack 4075356405, win 28960, options [mss 1460,sackOK,TS val 690236226 ecr 681509960,nop,wscale 7], length 0
This time the packet is forwarded many times, the mysql container replies only twice, and this time the SYN-ACK also goes out of interface eth0. That didn't happen in the previous dump, and I guess in that case the connection failed.
Why does docker forward the packet multiple times, and how can I fix it?
Adding some information that may be useful for the question.
The relevant lines from the Docker host's ARP cache:
172.16.23.92 ether 00:0c:29:67:9f:5b C eth0
172.17.0.8 ether 02:42:ac:11:00:08 C docker0
ifconfig for the docker bridge interface:
docker0 Link encap:Ethernet HWaddr 02:42:ed:33:9c:27
inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.0.0
eth0 Link encap:Ethernet HWaddr ec:79:01:bd:22:49
inet addr:172.16.23.102 Bcast:172.16.23.255 Mask:255.255.248.0
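To make the pattern in the two captures measurable rather than eyeballed, here is a small parser for the `tcpdump -e`-style lines shown above. It is an added example, not code from the poster; it assumes the line layout seen in the post (timestamp, In/Out/P direction marker, sender MAC, IPv4 5-tuple, flags, seq) and counts how many identical SYN frames (same direction, MAC, addresses and initial sequence number) left the host on the bridge for each handshake. That count is what an upstream device's SYN-rate counter sees as separate connection attempts, so it is the number worth tracking when deciding whether a host is really flooding or whether frames are being replicated on the way out. The first capture is quoted from the post; the second is a constructed excerpt that keeps 4 of the 22 forwarded copies.

```python
import re
from collections import Counter, defaultdict

# One line of `tcpdump -e` output as shown in the post (assumed format):
# timestamp, direction marker (In/Out/P), source MAC, IPv4 5-tuple, TCP flags, seq.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>In|Out|P) (?P<mac>[0-9a-f:]{17}) ethertype IPv4 \(0x0800\), "
    r"length \d+: (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\], seq (?P<seq>\d+)"
)

# Capture 1, quoted from the post: one SYN in, two identical copies out, two SYN-ACK lines.
FIRST_CAPTURE = """
20:45:53.863232 In 00:0c:29:67:9f:5b ethertype IPv4 (0x0800), length 76: 172.16.23.92.34272 > 172.16.23.102.3314: Flags [S], seq 2717143176, win 29200, options [mss 1460,sackOK,TS val 670292160 ecr 0,nop,wscale 7], length 0
20:45:53.863268 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.34272 > 172.17.0.8.3306: Flags [S], seq 2717143176, win 29200, options [mss 1460,sackOK,TS val 670292160 ecr 0,nop,wscale 7], length 0
20:45:53.863272 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.34272 > 172.17.0.8.3306: Flags [S], seq 2717143176, win 29200, options [mss 1460,sackOK,TS val 670292160 ecr 0,nop,wscale 7], length 0
20:45:53.863306 P 02:42:ac:11:00:08 ethertype IPv4 (0x0800), length 76: 172.17.0.8.3306 > 172.16.23.92.34272: Flags [S.], seq 1254244044, ack 2717143177, win 28960, options [mss 1460,sackOK,TS val 679018433 ecr 670292160,nop,wscale 7], length 0
20:45:53.863306 In 02:42:ac:11:00:08 ethertype IPv4 (0x0800), length 76: 172.17.0.8.3306 > 172.16.23.92.34272: Flags [S.], seq 1254244044, ack 2717143177, win 28960, options [mss 1460,sackOK,TS val 679018433 ecr 670292160,nop,wscale 7], length 0
""".strip().splitlines()

# Capture 2, constructed excerpt of the post's second dump: only 4 of the 22 "Out" copies kept.
SECOND_EXCERPT = """
09:13:45.034399 In 00:0c:29:67:9f:5b ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.16.23.102.3314: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034447 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034452 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034455 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034457 Out 02:42:ed:33:9c:27 ethertype IPv4 (0x0800), length 76: 172.16.23.92.46089 > 172.17.0.8.3306: Flags [S], seq 4075356404, win 29200, options [mss 1460,sackOK,TS val 681509960 ecr 0,nop,wscale 7], length 0
09:13:45.034525 P 02:42:ac:11:00:08 ethertype IPv4 (0x0800), length 76: 172.17.0.8.3306 > 172.16.23.92.46089: Flags [S.], seq 1752355157, ack 4075356405, win 28960, options [mss 1460,sackOK,TS val 690236226 ecr 681509960,nop,wscale 7], length 0
09:13:45.034525 In 02:42:ac:11:00:08 ethertype IPv4 (0x0800), length 76: 172.17.0.8.3306 > 172.16.23.92.46089: Flags [S.], seq 1752355157, ack 4075356405, win 28960, options [mss 1460,sackOK,TS val 690236226 ecr 681509960,nop,wscale 7], length 0
09:13:45.034540 Out ec:79:01:bd:22:49 ethertype IPv4 (0x0800), length 76: 172.16.23.102.3314 > 172.16.23.92.46089: Flags [S.], seq 1752355157, ack 4075356405, win 28960, options [mss 1460,sackOK,TS val 690236226 ecr 681509960,nop,wscale 7], length 0
""".strip().splitlines()


def parse_line(line):
    """Parse one tcpdump line into a dict, or return None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    for k in ("sport", "dport", "seq"):
        pkt[k] = int(pkt[k])
    return pkt


def syn_copies(lines):
    """Count identical pure-SYN frames: same direction, sender MAC, 5-tuple and ISN.
    A normal NAT/bridge path yields exactly one copy per (direction, MAC)."""
    counts = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["flags"] != "S":
            continue
        key = (pkt["dir"], pkt["mac"],
               f"{pkt['src']}:{pkt['sport']}", f"{pkt['dst']}:{pkt['dport']}", pkt["seq"])
        counts[key] += 1
    return counts


def duplicated_syns(lines):
    """Only the SYN keys seen more than once: replicated frames that a SYN-rate
    counter upstream would tally as separate connection attempts."""
    return {k: n for k, n in syn_copies(lines).items() if n > 1}


def handshake_summary(lines):
    """Per client socket, how many frames of each flags/direction were seen.
    SYN lines are keyed by their source, SYN-ACK lines by their destination,
    so both halves of one handshake land under the same client key."""
    summary = defaultdict(Counter)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["flags"] not in ("S", "S."):
            continue
        if pkt["flags"] == "S":
            client = f"{pkt['src']}:{pkt['sport']}"
        else:
            client = f"{pkt['dst']}:{pkt['dport']}"
        summary[client][f"{pkt['flags']}/{pkt['dir']}"] += 1
    return {c: dict(v) for c, v in summary.items()}


if __name__ == "__main__":
    for name, cap in (("first capture", FIRST_CAPTURE), ("second excerpt", SECOND_EXCERPT)):
        print(name, handshake_summary(cap))
        for key, n in duplicated_syns(cap).items():
            print(f"  {n}x identical SYN: dir={key[0]} via {key[1]} {key[2]} -> {key[3]} seq={key[4]}")
```

Run against a longer capture, a ratio of forwarded SYN copies to ingress SYNs that stays well above 1 for the same ISN is the signature to look for; genuine SYN floods show many different ISNs and source ports, not one ISN replicated on the bridge.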