Incoming packets never reach the iptables INPUT chain

I am running a VPN client inside a docker container. I am trying to connect from the host to a web server running inside the docker container on port 8080. When I try to connect I see the incoming packets on port 8080 via tcpdump, but the web server never sees them. I have added iptables "-j LOG" rules for every possible state transition of the packet to try to trace it. I see the packet at:

  • table 'raw', chain PREROUTING
  • table 'mangle', chain PREROUTING
  • table 'nat', chain PREROUTING

And then... nothing. After a short delay the packet is resent and I see the new packet go through PREROUTING. Nothing shows up on the mangle INPUT or mangle FORWARD chains, which as far as I know is impossible: it has to hit one of them. Is there any way for a packet to pass PREROUTING but hit neither INPUT nor FORWARD? My iptables are as follows:

root@87ff7ad8e4f9:/# iptables -t raw -L 
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
NFLOG      tcp  --  anywhere             anywhere             tcp spt:http-alt nflog-prefix  "raw pre-route Src incoming packet"
NFLOG      tcp  --  anywhere             anywhere             tcp dpt:http-alt nflog-prefix  "raw pre-route Dest incoming packet"

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
NFLOG      tcp  --  anywhere             anywhere             tcp dpt:http-alt nflog-prefix  "Dest outgoing packet"
NFLOG      tcp  --  anywhere             anywhere             tcp spt:http-alt nflog-prefix  "Src outgoing packet"
root@87ff7ad8e4f9:/# iptables -t mangle -L 
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
NFLOG      tcp  --  anywhere             anywhere             tcp dpt:http-alt nflog-prefix  "mangle PREROUTING Dest incoming packet"

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
NFLOG      all  --  anywhere             anywhere             nflog-prefix  "mangle INPUT Dest incoming packet any2"

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
NFLOG      all  --  anywhere             anywhere             nflog-prefix  "mangle FORWARD Dest incoming packet any"

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
MARK       tcp  --  anywhere             anywhere             tcp spt:http-alt MARK set 0x1
MARK       tcp  --  anywhere             anywhere             tcp dpt:http-alt MARK set 0x1
NFLOG      tcp  --  anywhere             anywhere             tcp spt:http-alt nflog-prefix  "MARK set 0x1"
NFLOG      tcp  --  anywhere             anywhere             tcp dpt:http-alt nflog-prefix  "Dest MARK set 0x1"

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
root@87ff7ad8e4f9:/# iptables -t nat -L 
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
NFLOG      tcp  --  anywhere             anywhere             tcp dpt:http-alt nflog-prefix  "nat PREROUTING Dest incoming packet"

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
NFLOG      tcp  --  anywhere             anywhere             tcp dpt:http-alt nflog-prefix  "nat INPUT Dest incoming packet"

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
root@87ff7ad8e4f9:/# iptables -t filter -L 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
NFLOG      tcp  --  anywhere             anywhere             nflog-prefix  "connection made"
NFLOG      tcp  --  anywhere             anywhere             tcp dpt:http-alt nflog-prefix  "filter INPUT Dest incoming packet"

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             172.17.0.0/16       
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             owner GID match vpn
ACCEPT     udp  --  anywhere             anywhere             owner GID match vpn
DROP       all  --  anywhere             anywhere            

My syslog shows:

Oct  4 07:22:56 87ff7ad8e4f9 raw pre-route Dest incoming packet IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:2e:2c:fd:2e:08:00 SRC=76.167.254.196 DST=172.17.0.2 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=39119 DF PROTO=TCP SPT=46644 DPT=8080 SEQ=4027056663 ACK=0 WINDOW=29200 SYN URGP=0 MARK=0 
Oct  4 07:22:56 87ff7ad8e4f9 mangle PREROUTING Dest incoming packet IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:2e:2c:fd:2e:08:00 SRC=76.167.254.196 DST=172.17.0.2 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=39119 DF PROTO=TCP SPT=46644 DPT=8080 SEQ=4027056663 ACK=0 WINDOW=29200 SYN URGP=0 MARK=0 
Oct  4 07:22:56 87ff7ad8e4f9 nat PREROUTING Dest incoming packet IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:2e:2c:fd:2e:08:00 SRC=76.167.254.196 DST=172.17.0.2 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=39119 DF PROTO=TCP SPT=46644 DPT=8080 SEQ=4027056663 ACK=0 WINDOW=29200 SYN URGP=0 MARK=0 
Oct  4 07:22:57 87ff7ad8e4f9 raw pre-route Dest incoming packet IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:2e:2c:fd:2e:08:00 SRC=76.167.254.196 DST=172.17.0.2 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=39120 DF PROTO=TCP SPT=46644 DPT=8080 SEQ=4027056663 ACK=0 WINDOW=29200 SYN URGP=0 MARK=0 
Oct  4 07:22:57 87ff7ad8e4f9 mangle PREROUTING Dest incoming packet IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:2e:2c:fd:2e:08:00 SRC=76.167.254.196 DST=172.17.0.2 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=39120 DF PROTO=TCP SPT=46644 DPT=8080 SEQ=4027056663 ACK=0 WINDOW=29200 SYN URGP=0 MARK=0 
Oct  4 07:22:57 87ff7ad8e4f9 nat PREROUTING Dest incoming packet IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:2e:2c:fd:2e:08:00 SRC=76.167.254.196 DST=172.17.0.2 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=39120 DF PROTO=TCP SPT=46644 DPT=8080 SEQ=4027056663 ACK=0 WINDOW=29200 SYN URGP=0 MARK=0 

Answer 1

I think I get it. What sits between PREROUTING and INPUT/FORWARD? Look at the diagram: the routing decision.

From your log: SRC=76.167.254.196 DST=172.17.0.2. Without DNAT you cannot route a public IP address to a private IP address. Try adding the following:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 172.17.0.2

Or you could set up the VPN to have a private IP.

Answer 2

I don't fully understand why, but the reverse path filter is what was causing the packets to be dropped. Turning it off with the following command solved my problem: sysctl -w net.ipv4.conf.eth0.rp_filter=0
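The reverse path filter that Answer 2 identifies runs inside the routing decision, after the PREROUTING hooks and before the INPUT/FORWARD hooks, which is exactly the gap the question describes. The following shell script is an added example, not code from the thread: it reproduces the accept/drop decision rp_filter makes for the strict (1), loose (2) and off (0) modes, shows that the kernel applies the larger of net.ipv4.conf.all.rp_filter and the per-interface value (so changing only eth0 may not be enough), and reads the kernel's IPReversePathFilter drop counter, which is the check to run before disabling the filter. The interface names (eth0 as ingress, tun0 as the VPN's default route) and the counter value in the constructed /proc/net/netstat excerpt are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original thread. Interface names (eth0,
# tun0) and the counter value in the sample file are assumptions.

# rpf_verdict MODE IN_IFACE ROUTE_IFACE
#   MODE        net.ipv4.conf.<iface>.rp_filter: 0, 1 or 2
#   IN_IFACE    interface the packet arrived on
#   ROUTE_IFACE interface the routing table would use to reach the packet's
#               SOURCE address; pass "" when there is no route at all
# Prints "accept" or "drop" following Documentation/networking/ip-sysctl.rst:
#   0 = no validation
#   1 = strict: the source must route back out of the ingress interface
#   2 = loose:  the source must be reachable through some interface
rpf_verdict() {
    mode=$1; in_if=$2; route_if=$3
    case "$mode" in
        0) echo accept ;;
        1) if [ -n "$route_if" ] && [ "$route_if" = "$in_if" ]; then echo accept; else echo drop; fi ;;
        2) if [ -n "$route_if" ]; then echo accept; else echo drop; fi ;;
        *) echo "unknown rp_filter mode: $mode" >&2; return 1 ;;
    esac
}

# effective_rpf_mode ALL PER_IFACE
# The kernel uses max(conf.all.rp_filter, conf.<iface>.rp_filter), so
# "sysctl -w net.ipv4.conf.eth0.rp_filter=0" changes nothing while
# net.ipv4.conf.all.rp_filter is still 1.
effective_rpf_mode() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# rpf_drops NETSTAT_FILE
# Reads the IPReversePathFilter counter from a file in /proc/net/netstat
# layout (a "TcpExt:" header line followed by a "TcpExt:" value line).
# "nstat -az TcpExtIPReversePathFilter" reports the same counter; if it climbs
# with every retransmitted SYN, rp_filter is why the packet never reaches
# INPUT or FORWARD.
rpf_drops() {
    awk '
        $1 == "TcpExt:" && !hdr { for (i = 2; i <= NF; i++) if ($i == "IPReversePathFilter") col = i; hdr = 1; next }
        $1 == "TcpExt:" && hdr && col { print $col; exit }
    ' "$1"
}

# sample_netstat: writes a constructed /proc/net/netstat excerpt (the real file
# has far more columns; the value 17 is invented) and prints its path.
sample_netstat() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
TcpExt: SyncookiesSent SyncookiesRecv IPReversePathFilter TCPSynRetrans
TcpExt: 0 0 17 3
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
EOF
    echo "$f"
}

# live_rpf_check SRC IN_IFACE
# The same decision against the running system: which interface a reply to
# SRC would leave on according to "ip route get", combined with the effective
# rp_filter mode of IN_IFACE. Only an approximation when policy routing keyed
# on fwmark or source address is in play, as it often is with VPN clients.
live_rpf_check() {
    src=$1; in_if=$2
    route_if=$(ip -o route get "$src" 2>/dev/null | sed -n 's/.* dev \([^ ]*\).*/\1/p')
    mode=$(effective_rpf_mode "$(sysctl -n net.ipv4.conf.all.rp_filter)" \
                              "$(sysctl -n "net.ipv4.conf.$in_if.rp_filter")")
    echo "src=$src in=$in_if route_via=${route_if:-none} rp_filter=$mode -> $(rpf_verdict "$mode" "$in_if" "$route_if")"
}

# The situation from the question: the SYN from 76.167.254.196 arrives on eth0,
# but with the VPN client up the default route points at the tunnel (assumed
# tun0), so strict mode fails the check and the packet is dropped before
# INPUT/FORWARD. Loose mode accepts it while still dropping sources with no
# route at all, so it is a smaller change than rp_filter=0.
echo "strict, default route via tun0: $(rpf_verdict 1 eth0 tun0)"        # drop
echo "loose,  default route via tun0: $(rpf_verdict 2 eth0 tun0)"        # accept
echo "loose,  no route to source:     $(rpf_verdict 2 eth0 '')"          # drop
echo "effective mode with all=1, eth0=0: $(effective_rpf_mode 1 0)"      # 1
echo "rp_filter drops in sample netstat: $(rpf_drops "$(sample_netstat)")" # 17
```

On a live container, `live_rpf_check 76.167.254.196 eth0` prints the interface the reverse lookup resolves to and the verdict; comparing `nstat -az TcpExtIPReversePathFilter` before and after a connection attempt confirms the diagnosis without touching any sysctl.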
