I recently set up a Debian 9 server (Debian 4.9.130-2) as a lightweight server running a collection of Docker containers (nextcloud, sync, etc.) plus basic services such as ssh. The services are configured correctly and work: I can connect to ssh and the Docker containers from any device on the LAN without any obvious problems. However, connection attempts from outside the network never reach the server. At this point I tried to test whether the fault lies with the router or with the server, since both appear to be configured correctly. To do this I set up a packet capture on the router and then attempted several inbound connections to the forwarded ports from a VPN.
Here is a snippet from Wireshark which shows (I think) that the traffic is indeed being redirected by the router.
First, the capture on the router:
No. Time Source Destination Protocol Length Info
2265 26.624915 196.52.84.12 87.75.107.144 TCP 80 54626 → 4003 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326616015 TSecr=0 SACK_PERM=1
2382 27.746737 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 54626 → 4003 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326617017 TSecr=0 SACK_PERM=1
2470 28.626743 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 54626 → 4003 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326618019 TSecr=0 SACK_PERM=1
2590 29.666995 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 54626 → 4003 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326619020 TSecr=0 SACK_PERM=1
2688 30.687513 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 54626 → 4003 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326620023 TSecr=0 SACK_PERM=1
2719 31.667451 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 54626 → 4003 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326621028 TSecr=0 SACK_PERM=1
2868 33.696000 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 54626 → 4003 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326623032 TSecr=0 SACK_PERM=1
3254 37.657240 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 54626 → 4003 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326627033 TSecr=0 SACK_PERM=1
3861 45.658800 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 54626 → 4003 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326635033 TSecr=0 SACK_PERM=1
4132 48.150464 196.52.84.12 87.75.107.144 TCP 80 57788 → 2202 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326377039 TSecr=0 SACK_PERM=1
4152 49.191512 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 57788 → 2202 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326378040 TSecr=0 SACK_PERM=1
4207 50.160028 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 57788 → 2202 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326379041 TSecr=0 SACK_PERM=1
4464 52.415812 196.52.84.12 87.75.107.144 TCP 80 57789 → 2202 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326381262 TSecr=0 SACK_PERM=1
4530 53.412326 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 57789 → 2202 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326382263 TSecr=0 SACK_PERM=1
4631 54.373065 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 57789 → 2202 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326383263 TSecr=0 SACK_PERM=1
4684 55.380093 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 57789 → 2202 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326384264 TSecr=0 SACK_PERM=1
4779 56.420386 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 57789 → 2202 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326385265 TSecr=0 SACK_PERM=1
4874 57.420881 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 57789 → 2202 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326386265 TSecr=0 SACK_PERM=1
5161 59.374395 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 57789 → 2202 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326388265 TSecr=0 SACK_PERM=1
5381 61.774499 196.52.84.12 87.75.107.144 TCP 80 [TCP Retransmission] 54626 → 4003 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326651102 TSecr=0 SACK_PERM=1
Capture on the server:
No. Time Source Destination Protocol Length Info
32179 24.444677474 196.52.84.12 192.168.1.208 TCP 78 54626 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326616015 TSecr=0 SACK_PERM=1
33778 25.565718159 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 54626 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326617017 TSecr=0 SACK_PERM=1
35147 26.445497552 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 54626 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326618019 TSecr=0 SACK_PERM=1
36888 27.485382313 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 54626 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326619020 TSecr=0 SACK_PERM=1
38683 28.505695805 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 54626 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326620023 TSecr=0 SACK_PERM=1
40376 29.485394758 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 54626 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326621028 TSecr=0 SACK_PERM=1
43649 31.513421847 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 54626 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326623032 TSecr=0 SACK_PERM=1
50623 35.473792067 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 54626 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326627033 TSecr=0 SACK_PERM=1
65139 43.473176096 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 54626 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326635033 TSecr=0 SACK_PERM=1
69018 45.964529458 196.52.84.12 192.168.1.208 TCP 78 57788 → 22 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326377039 TSecr=0 SACK_PERM=1
70816 47.004900826 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 57788 → 22 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326378040 TSecr=0 SACK_PERM=1
72718 47.973061039 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 57788 → 22 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326379041 TSecr=0 SACK_PERM=1
77788 50.228672533 196.52.84.12 192.168.1.208 TCP 78 57789 → 22 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326381262 TSecr=0 SACK_PERM=1
80033 51.224501372 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 57789 → 22 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326382263 TSecr=0 SACK_PERM=1
82529 52.185037535 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 57789 → 22 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326383263 TSecr=0 SACK_PERM=1
84789 53.191738933 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 57789 → 22 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326384264 TSecr=0 SACK_PERM=1
87000 54.231741538 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 57789 → 22 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326385265 TSecr=0 SACK_PERM=1
88816 55.231936109 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 57789 → 22 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326386265 TSecr=0 SACK_PERM=1
92836 57.184892614 196.52.84.12 192.168.1.208 TCP 78 [TCP Retransmission] 57789 → 22 [SYN] Seq=0 Win=65535 Len=0 MSS=1352 WS=64 TSval=326388265 TSecr=0 SACK_PERM=1
Key to the output:
- 196.52.84.14 is the IP address assigned to my PC when connected to the VPN
- 192.168.1.208 is the LAN IP address of the server
- 87.75.107.144 is the WAN IP address of the router (obfuscated)
- Port 2202 is forwarded over TCP to ssh port 22 on the server, and port 4003 is forwarded to 443 on the server
Am I right in thinking that the router is behaving correctly and forwarding the packets (e.g. the "retransmissions")?
The firewall is as follows:
$ sudo iptables-save
# Generated by iptables-save v1.6.0 on Fri Mar 15 20:37:38 2019
*nat
:PREROUTING ACCEPT [3920:488137]
:INPUT ACCEPT [2997:321060]
:OUTPUT ACCEPT [2725:243307]
:POSTROUTING ACCEPT [2735:246173]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-931904c155b2 -j MASQUERADE
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 8181 -j MASQUERADE
-A POSTROUTING -s 172.18.0.3/32 -d 172.18.0.3/32 -p tcp -m tcp --dport 7878 -j MASQUERADE
-A POSTROUTING -s 172.18.0.4/32 -d 172.18.0.4/32 -p tcp -m tcp --dport 8686 -j MASQUERADE
-A POSTROUTING -s 172.18.0.5/32 -d 172.18.0.5/32 -p tcp -m tcp --dport 9000 -j MASQUERADE
-A POSTROUTING -s 172.18.0.6/32 -d 172.18.0.6/32 -p tcp -m tcp --dport 8989 -j MASQUERADE
-A POSTROUTING -s 172.18.0.7/32 -d 172.18.0.7/32 -p tcp -m tcp --dport 4040 -j MASQUERADE
-A POSTROUTING -s 172.18.0.8/32 -d 172.18.0.8/32 -p tcp -m tcp --dport 8000 -j MASQUERADE
-A POSTROUTING -s 172.18.0.8/32 -d 172.18.0.8/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-931904c155b2 -j RETURN
-A DOCKER ! -i br-931904c155b2 -p tcp -m tcp --dport 8181 -j DNAT --to-destination 172.18.0.2:8181
-A DOCKER ! -i br-931904c155b2 -p tcp -m tcp --dport 7878 -j DNAT --to-destination 172.18.0.3:7878
-A DOCKER ! -i br-931904c155b2 -p tcp -m tcp --dport 8686 -j DNAT --to-destination 172.18.0.4:8686
-A DOCKER ! -i br-931904c155b2 -p tcp -m tcp --dport 9001 -j DNAT --to-destination 172.18.0.5:9000
-A DOCKER ! -i br-931904c155b2 -p tcp -m tcp --dport 27021 -j DNAT --to-destination 172.18.0.6:8989
-A DOCKER ! -i br-931904c155b2 -p tcp -m tcp --dport 4040 -j DNAT --to-destination 172.18.0.7:4040
-A DOCKER ! -i br-931904c155b2 -p tcp -m tcp --dport 10001 -j DNAT --to-destination 172.18.0.8:8000
-A DOCKER ! -i br-931904c155b2 -p tcp -m tcp --dport 10000 -j DNAT --to-destination 172.18.0.8:80
COMMIT
# Completed on Fri Mar 15 20:37:38 2019
# Generated by iptables-save v1.6.0 on Fri Mar 15 20:37:38 2019
*filter
:INPUT ACCEPT [6374971:555022347]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [8882591:15858115582]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m comment --comment "Allow SSH" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m comment --comment "Allow HTTPS" -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-931904c155b2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-931904c155b2 -j DOCKER
-A FORWARD -i br-931904c155b2 ! -o br-931904c155b2 -j ACCEPT
-A FORWARD -i br-931904c155b2 -o br-931904c155b2 -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-931904c155b2 -o br-931904c155b2 -p tcp -m tcp --dport 8181 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-931904c155b2 -o br-931904c155b2 -p tcp -m tcp --dport 7878 -j ACCEPT
-A DOCKER -d 172.18.0.4/32 ! -i br-931904c155b2 -o br-931904c155b2 -p tcp -m tcp --dport 8686 -j ACCEPT
-A DOCKER -d 172.18.0.5/32 ! -i br-931904c155b2 -o br-931904c155b2 -p tcp -m tcp --dport 9000 -j ACCEPT
-A DOCKER -d 172.18.0.6/32 ! -i br-931904c155b2 -o br-931904c155b2 -p tcp -m tcp --dport 8989 -j ACCEPT
-A DOCKER -d 172.18.0.7/32 ! -i br-931904c155b2 -o br-931904c155b2 -p tcp -m tcp --dport 4040 -j ACCEPT
-A DOCKER -d 172.18.0.8/32 ! -i br-931904c155b2 -o br-931904c155b2 -p tcp -m tcp --dport 8000 -j ACCEPT
-A DOCKER -d 172.18.0.8/32 ! -i br-931904c155b2 -o br-931904c155b2 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-931904c155b2 ! -o br-931904c155b2 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-931904c155b2 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Fri Mar 15 20:37:38 2019
Routing table:
$ ip route
0.0.0.0/1 via 10.1.10.9 dev tun0
default via 192.168.1.1 dev eno1 onlink
10.1.10.1 via 10.1.10.9 dev tun0
10.1.10.9 dev tun0 proto kernel scope link src 10.1.10.10
128.0.0.0/1 via 10.1.10.9 dev tun0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-931904c155b2 proto kernel scope link src 172.18.0.1
172.98.67.82 via 192.168.1.1 dev eno1
192.0.0.0/8 dev eno1 proto kernel scope link src 192.168.1.208
192.168.1.0/24 via 192.168.1.1 dev eno1
Answer 1
[TCP Retransmission] means the packet was sent, but because no reply was received the PC keeps trying to resend it.
This usually means the receiving side did not send back an ACK to confirm the data was received.
This is probably a routing error on the receiving side, since the receiver may simply have no route back to your IP 196.52.84.14.
I suggest debugging from the receiving side; I would suggest 192.168.1.208, since you can easily enable a packet sniffer there. Collect logs and check whether the remote receiver knows a default route to your VPN IP.
Edit 1
Wireshark shows that the machine is receiving the retransmissions but not answering them. So make sure the firewall on the server is not blocking that traffic; winpcap/wireshark captures inbound packets before the local firewall drops them.
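As an added illustration (not part of the original question or answer), the script below applies the kernel's longest-prefix-match rule to the `ip route` table posted in the question and reports which route a reply to the VPN client's address would take, which is the check the answer recommends. It is a plain Python lookup, not a model of the kernel's full routing logic: metrics, policy routing tables and the `linkdown` flag are ignored, and the table text is copied from the question rather than read from a live system.

```python
import ipaddress

# Routing table exactly as printed by `ip route` in the question
# (embedded here as constructed input; this example is not from the original post).
IP_ROUTE_OUTPUT = """\
0.0.0.0/1 via 10.1.10.9 dev tun0
default via 192.168.1.1 dev eno1 onlink
10.1.10.1 via 10.1.10.9 dev tun0
10.1.10.9 dev tun0 proto kernel scope link src 10.1.10.10
128.0.0.0/1 via 10.1.10.9 dev tun0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-931904c155b2 proto kernel scope link src 172.18.0.1
172.98.67.82 via 192.168.1.1 dev eno1
192.0.0.0/8 dev eno1 proto kernel scope link src 192.168.1.208
192.168.1.0/24 via 192.168.1.1 dev eno1
"""


def parse_routes(text):
    """Turn `ip route` lines into (network, gateway-or-None, device) tuples."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        # "default" is 0.0.0.0/0; a bare host address becomes a /32.
        prefix = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        net = ipaddress.ip_network(prefix, strict=False)
        via = tokens[tokens.index("via") + 1] if "via" in tokens else None
        dev = tokens[tokens.index("dev") + 1]
        routes.append((net, via, dev))
    return routes


def lookup(dst, routes):
    """Pick the most specific matching route, as the kernel does (metrics ignored)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    net, via, dev = max(candidates, key=lambda r: r[0].prefixlen)
    return {"prefix": str(net), "via": via, "dev": dev}


if __name__ == "__main__":
    table = parse_routes(IP_ROUTE_OUTPUT)
    # 196.52.84.12 is the source address seen in both captures.
    for dst in ("196.52.84.12", "192.168.1.1", "172.18.0.5"):
        print(dst, "->", lookup(dst, table))
```

For the capture's source address the lookup selects 128.0.0.0/1 via 10.1.10.9 on tun0 rather than the default route via eno1, so a SYN-ACK would leave through the VPN tunnel instead of going back out through the router that delivered the SYN.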