Strange traceroute behaviour when redirecting an IP with iptables/nat

One of my clients has a LAN of 10.0.1.0/24, and on it a Windows machine with IP 10.0.1.8 hosts a fairly old legacy application (for which nobody has the source code, of course) that wants to connect to the hard-coded IP address 192.168.173.93.

That IP used to belong to a machine on a remote network 192.168.173.0/24 that was reachable over a VPN via 10.0.1.4 (a Linux server separate from the main router 10.0.1.254), and all computers on the LAN have a static route to that network via 10.0.1.4.

The problem is that the machine formerly at 192.168.173.93 on the remote network no longer exists, and its software has been moved to a public VPS reachable via the public IP 1.2.3.4.

So one solution I came up with was to add a couple of iptables rules on the Linux server 10.0.1.4 that redirect packets from 10.0.1.8 destined for 192.168.173.93 to 1.2.3.4:

iptables -t nat -I PREROUTING  -i br0 -s 10.0.1.8 -d 192.168.173.93 -j DNAT --to-destination 1.2.3.4
iptables -t nat -I POSTROUTING -o br0 -s 10.0.1.8 -d 1.2.3.4        -j SNAT --to-source      10.0.1.4

Then from 10.0.1.8 I can ping 192.168.173.93 and establish regular connections just fine:

C:\Work>ping 192.168.173.93

Pinging 192.168.173.93 with 32 bytes of data:

Reply from 192.168.173.93: bytes=32 time=37ms TTL=115
Reply from 192.168.173.93: bytes=32 time=36ms TTL=115
Reply from 192.168.173.93: bytes=32 time=36ms TTL=115
Reply from 192.168.173.93: bytes=32 time=36ms TTL=115

Ping statistics for 192.168.173.93:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 36ms, Maximum = 37ms, Average = 36ms

The ping times above are consistent with what I see when pinging 1.2.3.4 directly, so it looks good. But when I test with tracert, I see something very strange:

C:\Work>tracert 192.168.173.93

Tracing route to 192.168.173.93 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.173.93
  2    <1 ms    <1 ms    <1 ms  192.168.173.93
  3     8 ms     8 ms     8 ms  192.168.173.93
  4    12 ms    13 ms    11 ms  192.168.173.93
  5    15 ms    31 ms    15 ms  192.168.173.93
  6    13 ms    13 ms    13 ms  192.168.173.93
  7    21 ms    21 ms    21 ms  192.168.173.93
  8    20 ms    19 ms    23 ms  192.168.173.93
  9    21 ms   108 ms    74 ms  192.168.173.93
 10    31 ms    31 ms    38 ms  192.168.173.93
 11    37 ms    37 ms    37 ms  192.168.173.93
 12    36 ms    39 ms    36 ms  192.168.173.93
 13    37 ms    40 ms    37 ms  192.168.173.93

Trace complete.    

which is of similar length to running tracert directly:

C:\Work>tracert -d 1.2.3.4

Tracing route to 1.2.3.4 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.0.1.254
  2     7 ms     8 ms     8 ms  HOP-A
  3    19 ms    11 ms    11 ms  HOP-B
  4    12 ms    11 ms    11 ms  HOP-C
  5    22 ms    14 ms    16 ms  HOP-D
  6    21 ms    21 ms    22 ms  HOP-E
  7    95 ms    59 ms    26 ms  HOP-F
  8    20 ms    21 ms    32 ms  HOP-G
  9    31 ms    30 ms    30 ms  HOP-H
 10    36 ms    36 ms    36 ms  HOP-I
 11    37 ms    36 ms    36 ms  HOP-J
 12    36 ms    36 ms    37 ms  1.2.3.4

Trace complete.

10.0.1.254 is the main router on the local network.

So I ran the traceroute to 192.168.173.93 again while running tcpdump on 10.0.1.4 (for readability I added line breaks to show the section corresponding to each hop, and to each of the three pings per hop, of the first tracert above):

$ tcpdump -nni br0 -e icmp --no-promiscuous-mode
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:09:17.288490 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 34304, length 72
09:09:17.288554 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 134: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 100
----- ping -----
09:09:17.289002 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 34560, length 72
09:09:17.289070 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 134: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 100
----- ping -----
09:09:17.289520 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 34816, length 72
09:09:17.289589 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 134: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 100

09:09:18.297270 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 35072, length 72
09:09:18.297339 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 35072, length 72
09:09:18.297544 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 134: 10.0.1.254 > 10.0.1.4: ICMP time exceeded in-transit, length 100
09:09:18.297584 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 134: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 100
----- ping -----
09:09:18.298043 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 35328, length 72
09:09:18.298094 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 35328, length 72
09:09:18.298213 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 134: 10.0.1.254 > 10.0.1.4: ICMP time exceeded in-transit, length 100
09:09:18.298242 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 134: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 100
----- ping -----
09:09:18.298667 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 35584, length 72
09:09:18.298713 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 35584, length 72
09:09:18.298818 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 134: 10.0.1.254 > 10.0.1.4: ICMP time exceeded in-transit, length 100
09:09:18.298846 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 134: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 100

09:09:19.305326 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 35840, length 72
09:09:19.305389 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 35840, length 72
09:09:19.327923 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 70: HOP-A > 10.0.1.4: ICMP time exceeded in-transit, length 36
09:09:19.327967 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 70: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 36
----- ping -----
09:09:19.328407 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 36096, length 72
09:09:19.328457 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 36096, length 72
09:09:19.337999 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 70: HOP-A > 10.0.1.4: ICMP time exceeded in-transit, length 36
09:09:19.338041 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 70: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 36
----- ping -----
09:09:19.338521 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 36352, length 72
09:09:19.338567 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 36352, length 72
09:09:19.351300 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 70: HOP-A > 10.0.1.4: ICMP time exceeded in-transit, length 36
09:09:19.351343 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 70: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 36

09:09:20.344214 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 36608, length 72
09:09:20.344278 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 36608, length 72
09:09:20.355855 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 110: HOP-B > 10.0.1.4: ICMP time exceeded in-transit, length 76
09:09:20.355898 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 110: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 76
----- ping -----
09:09:20.356847 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 36864, length 72
09:09:20.356871 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 36864, length 72
09:09:20.367650 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 110: HOP-B > 10.0.1.4: ICMP time exceeded in-transit, length 76
09:09:20.367698 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 110: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 76
----- ping -----
09:09:20.368114 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 37120, length 72
09:09:20.368161 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 37120, length 72
09:09:20.379480 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 110: HOP-B > 10.0.1.4: ICMP time exceeded in-transit, length 76
09:09:20.379526 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 110: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 76

09:09:21.375622 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 37376, length 72
09:09:21.375688 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 37376, length 72
09:09:21.388676 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 110: HOP-C > 10.0.1.4: ICMP time exceeded in-transit, length 76
09:09:21.388720 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 110: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 76
----- ping -----
09:09:21.389293 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 37632, length 72
09:09:21.389330 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 37632, length 72
09:09:21.404654 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 110: HOP-C > 10.0.1.4: ICMP time exceeded in-transit, length 76
09:09:21.404695 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 110: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 76
----- ping -----
09:09:21.405334 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 37888, length 72
09:09:21.405374 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 37888, length 72
09:09:21.416980 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 110: HOP-C > 10.0.1.4: ICMP time exceeded in-transit, length 76
09:09:21.417018 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 110: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 76

09:09:22.412744 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 38144, length 72
09:09:22.412798 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 38144, length 72
09:09:22.426660 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 110: HOP-D > 10.0.1.4: ICMP time exceeded in-transit, length 76
09:09:22.426704 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 110: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 76
----- ping -----
09:09:22.427382 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 38400, length 72
09:09:22.427438 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 38400, length 72
09:09:22.441656 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 110: HOP-D > 10.0.1.4: ICMP time exceeded in-transit, length 76
09:09:22.441698 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 110: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 76
----- ping -----
09:09:22.442238 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 38656, length 72
09:09:22.442274 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 38656, length 72
09:09:22.455759 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 110: HOP-D > 10.0.1.4: ICMP time exceeded in-transit, length 76
09:09:22.455802 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 110: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 76

09:09:23.456528 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 38912, length 72
09:09:23.456601 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 38912, length 72
09:09:23.478954 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 110: HOP-E > 10.0.1.4: ICMP time exceeded in-transit, length 76
09:09:23.478997 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 110: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 76
----- ping -----
09:09:23.479470 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 39168, length 72
09:09:23.479519 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 39168, length 72
09:09:23.500600 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 110: HOP-E > 10.0.1.4: ICMP time exceeded in-transit, length 76
09:09:23.500644 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 110: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 76
----- ping -----
09:09:23.501168 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 39424, length 72
09:09:23.501201 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 39424, length 72
09:09:23.522284 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 110: HOP-E > 10.0.1.4: ICMP time exceeded in-transit, length 76
09:09:23.522335 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 110: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 76

09:09:24.509376 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 39680, length 72
09:09:24.509419 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 39680, length 72
09:09:24.529265 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 70: HOP-F > 10.0.1.4: ICMP time exceeded in-transit, length 36
09:09:24.529315 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 70: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 36
----- ping -----
09:09:24.529805 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 39936, length 72
09:09:24.529854 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 39936, length 72
09:09:24.549402 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 70: HOP-F > 10.0.1.4: ICMP time exceeded in-transit, length 36
09:09:24.549429 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 70: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 36
----- ping -----
09:09:24.549822 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 40192, length 72
09:09:24.549868 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 40192, length 72
09:09:24.570871 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 70: HOP-F > 10.0.1.4: ICMP time exceeded in-transit, length 36
09:09:24.570915 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 70: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 36

09:09:25.556159 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 40448, length 72
09:09:25.556226 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 40448, length 72
09:09:25.577631 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 182: HOP-G > 10.0.1.4: ICMP time exceeded in-transit, length 148
09:09:25.577675 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 182: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 148
----- ping -----
09:09:25.578113 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 40704, length 72
09:09:25.578162 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 40704, length 72
09:09:25.599536 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 182: HOP-G > 10.0.1.4: ICMP time exceeded in-transit, length 148
09:09:25.599582 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 182: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 148
----- ping -----
09:09:25.600110 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 40960, length 72
09:09:25.600144 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 40960, length 72
09:09:25.620280 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 182: HOP-G > 10.0.1.4: ICMP time exceeded in-transit, length 148
09:09:25.620322 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 182: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 148

09:09:26.608931 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 41216, length 72
09:09:26.608977 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 41216, length 72
09:09:26.642008 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 182: HOP-H > 10.0.1.4: ICMP time exceeded in-transit, length 148
09:09:26.642048 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 182: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 148
----- ping -----
09:09:26.642506 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 41472, length 72
09:09:26.642555 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 41472, length 72
09:09:26.675939 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 182: HOP-H > 10.0.1.4: ICMP time exceeded in-transit, length 148
09:09:26.675976 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 182: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 148
----- ping -----
09:09:26.676626 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 41728, length 72
09:09:26.676666 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 41728, length 72
09:09:26.707232 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 182: HOP-H > 10.0.1.4: ICMP time exceeded in-transit, length 148
09:09:26.707274 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 182: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 148

09:09:27.687132 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 41984, length 72
09:09:27.687170 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 41984, length 72
09:09:27.724543 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 110: HOP-I > 10.0.1.4: ICMP time exceeded in-transit, length 76
09:09:27.724578 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 110: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 76
----- ping -----
09:09:27.725211 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 42240, length 72
09:09:27.725252 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 42240, length 72
09:09:27.762221 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 110: HOP-I > 10.0.1.4: ICMP time exceeded in-transit, length 76
09:09:27.762265 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 110: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 76
----- ping -----
09:09:27.762704 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 42496, length 72
09:09:27.762753 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 42496, length 72
09:09:27.799409 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 110: HOP-I > 10.0.1.4: ICMP time exceeded in-transit, length 76
09:09:27.799434 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 110: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 76

09:09:28.770910 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 42752, length 72
09:09:28.770966 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 42752, length 72
09:09:28.808115 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 70: HOP-J > 10.0.1.4: ICMP time exceeded in-transit, length 36
09:09:28.808154 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 70: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 36
----- ping -----
09:09:28.808666 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 43008, length 72
09:09:28.808701 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 43008, length 72
09:09:28.845294 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 70: HOP-J > 10.0.1.4: ICMP time exceeded in-transit, length 36
09:09:28.845337 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 70: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 36
----- ping -----
09:09:28.845927 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 43264, length 72
09:09:28.845976 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 43264, length 72
09:09:28.882803 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 70: HOP-J > 10.0.1.4: ICMP time exceeded in-transit, length 36
09:09:28.882859 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 70: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 36

09:09:29.854005 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 43520, length 72
09:09:29.854043 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 43520, length 72
09:09:29.890198 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 1.2.3.4 > 10.0.1.4: ICMP echo reply, id 512, seq 43520, length 72
09:09:29.890253 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 106: 192.168.173.93 > 10.0.1.8: ICMP echo reply, id 512, seq 43520, length 72
----- ping -----
09:09:29.890813 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 43776, length 72
09:09:29.890862 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 43776, length 72
09:09:29.927667 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 1.2.3.4 > 10.0.1.4: ICMP echo reply, id 512, seq 43776, length 72
09:09:29.927700 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 106: 192.168.173.93 > 10.0.1.8: ICMP echo reply, id 512, seq 43776, length 72
----- ping -----
09:09:29.928462 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 44032, length 72
09:09:29.928503 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 44032, length 72
09:09:29.964340 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 1.2.3.4 > 10.0.1.4: ICMP echo reply, id 512, seq 44032, length 72
09:09:29.964370 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 106: 192.168.173.93 > 10.0.1.8: ICMP echo reply, id 512, seq 44032, length 72
^C
150 packets captured
150 packets received by filter
0 packets dropped by kernel

So it seems to me that the responses from each hop are not being returned properly to 10.0.1.8.

Is this a limitation of iptables? Or am I missing something related to conntrack etc. that would cause the hop responses to be treated as related? Or is there a better way that I'm missing?

More info:

10.0.1.4: iptables v1.4.12, tcpdump version 4.6.2, libpcap version 1.6.2
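
As an added example (not part of the question or of the capture above), the following Python script parses lines in the format of that tcpdump output and pairs each tracert probe with the reply that actually arrived at 10.0.1.4 and with the packet that was then forwarded to 10.0.1.8. The sample lines embedded in it are a constructed excerpt in the same format, covering hop 1 (where the TTL expires on 10.0.1.4 itself), hop 3 (HOP-A) and the final echo reply. Run over the real capture it makes the pattern explicit: the true hop address is visible on the inbound side, but every copy handed to the client carries 192.168.173.93 as its source, which is exactly what tracert prints.

```python
import re

# Addresses from the question; the capture was taken on 10.0.1.4's br0.
CLIENT = "10.0.1.8"            # Windows box running tracert
LEGACY_IP = "192.168.173.93"   # hard-coded address the legacy application dials
NAT_HOST = "10.0.1.4"          # Linux server carrying the DNAT/SNAT rules
VPS = "1.2.3.4"                # where the service really lives now

# Constructed excerpt in the format of the tcpdump output above: hop 1 (TTL expires on
# 10.0.1.4 itself, so nothing is forwarded), hop 3 (HOP-A) and the final echo reply.
SAMPLE_CAPTURE = """\
09:09:17.288490 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 34304, length 72
09:09:17.288554 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 134: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 100
09:09:19.305326 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 35840, length 72
09:09:19.305389 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 35840, length 72
09:09:19.327923 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 70: HOP-A > 10.0.1.4: ICMP time exceeded in-transit, length 36
09:09:19.327967 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 70: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, length 36
09:09:29.854005 MAC_10.0.1.8_____ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 43520, length 72
09:09:29.854043 MAC_10.0.1.4_eth0 > MAC_10.0.1.254___, ethertype IPv4 (0x0800), length 106: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 43520, length 72
09:09:29.890198 MAC_10.0.1.254___ > MAC_10.0.1.4_eth0, ethertype IPv4 (0x0800), length 106: 1.2.3.4 > 10.0.1.4: ICMP echo reply, id 512, seq 43520, length 72
09:09:29.890253 MAC_10.0.1.4_eth0 > MAC_10.0.1.8_____, ethertype IPv4 (0x0800), length 106: 192.168.173.93 > 10.0.1.8: ICMP echo reply, id 512, seq 43520, length 72
"""

# One "tcpdump -e" ICMP line: timestamp, MACs, then "src > dst: ICMP <kind>[, id, seq], length N".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ > \S+, ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src>\S+) > (?P<dst>\S+): ICMP (?P<kind>echo request|echo reply|time exceeded in-transit)"
    r"(?:, id (?P<id>\d+), seq (?P<seq>\d+))?, length \d+$"
)


def parse_capture(text):
    """Return one dict per matching tcpdump line; non-matching lines (banner, summary) are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["seq"] = int(d["seq"]) if d["seq"] else None
            packets.append(d)
    return packets


def pair_probes(packets):
    """Group packets per probe: who really answered 10.0.1.4, and what 10.0.1.8 was shown."""
    probes, current = [], None
    for p in packets:
        if p["src"] == CLIENT and p["kind"] == "echo request":
            # A new probe arrives from the client. Until an inbound answer is seen, the
            # answer must have been generated by 10.0.1.4 itself (the TTL=1 case).
            current = {"seq": p["seq"], "forwarded": False, "real_source": NAT_HOST,
                       "shown_to_client": None, "kind": None}
        elif current is None:
            continue
        elif p["src"] == NAT_HOST and p["dst"] == VPS:
            current["forwarded"] = True          # DNAT + SNAT applied, probe left for the VPS
        elif p["dst"] == NAT_HOST:
            current["real_source"] = p["src"]    # error or reply as it arrived from outside
        elif p["dst"] == CLIENT:
            current["shown_to_client"] = p["src"]
            current["kind"] = p["kind"]
            probes.append(current)
            current = None
    return probes


def sources_seen_by_client(probes):
    """Distinct source addresses the client was shown; on this capture only the DNATed one."""
    return sorted({p["shown_to_client"] for p in probes})


if __name__ == "__main__":
    for p in pair_probes(parse_capture(SAMPLE_CAPTURE)):
        print(f"seq {p['seq']}: {p['kind']} really from {p['real_source']}, "
              f"shown to client as {p['shown_to_client']}")
```

Feeding the full capture from the question through `parse_capture` and `pair_probes` works the same way, since every probe completes before the next one starts; the `forwarded` flag separates the first two hops (answered locally by 10.0.1.4 and by 10.0.1.254) from the hops beyond the main router.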

Answer 1

I'm not 100% sure, but I believe this is a feature, and if the network is working properly you don't have to worry about it.

Traceroute works by sending probe packets with increasing TTL and looking for ICMP errors. Apart from their use by traceroute, ICMP errors are important for the correct operation of the network stack; for example, path MTU discovery relies on ICMP errors.

In order for ICMP errors to be matched with the communication session that caused them, they contain a portion of the packet that caused the error. For ICMP errors relating to a NATed connection to be matched correctly to the session that caused them, the addresses in the embedded partial copy of the packet must be translated.

Additionally, NAT is often used at the boundary between private networks and the public internet. If packets with private source addresses are routed onto the public internet, they will most likely be dropped by ingress filtering.

So I believe what is happening here is that iptables is changing the source address of the ICMP error packets to reduce the risk of them falling victim to ingress filtering.


Sounds like the two of you are talking about masquerading when translating the addresses inside ICMP packets?

ICMP error packets generally contain four IP addresses, two of which are usually equal.

  1. The source address of the error packet (usually the system where the error occurred).
  2. The destination address of the ICMP error packet (equal to the source address of the packet that caused the error).
  3. The source address in the partial copy of the packet that caused the error.
  4. The destination address in the partial copy of the packet that caused the error.

When you send a trace packet through a NAT, the source and destination addresses are changed, and the NAT box creates an entry for that connection in its NAT mapping table*.

When the ICMP error reaches the NAT box, the NAT engine will try to match it against the connection table. If it matches, the NAT engine performs the translation on it.

NAT needs to map the source and destination in the embedded packet copy to match what the client expects. It also needs to change the destination of the ICMP packet so that the packet is delivered to the client. Strictly speaking, it does not need to change the source of the ICMP packet itself, but it appears to do so anyway. As I said above, this is most likely to reduce the risk of the error being caught by ingress filters.

In your network we have two NATs: a one-armed NAT doing the redirection, and a regular NAT between your network and the internet. So the flow looks something like this.

  • client -> one-armed NAT: 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 36096
  • one-armed NAT -> regular NAT: 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 36096
  • regular NAT -> internet: ???.???.???.??? > 1.2.3.4: ICMP echo request, id 512, seq 36096
  • internet -> regular NAT: HOP-A > ???.???.???.???: ICMP time exceeded in-transit, embedded partial packet copy ???.???.???.??? > 1.2.3.4: ICMP echo request, id 512, seq 36096
  • regular NAT -> one-armed NAT: HOP-A > 10.0.1.4: ICMP time exceeded in-transit, embedded partial packet copy 10.0.1.4 > 1.2.3.4: ICMP echo request, id 512, seq 36096
  • one-armed NAT -> client: 192.168.173.93 > 10.0.1.8: ICMP time exceeded in-transit, embedded partial packet copy 10.0.1.8 > 192.168.173.93: ICMP echo request, id 512, seq 36096

* Yes, I know that strictly speaking ICMP queries don't have connections; nonetheless they create entries in the NAT tracking table. The query ID is effectively treated as the source port of the connection. iptables NAT uses a port-preserving policy by default, so the query ID is only changed when needed to disambiguate.
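
To make the four-address bookkeeping above concrete, here is an added Python example (not code from the question, the answer, or netfilter itself). It builds the ICMP time-exceeded error that HOP-A would send back to 10.0.1.4, quoting the forwarded probe, and then applies the reply-direction mapping implied by the one-armed NAT's conntrack entry: address 2 and the embedded pair (3, 4) are rewritten so the error matches the client's view of the flow, and address 1 is rewritten to 192.168.173.93 as the capture shows, with a flag to keep the real hop address instead. All checksums are recomputed and verified. 203.0.113.7 is a constructed stand-in for the anonymised HOP-A, and the NAT_ENTRY dict and the packet-building helpers are this example's own.

```python
import socket
import struct

# Addresses from the question. HOP_A is a constructed TEST-NET-3 stand-in for the
# anonymised "HOP-A" router in the tracert output.
CLIENT, LEGACY_IP = "10.0.1.8", "192.168.173.93"
NAT_HOST, VPS = "10.0.1.4", "1.2.3.4"
HOP_A = "203.0.113.7"

# The entry the one-armed NAT holds for this flow; the ICMP query id plays the port's role.
NAT_ENTRY = {"orig_src": CLIENT, "orig_dst": LEGACY_IP,
             "nat_src": NAT_HOST, "nat_dst": VPS, "icmp_id": 512}


def checksum(data):
    """RFC 1071 one's-complement checksum as used by IPv4 headers and ICMP messages."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (protocol 1 = ICMP) with its checksum filled in."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, 1, 0,
                                socket.inet_aton(src), socket.inet_aton(dst)))
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr)


def icmp_echo_request(src, dst, ident, seq, data, ttl=64):
    """Echo request as tracert sends it (tracert uses 64 data bytes, hence 'length 72')."""
    icmp = bytearray(struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data)
    icmp[2:4] = struct.pack("!H", checksum(bytes(icmp)))
    return ipv4_header(src, dst, len(icmp), ttl) + bytes(icmp)


def icmp_time_exceeded(router, victim, offending):
    """Type 11 error quoting the offending IP header plus 8 bytes of its payload (RFC 792)."""
    icmp = bytearray(struct.pack("!BBHI", 11, 0, 0, 0) + offending[:28])
    icmp[2:4] = struct.pack("!H", checksum(bytes(icmp)))
    return ipv4_header(router, victim, len(icmp)) + bytes(icmp)


def four_addresses(pkt):
    """The four addresses listed in the answer: outer src, outer dst, embedded src, embedded dst."""
    return tuple(socket.inet_ntoa(pkt[o:o + 4]) for o in (12, 16, 28 + 12, 28 + 16))


def reverse_translate(pkt, entry, rewrite_error_source=True):
    """Apply the reply-direction NAT mapping to an ICMP error the way conntrack does.

    Returns None when the embedded packet does not match the entry, i.e. no translation.
    """
    outer_src, outer_dst, inner_src, inner_dst = four_addresses(pkt)
    inner_id = struct.unpack("!H", pkt[52:54])[0]       # id field of the quoted ICMP header
    if (outer_dst, inner_src, inner_dst, inner_id) != (
            entry["nat_src"], entry["nat_src"], entry["nat_dst"], entry["icmp_id"]):
        return None
    icmp = bytearray(pkt[20:])
    inner = icmp[8:28]
    inner[12:16] = socket.inet_aton(entry["orig_src"])   # address 3: what the client sent from
    inner[16:20] = socket.inet_aton(entry["orig_dst"])   # address 4: what the client sent to
    inner[10:12] = b"\x00\x00"
    inner[10:12] = struct.pack("!H", checksum(bytes(inner)))
    icmp[8:28] = inner
    icmp[2:4] = b"\x00\x00"
    icmp[2:4] = struct.pack("!H", checksum(bytes(icmp)))
    # Address 2 must become the client; address 1 need not change, but iptables rewrites it too.
    new_src = entry["orig_dst"] if rewrite_error_source else outer_src
    return ipv4_header(new_src, entry["orig_src"], len(icmp), ttl=pkt[8]) + bytes(icmp)


def checksums_ok(pkt):
    """True when both the outer IP header and the ICMP message verify to zero."""
    return checksum(pkt[:20]) == 0 and checksum(pkt[20:]) == 0


if __name__ == "__main__":
    forwarded = icmp_echo_request(NAT_HOST, VPS, 512, 36096, b"\x00" * 64, ttl=3)
    error = icmp_time_exceeded(HOP_A, NAT_HOST, forwarded)
    print("arrived at 10.0.1.4:", four_addresses(error))
    print("handed to 10.0.1.8: ", four_addresses(reverse_translate(error, NAT_ENTRY)))
```

With `rewrite_error_source=False` the client would see the real hop address (here 203.0.113.7) while the embedded copy still matches its own probe, which is the behaviour the answer says a NAT could get away with; the default reproduces what the capture shows.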
