All traffic on port 5060 is lost across the entire network

I'm having trouble forwarding port `5060` in my firewall/router to a FreeSWITCH server.

Our firewall/router is a Ubiquiti EdgeRouter X. The server's local IP is `10.0.0.216`, the router's is `10.0.0.1`. In addition, we have a few other PCs in the network, say `10.0.0.10` etc.

Let's say our public IP address is `1.3.1.2` and the hostname `example.com` points to `1.3.1.2`.

While UDP is working fine, all traffic on port `5060` using TCP completely vanishes:

```
10.0.0.216 $ sudo netcat -l 5060
...
10.0.0.10 $ netcat 10.0.0.216 5060 # same using example.com instead of IP
test # does not appear at our destination host
...
10.0.0.216 $ netcat 10.0.0.216 5060 # even on local machine
test # does not appear in the other netcat
```

### Same for all other devices

```
10.0.0.10 $ sudo netcat -l 5060 # or even on any other machine in the network
...
10.0.0.10 $ netcat 10.0.0.216 5060
test # does not appear in the other netcat
```

### When using any other port

```
10.0.0.216 $ sudo netcat -l 5061 # for any other port it's working
...
external-device $ netcat example.com 5061
test # perfectly appears on our destination host
```

Even more confusing: even a local netcat on `localhost 5060` does not work, regardless of the host. It works neither locally on `10.0.0.216` nor on `10.0.0.10` (or any other local device). `iptables -F` contains nothing, i.e. it is disabled, just like ufw...

```
✗ sudo iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  172.18.0.0/16        0.0.0.0/0           
MASQUERADE  all  --  10.7.7.0/24          0.0.0.0/0           
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0           
MASQUERADE  tcp  --  172.18.0.2           172.18.0.2           tcp dpt:80
MASQUERADE  tcp  --  10.7.7.10            10.7.7.10            tcp dpt:3008

Chain DOCKER (2 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
DNAT       tcp  --  0.0.0.0/0            10.7.7.1             tcp dpt:5000 to:172.18.0.2:80
DNAT       tcp  --  0.0.0.0/0            127.0.0.1            tcp dpt:3008 to:10.7.7.10:3008

✗ sudo iptables -L -n       
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (3 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.2           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            10.7.7.10            tcp dpt:3008

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
```

```
✗ sudo tcpdump -iany -vvn -s0 port 5060
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
06:25:50.779745 IP (tos 0x0, ttl 64, id 16067, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.10.53806 > 10.0.0.216.5060: Flags [S], cksum 0xa89c (correct), seq 156110932, win 64240, options [mss 1460,sackOK,TS val 1675345422 ecr 0,nop,wscale 7], length 0

...

$ netcat 10.0.0.216 -v 5060
10.0.0.216 5060 (sip): Connection refused
```

If any other port is used instead of `5060`, e.g. `5061`, all localhost netcats, internal-network netcats and external netcats work.

How can this be? How do I get port 5060 working in my network?
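The diagnostics in the question (a netcat listener, a netcat client, a tcpdump that shows only the SYN, and a `Connection refused`) together pin down which layer is failing: a SYN answered with RST means the destination kernel had no socket bound on that port (or a REJECT rule with tcp-reset, which the listed rules do not contain), whereas a firewall DROP would leave the client waiting until it times out. The following script is an added example and not part of the original post; it reproduces that distinction on loopback: it binds a throwaway listener, classifies a connect attempt as open/refused/filtered, lists the ports actually in LISTEN state by reading `/proc/net/tcp` (the same information `ss -ltn` prints; Linux only), and then shows that the same port returns `refused` once the listener is gone. Every address and port in it is constructed for the demo; it does not touch port 5060 or any host from the question.

```python
import socket
import threading


def classify_tcp_connect(host, port, timeout=2.0):
    """Connect to host:port and classify the result the way a troubleshooter
    reads a netcat/tcpdump pair:
      "open"        - handshake completed, something is bound and listening
      "refused"     - the peer kernel answered the SYN with RST: nothing is
                      bound to that port (this is what produces netcat's
                      "Connection refused" even though tcpdump shows the SYN)
      "filtered"    - no reply within the timeout, typical of a firewall DROP
      "unreachable" - routing/ICMP error before any TCP exchange
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def _accept_one(srv):
    # Accept a single connection and close it; used only by the demo listener.
    try:
        conn, _ = srv.accept()
        conn.close()
    except OSError:
        pass


def start_listener(host="127.0.0.1", port=0):
    """Bind and listen on host:port (port 0 lets the kernel pick a free port)
    and return (socket, bound_port). Reading the port back from getsockname()
    is the quickest way to confirm a listener really sits on the port you
    intended rather than on whatever the tool's argument parsing chose."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    bound_port = srv.getsockname()[1]
    threading.Thread(target=_accept_one, args=(srv,), daemon=True).start()
    return srv, bound_port


def listening_tcp_ports():
    """Return the set of local TCP ports in LISTEN state by parsing
    /proc/net/tcp and /proc/net/tcp6 (the data behind `ss -ltn`).
    State code 0A is TCP_LISTEN. Returns None where procfs is absent."""
    ports = set()
    found = False
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as f:
                lines = f.readlines()[1:]  # skip the column header
        except FileNotFoundError:
            continue
        found = True
        for line in lines:
            fields = line.split()
            if len(fields) < 4:
                continue
            local_addr, state = fields[1], fields[3]
            if state == "0A":
                ports.add(int(local_addr.rsplit(":", 1)[1], 16))
    return ports if found else None


def demo():
    """Run the checks against a throwaway loopback listener and return
    (result_while_listening, port_seen_in_listen_state, result_after_close)."""
    srv, port = start_listener()
    try:
        while_listening = classify_tcp_connect("127.0.0.1", port)
        seen = listening_tcp_ports()
        seen_in_proc = None if seen is None else (port in seen)
    finally:
        srv.close()
    # Nothing is bound any more, so the kernel answers the SYN with RST.
    after_close = classify_tcp_connect("127.0.0.1", port)
    return while_listening, seen_in_proc, after_close


if __name__ == "__main__":
    print(demo())  # expected: ('open', True, 'refused') on Linux
```

Running `classify_tcp_connect` from a second machine against the server, and `listening_tcp_ports()` on the server itself, separates "nothing is bound on the port" from "something drops the packets" before any router or iptables change is made.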
