I'm having trouble forwarding port 5060 in my firewall/router to a FreeSWITCH server.

Our firewall/router is a Ubiquiti EdgeRouter X. The server's local IP is 10.0.0.216, the router's is 10.0.0.1. We also have a few other PCs on the network, say 10.0.0.10 etc. Let's say our public IP address is 1.3.1.2 and the hostname example.com points to 1.3.1.2.

While UDP works fine, all traffic on port 5060 using TCP vanishes completely:

```
10.0.0.216 $ sudo netcat -l 5060
...
10.0.0.10 $ netcat 10.0.0.216 5060 # same using example.com instead of IP
test # does not appear at our destination host
...
10.0.0.216 $ netcat 10.0.0.216 5060 # even on local machine
test # does not appear in the other netcat

### Same for all other devices
10.0.0.10 $ sudo netcat -l 5060 # or even on any other machine in the network
...
10.0.0.10 $ netcat 10.0.0.216 5060
test # does not appear in the other netcat

### When using any other port
10.0.0.216 $ sudo netcat -l 5061 # for any other port it's working
...
external-device $ netcat example.com 5061
test # perfectly appears on our destination host
```
Even more confusing: even a local netcat on localhost port 5060 doesn't work, regardless of the host. It works neither locally on 10.0.0.216 nor on 10.0.0.10 (or any other local device). iptables -F contains nothing, i.e. it is disabled, as is ufw...

```
✗ sudo iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.18.0.0/16 0.0.0.0/0
MASQUERADE all -- 10.7.7.0/24 0.0.0.0/0
MASQUERADE all -- 172.17.0.0/16 0.0.0.0/0
MASQUERADE tcp -- 172.18.0.2 172.18.0.2 tcp dpt:80
MASQUERADE tcp -- 10.7.7.10 10.7.7.10 tcp dpt:3008

Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
DNAT tcp -- 0.0.0.0/0 10.7.7.1 tcp dpt:5000 to:172.18.0.2:80
DNAT tcp -- 0.0.0.0/0 127.0.0.1 tcp dpt:3008 to:10.7.7.10:3008
```

```
✗ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-1 all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain DOCKER (3 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.18.0.2 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 10.7.7.10 tcp dpt:3008

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
```

```
✗ sudo tcpdump -iany -vvn -s0 port 5060
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
06:25:50.779745 IP (tos 0x0, ttl 64, id 16067, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.10.53806 > 10.0.0.216.5060: Flags [S], cksum 0xa89c (correct), seq 156110932, win 64240, options [mss 1460,sackOK,TS val 1675345422 ecr 0,nop,wscale 7], length 0
...
```

```
$ netcat 10.0.0.216 -v 5060
10.0.0.216 5060 (sip): Connection refused
```
If any other port is used instead of 5060, e.g. 5061, all localhost netcats, internal-network netcats and external netcats work.

How can this be? How do I get port 5060 working on my network?
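A small diagnostic that separates the two failure modes the question mixes together, added here as an example and not part of the original post: a TCP connect that ends in "Connection refused" means the SYN reached the target kernel and an RST came back, i.e. nothing is bound to that port on that host, whereas a firewall DROP or a missing port forward on the router shows up as a timeout. The hosts and ports in the demo are the question's values; the loopback listener helper is a constructed aid so the probe can be exercised on one machine.

```python
import errno
import socket


def classify_tcp_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Attempt a TCP connect and report what the target did with the SYN.

    'open'        handshake completed, so a process is listening there
    'closed'      the host answered with RST (ECONNREFUSED): the packet got
                  through, the kernel saw it, and nothing is bound to the port
    'filtered'    no answer within the timeout: the SYN or the SYN-ACK was
                  dropped, which is what a DROP rule or a missing NAT rule
                  on a router looks like from the client side
    'unreachable' routing failure before the packet reached the host
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()


def start_loopback_listener(port: int = 0):
    """Bind a listening socket on 127.0.0.1 (port 0 = any free port) and
    return (socket, port); constructed helper to show 'open' vs 'closed'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Values from the question: a 'closed' result when run on 10.0.0.216
    # itself points at the listener, not at the EdgeRouter or iptables.
    for host, port in [("127.0.0.1", 5060), ("10.0.0.216", 5060),
                       ("10.0.0.216", 5061)]:
        print(f"{host}:{port} -> {classify_tcp_port(host, port)}")
```

Run it on the server and on a LAN client: the tcpdump in the question shows the SYN arriving, so a "closed" verdict there confirms the RST is generated by the server's own kernel.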