We perform SNAT on the gateway in the POSTROUTING chain. But we have found that sometimes the source IP is not modified: the packets go out with the internal IP. We are using iptables version 1.6.2 and Linux kernel version 4.14.78.
Below is the output of `iptables-save -c`:

```
# Generated by iptables-save v1.8.7 on Fri Apr 2 14:48:00 2021
*nat
:PREROUTING ACCEPT [4063:381303]
:INPUT ACCEPT [2441:203832]
:OUTPUT ACCEPT [2871:229200]
:POSTROUTING ACCEPT [226:16504]
[3608:318784] -A POSTROUTING -o wwan0 -j MASQUERADE
COMMIT
# Completed on Fri Apr 2 14:48:00 2021
# Generated by iptables-save v1.8.7 on Fri Apr 2 14:48:00 2021
*filter
:INPUT ACCEPT [23264:3684627]
:FORWARD ACCEPT [164478:152807892]
:OUTPUT ACCEPT [53990:65694281]
[483:68408] -A INPUT -i lan3 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 80 -j DROP
[447:23510] -A FORWARD -i wwan0 -o lan1 -j DROP
[543:31927] -A FORWARD -i wwan0 -o lan2 -j DROP
[35:2083] -A FORWARD -i wwan0 -o lan3 -j DROP
[0:0] -A FORWARD -i wwan0 -o lan4 -j DROP
COMMIT
# Completed on Fri Apr 2 14:48:00 2021
```
`wwan0` is the default gateway.

How can this problem be solved?
A tcpdump snapshot. The internal IPs (172.16..) are highlighted. The translated IP is 100.86.203.169. We can see several NATs happening correctly. Every 10 to 15 minutes, we find a few source IP entries that are not translated. Earlier there were transactions to the same IP where the IP translation was correct.
17:13:51.939700 IP 100.86.203.169.47554 > 135.sub-198-224-172.myvzw.com.domain: 64282+ AAAA? connectivitycheck.gstatic.com. (47)
17:13:52.033482 IP 135.sub-198-224-172.myvzw.com.domain > 100.86.203.169.47554: 63258 1/0/0 A 172.217.11.163 (63)
17:13:52.033598 IP 100.86.203.169.hostmon > 224.0.0.252.hostmon: UDP, length 27
17:13:52.042355 IP 135.sub-198-224-172.myvzw.com.domain > 100.86.203.169.47554: 64282 1/0/0 AAAA 2607:f8b0:4007:804::2003 (75)
17:13:52.043389 IP 100.86.203.169 > lax28s15-in-f3.1e100.net: ICMP echo request, id 34628, seq 0, length 64
17:13:52.132848 IP lax28s15-in-f3.1e100.net > 100.86.203.169: ICMP echo reply, id 34628, seq 0, length 64
17:13:52.237290 IP **172.16.9.59.63478** > lax31s14-in-f14.1e100.net.443: UDP, length 1350
17:13:52.366892 IP 100.86.203.169.hostmon > 224.0.0.252.hostmon: UDP, length 27
17:13:52.416431 IP **172.16.9.68.45839** > lax17s14-in-f14.1e100.net.https: Flags [F.], seq 1838160668, ack 751548505, win 373, options [nop,nop,TS val 31214649 ecr 2926508259], length 0
17:13:52.419421 IP **172.16.9.68.45840** > lax17s14-in-f14.1e100.net.https: Flags [F.], seq 3938547017, ack 4273274368, win 373, options [nop,nop,TS
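A quick way to pull the untranslated packets out of a capture like the one above, as an added example that is not part of the original question: it parses tcpdump's `IP src > dst:` lines and flags any outbound packet whose source is still inside 172.16.0.0/12. The sample lines are constructed from the ones shown, and the internal range is an assumption taken from the highlighted addresses.

```python
import ipaddress
import re

# Constructed sample, modelled on the tcpdump lines in the question (not the
# original capture): translated packets plus two that escaped SNAT.
SAMPLE_CAPTURE = """\
17:13:52.043389 IP 100.86.203.169 > lax28s15-in-f3.1e100.net: ICMP echo request, id 34628, seq 0, length 64
17:13:52.132848 IP lax28s15-in-f3.1e100.net > 100.86.203.169: ICMP echo reply, id 34628, seq 0, length 64
17:13:52.237290 IP 172.16.9.59.63478 > lax31s14-in-f14.1e100.net.443: UDP, length 1350
17:13:52.366892 IP 100.86.203.169.hostmon > 224.0.0.252.hostmon: UDP, length 27
17:13:52.416431 IP 172.16.9.68.45839 > lax17s14-in-f14.1e100.net.https: Flags [F.], seq 1838160668, ack 751548505, win 373, length 0
"""

# Address space that must never appear as a source on the WAN side (assumed).
INTERNAL_NETS = [ipaddress.ip_network("172.16.0.0/12")]

# tcpdump prints "IP <src>[.<port>] > <dst>[.<port>]:"; the source host may be
# a dotted quad followed by an optional port/service token.
_LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): ")

def source_address(src_field):
    """Strip the trailing port/service from a tcpdump host.port field."""
    parts = src_field.split(".")
    # A dotted quad with a port has 5 tokens; without a port it has 4.
    if len(parts) == 5 and all(p.isdigit() for p in parts[:4]):
        return ".".join(parts[:4])
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        return src_field
    return None  # hostname (or IPv6) rather than a dotted quad

def untranslated_packets(capture_text):
    """Return (timestamp, src_ip, dst) for packets whose source is internal."""
    leaks = []
    for line in capture_text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        src = source_address(m.group("src"))
        if src is None:
            continue
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in INTERNAL_NETS):
            leaks.append((m.group("ts"), src, m.group("dst")))
    return leaks

if __name__ == "__main__":
    for ts, src, dst in untranslated_packets(SAMPLE_CAPTURE):
        print(f"{ts} untranslated source {src} -> {dst}")
```

Feeding it a full `tcpdump -ni wwan0 -l` capture gives the timestamps of every leak, which can then be lined up against the 10 to 15 minute interval and the conntrack state at that moment.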