UDP 数据包在内部接收但未在外部接收 - Ubuntu 18.04

Thanks in advance for looking at this... I am sure the solution is simple, I just do not know what it is.

Running nc -l -u 9090 AND nc -uv 82.165.109.4 9090 on the same server establishes a netcat-style "connection", and messages are received as expected.

A running docker application also receives the packets, so the internal environment appears to be set up correctly. Sending

echo -p "hello" >/dev/udp/82.165.109.4/9090

is seen by tcpdump and received by the application.

I am monitoring packet reception with:

tcpdump -i any udp -AXn port 9090

  • If I send a UDP packet from outside the box, it never reaches tcpdump.
  • I cannot ping the server from outside, but I can ping it from inside.
  • The port appears to be open and listening.
  • The ssh, http and https ports all work as expected.
netstat -ltu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:5984            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:9070            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN     
tcp        0      0 localhost:domain        0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:https           0.0.0.0:*               LISTEN     
tcp6       0      0 [::]:5984               [::]:*                  LISTEN     
tcp6       0      0 [::]:9070               [::]:*                  LISTEN     
tcp6       0      0 [::]:http               [::]:*                  LISTEN     
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
tcp6       0      0 [::]:https              [::]:*                  LISTEN     
udp        0      0 localhost:domain        0.0.0.0:*                          
udp        0      0 0.0.0.0:bootpc          0.0.0.0:*                          
udp        0      0 0.0.0.0:9090            0.0.0.0:*                          
udp6       0      0 [::]:9090               [::]:*   


Everything I have read points to the iptables firewall, so I disabled ufw.

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (2 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             172.18.0.3           udp dpt:9090
ACCEPT     tcp  --  anywhere             172.18.0.6           tcp dpt:9080
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:https
ACCEPT     tcp  --  anywhere             172.18.0.5           tcp dpt:5984
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:http

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere   


The NAT setup is as follows:

iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 235 packets, 28704 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  163  9840 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 205 packets, 26904 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 72 packets, 5351 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    2   121 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 108 packets, 7416 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    4   240 MASQUERADE  all  --  *      !br-a371a521a463  172.18.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  udp  --  *      *       172.18.0.3           172.18.0.3           udp dpt:9090
    0     0 MASQUERADE  tcp  --  *      *       172.18.0.6           172.18.0.6           tcp dpt:9080
    0     0 MASQUERADE  tcp  --  *      *       172.18.0.2           172.18.0.2           tcp dpt:443
    0     0 MASQUERADE  tcp  --  *      *       172.18.0.5           172.18.0.5           tcp dpt:5984
    0     0 MASQUERADE  tcp  --  *      *       172.18.0.2           172.18.0.2           tcp dpt:80

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   120 RETURN     all  --  br-a371a521a463 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0           
    1    37 DNAT       udp  --  !br-a371a521a463 *       0.0.0.0/0            0.0.0.0/0            udp dpt:9090 to:172.18.0.3:9090
    0     0 DNAT       tcp  --  !br-a371a521a463 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9070 to:172.18.0.6:9080
    4   220 DNAT       tcp  --  !br-a371a521a463 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.18.0.2:443
    0     0 DNAT       tcp  --  !br-a371a521a463 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5984 to:172.18.0.5:5984
    5   248 DNAT       tcp  --  !br-a371a521a463 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.18.0.2:80

With UFW enabled, the status is:

ufw status verbose
Status: active
Logging: on (high)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere                  
80/tcp                     ALLOW IN    Anywhere                  
443/tcp                    ALLOW IN    Anywhere                  
993                        ALLOW IN    Anywhere                  
995                        ALLOW IN    Anywhere                  
9090/udp                   ALLOW IN    Anywhere                  
520/udp                    ALLOW IN    Anywhere                  
22/tcp (v6)                ALLOW IN    Anywhere (v6)             
80/tcp (v6)                ALLOW IN    Anywhere (v6)             
443/tcp (v6)               ALLOW IN    Anywhere (v6)             
993 (v6)                   ALLOW IN    Anywhere (v6)             
995 (v6)                   ALLOW IN    Anywhere (v6)             
9090/udp (v6)              ALLOW IN    Anywhere (v6)             
520/udp (v6)               ALLOW IN    Anywhere (v6)             

9090/udp                   ALLOW FWD   Anywhere                  
9090/udp (v6)              ALLOW FWD   Anywhere (v6)            


I have tried a lot of things, but the more important ones were:

  • Flushing iptables has no effect.
  • Monitoring the UDP send from the external box via tcpdump (it is logged).
  • Monitoring all ports with verbose logging (no change).
  • Turning on ip_forwarding:
sysctl -p
net.ipv4.ip_forward = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1


Other notes:

  • Using a "cloud" server, so it is a virtual machine.
  • I cannot find any ufw logs in /etc/ufw/
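A diagnostic that fits the counters shown in the question, added here as an example and not part of the original post: parse two snapshots of the nat DOCKER chain (one before and one after a single probe is sent from outside), read the packet delta on the DNAT rule for udp dpt:9090, and combine it with whether tcpdump on the external interface saw the probe to decide which side of the host to look at next. The snapshot text is constructed from the shape of the `iptables -t nat -L DOCKER -v -n` output above; the chain name and interface names are the ones printed there.

```python
import re

# Constructed samples modelled on the question's `iptables -t nat -L DOCKER -v -n` output:
# a snapshot before and one after sending exactly one UDP probe to port 9090 from outside.
BEFORE = """Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    1    37 DNAT       udp  --  !br-a371a521a463 *       0.0.0.0/0            0.0.0.0/0            udp dpt:9090 to:172.18.0.3:9090
    5   248 DNAT       tcp  --  !br-a371a521a463 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.18.0.2:80
"""
AFTER = BEFORE.replace("    1    37 DNAT       udp", "    2    74 DNAT       udp")

# Counter line: pkts, bytes, target, proto ... and somewhere later "dpt:<port>".
RULE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s.*\bdpt:(\d+)")


def parse_counters(text):
    """Map (target, proto, dport) -> (pkts, bytes) for every port-specific rule in the chain."""
    counters = {}
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            pkts, nbytes, target, proto, dport = m.groups()
            counters[(target, proto, int(dport))] = (int(pkts), int(nbytes))
    return counters


def packet_delta(before, after, key):
    """Packets matched by one rule between the two snapshots (0 if the rule is absent)."""
    return after.get(key, (0, 0))[0] - before.get(key, (0, 0))[0]


def locate_drop(dnat_delta, seen_by_tcpdump):
    """Narrow down where the probe was lost.

    seen_by_tcpdump: whether `tcpdump -i <external-iface> udp port 9090` saw the probe
    arrive at the NIC (tcpdump taps the packet before netfilter sees it).
    """
    if not seen_by_tcpdump:
        # Never reached the host's NIC: the drop is upstream (provider firewall / security group).
        return "upstream"
    if dnat_delta > 0:
        # The host DNAT'd it: look at the FORWARD/DOCKER chains and the container itself.
        return "after-dnat"
    # On the host but the DNAT rule did not fire: a raw/mangle PREROUTING drop, a rule
    # mismatch, or an existing conntrack entry (the nat table only sees a flow's first packet;
    # reuse a fresh source port, or flush conntrack, before trusting a zero delta).
    return "before-dnat"
```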