TCP handshake fails when ICMP redirect is enabled

So it seems that, because of ICMP redirect, I cannot connect to a server behind the VPN connection. It immediately responds with a TCP RST (ssh_exchange_identification: read: Connection reset by peer).

I'm not entirely sure how this happens, but here are my tcpdumps:

With ICMP redirect enabled:

    08:28:31.457633 IP 10.21.0.100.55581 > 10.23.0.252.ssh: Flags [S], seq 4178119826, win 65535, options [mss 1368,nop,wscale 5,nop,nop,TS val 1170489744 ecr 0,sackOK,eol], length 0
    08:28:31.457664 IP 10.23.0.252.ssh > 10.21.0.100.55581: Flags [S.], seq 2261371426, ack 4178119827, win 28960, options [mss 1460,sackOK,TS val 170122525 ecr 1170489744,nop,wscale 7], length 0
    08:28:31.457781 IP 10.23.0.254 > 10.23.0.252: ICMP redirect 10.21.0.100 to host 10.23.0.253, length 68
    08:28:31.522974 IP 10.21.0.100.55581 > 10.23.0.252.ssh: Flags [.], ack 1, win 4110, options [nop,nop,TS val 1170489811 ecr 170122525], length 0
    08:28:31.522997 IP 10.23.0.252.ssh > 10.21.0.100.55581: Flags [R], seq 2261371427, win 0, length 0
    08:28:31.523018 IP 10.23.0.254 > 10.23.0.252: ICMP redirect 10.21.0.100 to host 10.23.0.253, length 48
    08:28:31.523063 IP 10.21.0.100.55581 > 10.23.0.252.ssh: Flags [P.], seq 1:131, ack 1, win 4110, options [nop,nop,TS val 1170489811 ecr 170122525], length 130
    08:28:31.523071 IP 10.23.0.252.ssh > 10.21.0.100.55581: Flags [R], seq 2261371427, win 0, length 0

With ICMP redirect disabled:

    08:30:18.447818 IP 10.21.0.100.55586 > 10.23.0.252.ssh: Flags [S], seq 2605722136, win 65535, options [mss 1368,nop,wscale 5,nop,nop,TS val 1170596110 ecr 0,sackOK,eol], length 0
    08:30:18.447845 IP 10.23.0.252.ssh > 10.21.0.100.55586: Flags [S.], seq 1627107751, ack 2605722137, win 28960, options [mss 1460,sackOK,TS val 170229515 ecr 1170596110,nop,wscale 7], length 0
    08:30:18.513281 IP 10.21.0.100.55586 > 10.23.0.252.ssh: Flags [.], ack 1, win 4110, options [nop,nop,TS val 1170596173 ecr 170229515], length 0
    08:30:18.513350 IP 10.21.0.100.55586 > 10.23.0.252.ssh: Flags [P.], seq 1:131, ack 1, win 4110, options [nop,nop,TS val 1170596173 ecr 170229515], length 130
    08:30:18.513362 IP 10.23.0.252.ssh > 10.21.0.100.55586: Flags [.], ack 131, win 235, options [nop,nop,TS val 170229580 ecr 1170596173], length 0
    08:30:18.517656 IP 10.23.0.252.ssh > 10.21.0.100.55586: Flags [P.], seq 1:24, ack 131, win 235, options [nop,nop,TS val 170229585 ecr 1170596173], length 23
    08:30:18.517754 IP 10.23.0.252.ssh > 10.21.0.100.55586: Flags [R.], seq 24, ack 131, win 235, options [nop,nop,TS val 170229585 ecr 1170596173], length 0
    08:30:18.580153 IP 10.21.0.100.55586 > 10.23.0.252.ssh: Flags [.], ack 24, win 4109, options [nop,nop,TS val 1170596240 ecr 170229585], length 0
    08:30:18.580174 IP 10.23.0.252.ssh > 10.21.0.100.55586: Flags [R], seq 1627107775, win 0, length 0

The network looks like this:

    10.23.0.252 (Target ) ---|--- 10.23.0.254 (Gateway) ---|--- Internet -- | 10.23.0.253 (VPN Host) ---|
                             |                              |                                          |
    10.21.0.100 (Source ) ---|--- 10.21.0.254 (Gateway) ---|--- Internet -- | 10.21.0.253 (VPN Host) ---|

The gateway has the route:

    10.21.0.0/24 via 10.23.0.253

Target kernel:

    Linux pl-unifi 4.4.1-1.el7.elrepo.x86_64 #1 SMP Sun Jan 31 16:49:23 EST 2016 x86_64 x86_64 x86_64 GNU/Linux

Basically, I want hosts on the internal network to send their requests directly to the VPN server, but I can't deploy those routes to every host. I believe ICMP redirect is the right approach for that.

Does anyone have an idea why this happens?
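As an added diagnostic (not part of the question), the following Python script parses tcpdump lines like the ones above and reports every flow in which a host sends a TCP RST to a peer after the gateway has sent that host an ICMP redirect for the same peer. The sample lines are condensed from the two captures in the question (TCP options trimmed); the regexes and the `find_redirect_resets` helper are assumptions of this example, not anything from the question.

```python
import re

# Constructed sample: the "redirect enabled" capture from the question, with
# TCP options trimmed (only the flags matter here); both RST lines are kept.
REDIRECT_ENABLED = """\
08:28:31.457633 IP 10.21.0.100.55581 > 10.23.0.252.ssh: Flags [S], seq 4178119826, win 65535, length 0
08:28:31.457664 IP 10.23.0.252.ssh > 10.21.0.100.55581: Flags [S.], seq 2261371426, ack 4178119827, win 28960, length 0
08:28:31.457781 IP 10.23.0.254 > 10.23.0.252: ICMP redirect 10.21.0.100 to host 10.23.0.253, length 68
08:28:31.522974 IP 10.21.0.100.55581 > 10.23.0.252.ssh: Flags [.], ack 1, win 4110, length 0
08:28:31.522997 IP 10.23.0.252.ssh > 10.21.0.100.55581: Flags [R], seq 2261371427, win 0, length 0
08:28:31.523071 IP 10.23.0.252.ssh > 10.21.0.100.55581: Flags [R], seq 2261371427, win 0, length 0
"""
# Constructed sample: the "redirect disabled" capture, same trimming.
REDIRECT_DISABLED = """\
08:30:18.447818 IP 10.21.0.100.55586 > 10.23.0.252.ssh: Flags [S], seq 2605722136, win 65535, length 0
08:30:18.447845 IP 10.23.0.252.ssh > 10.21.0.100.55586: Flags [S.], seq 1627107751, ack 2605722137, win 28960, length 0
08:30:18.513281 IP 10.21.0.100.55586 > 10.23.0.252.ssh: Flags [.], ack 1, win 4110, length 0
08:30:18.580174 IP 10.23.0.252.ssh > 10.21.0.100.55586: Flags [R], seq 1627107775, win 0, length 0
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
ICMP_RE = re.compile(rf"^(?P<ts>\S+) IP (?P<gw>{IPV4}) > (?P<host>{IPV4}): "
                     rf"ICMP redirect (?P<peer>{IPV4}) to host (?P<newgw>{IPV4})")
TCP_RE = re.compile(rf"^(?P<ts>\S+) IP (?P<src>{IPV4})\.(?P<sport>\w+) > "
                    rf"(?P<dst>{IPV4})\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]*)\]")

def parse_capture(text):
    """Yield ("icmp", fields) or ("tcp", fields) for each recognised tcpdump line."""
    for line in text.splitlines():
        m = ICMP_RE.match(line) or TCP_RE.match(line)
        if m:
            yield ("icmp" if "newgw" in m.groupdict() else "tcp"), m.groupdict()

def find_redirect_resets(text):
    """One finding per flow where a host sent a TCP RST to a peer after the gateway
    had redirected that host (ICMP redirect) to another router for that peer.
    RSTs with no preceding redirect for the pair are not reported."""
    redirects = {}  # (redirected host, peer) -> (timestamp, new gateway)
    findings, seen = [], set()
    for kind, f in parse_capture(text):
        if kind == "icmp":
            redirects.setdefault((f["host"], f["peer"]), (f["ts"], f["newgw"]))
            continue
        key = (f["src"], f["dst"])
        flow = f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']}"
        if "R" in f["flags"] and key in redirects and flow not in seen:
            seen.add(flow)  # report each flow once even if several RSTs follow
            findings.append({"flow": flow, "redirect_at": redirects[key][0],
                             "rst_at": f["ts"], "new_gateway": redirects[key][1]})
    return findings
```

Feeding it the full captures (`tcpdump -n` output) instead of the condensed samples works the same way, since only the timestamp, addresses and flags are parsed; it flags the correlation for investigation, not a proven cause.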