I have a Linux router (Debian 6.x) and I forward some ports to internal services. Some TCP ports (such as 80, 22, ...) work fine.
I have an application listening on port 54277/udp. There is no reply from this application; I only receive data on this port.
Router:

    cat /proc/sys/net/ipv4/conf/all/rp_filter = 1
    cat /proc/sys/net/ipv4/conf/eth0/forwarding = 1
    cat /proc/sys/net/ipv4/conf/ppp0/forwarding = 1
    $IPTABLES -t nat -I PREROUTING -p udp -i ppp0 --dport 54277 -j DNAT --to-destination $SRV_IP:54277
    $IPTABLES -I FORWARD -p udp -d $SRV_IP --dport 54277 -j ACCEPT
Also, MASQUERADING of internal traffic out of ppp0 (internet) is active and working.
The default policy for INPUT & OUTPUT & FORWARD is DROP.
The strange thing is that when I do this:

    tcpdump -p -vvvv -i ppp0 port 54277

I get a lot of traffic:
    18:35:43.646133 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 57) source.ip > own.external.ip..54277: [udp sum ok] UDP, length 29
    18:35:43.652301 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 57) source.ip > own.external.ip..54277: [udp sum ok] UDP, length 29
    18:35:43.653324 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 57) source.ip > own.external.ip..54277: [udp sum ok] UDP, length 29
    18:35:43.655795 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 57) source.ip > own.external.ip..54277: [udp sum ok] UDP, length 29
    18:35:43.656727 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 57) source.ip > own.external.ip..54277: [udp sum ok] UDP, length 29
    18:35:43.659719 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 57) source.ip > own.external.ip..54277: [udp sum ok] UDP, length 29
With

    tcpdump -p -i eth0 port 54277

(on the same machine, the router) I get much less traffic.
Also on the destination $SRV_IP only a few packets come in, but not all of them.
Internal server:
    19:15:30.039663 IP source.ip.52394 > 192.168.215.4.54277: UDP, length 16
    19:15:30.276112 IP source.ip.52394 > 192.168.215.4.54277: UDP, length 16
    19:15:30.726048 IP source.ip.52394 > 192.168.215.4.54277: UDP, length 16
So some UDP packets are being "ignored/dropped"?
Any ideas what might be wrong?

EDIT:
This is strange: the FORWARD rule has packets, but the PREROUTING rule has 0 packets...
    iptables -nvL -t filter | grep 54277
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
      168  8401 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.215.4        state NEW,RELATED,ESTABLISHED udp dpt:54277

    iptables -nvL -t nat | grep 54277
    Chain PREROUTING (policy ACCEPT 405 packets, 24360 bytes)
        0     0 DNAT       udp  --  ppp0   *       0.0.0.0/0            my.external.ip       udp dpt:54277 state NEW,RELATED,ESTABLISHED to:192.168.215.4
EDIT2:
    Chain PREROUTING (policy ACCEPT 102K packets, 6148K bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DNAT       udp  --  ppp0   *       0.0.0.0/0            external.ip          udp dpt:54277 state NEW,RELATED,ESTABLISHED to:192.168.215.4
     1191 71460 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 to:192.168.215.4
     3119  187K DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.215.3
     +some other tcp forward rules

    Chain POSTROUTING (policy ACCEPT 4626 packets, 294K bytes)
     pkts bytes target     prot opt in     out     source               destination
     2343  145K MASQUERADE all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 1529 packets, 111K bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
     574K   33M PSAD_BLOCK_INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    4511K  257M ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:54277
      559 30745 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:17784
        0     0 DROP       all  --  *      *       192.168.215.30       0.0.0.0/0
       16  3355 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:43 dpts:1024:65535 state RELATED,ESTABLISHED
        0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:45000
        1    40 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            match-set netdrop src
        0     0 LOG        all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            match-set netdrop src LOG flags 0 level 4 prefix `IPSET'
      403 35523 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        0     0 DROP       all  --  ppp0   *       10.0.0.0/8           0.0.0.0/0
        0     0 DROP       all  --  ppp0   *       172.16.0.0/16        0.0.0.0/0
        0     0 DROP       all  --  ppp0   *       192.168.0.0/24       0.0.0.0/0
        0     0 DROP       all  --  ppp0   *       224.0.0.0/4          0.0.0.0/0
        0     0 DROP       all  --  ppp0   *       240.0.0.0/5          0.0.0.0/0
        0     0 LOG        tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 state NEW limit: avg 5/min burst 7 LOG flags 0 level 4 prefix `Drop-Syn'
        0     0 DROP       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 state NEW
        0     0 LOG        all  -f  ppp0   *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 7 LOG flags 0 level 4 prefix `Fragments-Packets'
        0     0 DROP       all  -f  ppp0   *       0.0.0.0/0            0.0.0.0/0
        0     0 DROP       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x29
        0     0 DROP       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
        0     0 LOG        tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00 limit: avg 5/min burst 7 LOG flags 0 level 4 prefix `NULL-Packets'
        0     0 DROP       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
        2    96 DROP       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x06
        0     0 LOG        tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03 limit: avg 5/min burst 7 LOG flags 0 level 4 prefix `XMAS-Packets'
        0     0 DROP       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03
        0     0 LOG        tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x11/0x01 limit: avg 5/min burst 7 LOG flags 0 level 4 prefix `Fin-Packets-Scan'
        0     0 DROP       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x11/0x01
        0     0 DROP       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x37
        0     0 LOG        all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            match-set ipdrop src LOG flags 0 level 4 prefix `IPSET:'
        0     0 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            match-set ipdrop src
        0     0 ACCEPT     icmp --  ppp0   *       0.0.0.0/0            0.0.0.0/0            icmp type 0 state RELATED,ESTABLISHED
     1445  121K ACCEPT     icmp --  eth0   *       192.168.215.0/24     192.168.215.254      icmp type 8 state NEW,ESTABLISHED
        0     0 ACCEPT     tcp  --  eth0   *       192.168.215.0/24     192.168.215.254      tcp dpt:80 state NEW,ESTABLISHED
        0     0 ACCEPT     udp  --  eth0   *       192.168.215.0/24     192.168.215.254      udp dpt:161 state NEW,ESTABLISHED
     1479 94070 ACCEPT     tcp  --  eth0   *       192.168.215.0/24     192.168.215.254      tcp dpt:22 state NEW,ESTABLISHED
     2220  265K ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 state RELATED,ESTABLISHED
        0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:443 state RELATED,ESTABLISHED
        0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:25 state RELATED,ESTABLISHED
        0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:43 state RELATED,ESTABLISHED
    21337 1229K ACCEPT     all  --  eth0   *       192.168.215.0/24     192.168.215.254
        0     0 DROP       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:17500
     1118 60931 DROP       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:3483
      818 78992 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:137:139
        1   343 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
       69  4968 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:427
        2   200 DROP       icmp --  ppp0   *       0.0.0.0/0            0.0.0.0/0            icmp type 3
        0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:4321 state RELATED,ESTABLISHED
    31820 1815K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix `DROP'
    31820 1815K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    38943 2546K PSAD_BLOCK_FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.215.3        tcp dpt:80
     2790  471K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.215.4        tcp spt:22
    89446 4359K ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.215.4        state NEW,RELATED,ESTABLISHED udp dpt:54277
     122K 7500K ACCEPT     all  --  eth0   ppp0    0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
     123K   11M ACCEPT     all  --  ppp0   eth0    0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
        0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:981 state NEW,RELATED,ESTABLISHED
        0     0 ACCEPT     udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:500 state NEW,RELATED,ESTABLISHED
        0     0 DROP       all  --  ppp0   ppp0    0.0.0.0/0            0.0.0.0/0
        3   120 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix `DROP'
        3   120 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
     7684  919K PSAD_BLOCK_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:54277
    33594 2855K ACCEPT     icmp --  *      ppp0    own.ext.ip           0.0.0.0/0            icmp type 3
      403 35523 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     icmp --  *      ppp0    0.0.0.0/0            0.0.0.0/0            icmp type 8 state NEW,ESTABLISHED
     1445  121K ACCEPT     icmp --  *      eth0    192.168.215.254      192.168.215.0/24     icmp type 0 state RELATED,ESTABLISHED
        0     0 ACCEPT     tcp  --  *      eth0    192.168.215.254      192.168.215.0/24     tcp spt:80 state RELATED,ESTABLISHED
        0     0 ACCEPT     udp  --  *      eth0    192.168.215.254      192.168.215.0/24     udp spt:161 state RELATED,ESTABLISHED
     1904  789K ACCEPT     tcp  --  *      eth0    192.168.215.254      192.168.215.0/24     tcp spt:22 state RELATED,ESTABLISHED
     2780  174K ACCEPT     tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW,ESTABLISHED
        0     0 ACCEPT     tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW,ESTABLISHED
        0     0 ACCEPT     tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0            tcp dpt:25 state NEW,ESTABLISHED
       16   896 ACCEPT     tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0            tcp dpt:43 state NEW,ESTABLISHED
    53234   13M ACCEPT     all  --  *      eth0    192.168.215.254      192.168.215.0/24
        0     0 ACCEPT     tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0            tcp dpt:4321 state NEW,ESTABLISHED
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix `DROP'
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain PSAD_BLOCK_FORWARD (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  *      *       0.0.0.0/0            121.30.234.78
        0     0 DROP       all  --  *      *       121.30.234.78        0.0.0.0/0
        0     0 DROP       all  --  *      *       0.0.0.0/0            118.70.170.83
        0     0 DROP       all  --  *      *       118.70.170.83        0.0.0.0/0

    Chain PSAD_BLOCK_INPUT (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  *      *       121.30.234.78        0.0.0.0/0
        0     0 DROP       all  --  *      *       118.70.170.83        0.0.0.0/0

    Chain PSAD_BLOCK_OUTPUT (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       all  --  *      *       0.0.0.0/0            121.30.234.78
        0     0 DROP       all  --  *      *       0.0.0.0/0            118.70.170.83
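As an added example (not code from the question or its answers), the check the two edits above perform by hand can be automated: walk the text of `iptables -nvL` for one or more tables, collect every rule whose match text names the destination port, and report each rule's packet counter, so a rule that never fires (the PREROUTING DNAT at 0) stands out next to the rule actually consuming the traffic (the INPUT ACCEPT at 4511K). The `SAMPLE` listing is a constructed excerpt modelled on the question's output; matching is on the `dpt:`/`dpts:` text only, and abbreviated counters are approximated (K = 1000, M = 10^6), so run `iptables -nvxL` when exact numbers matter.

```python
"""Added example: report which iptables rules match a destination port and how often they fired."""
import re

# Constructed excerpt modelled on the nat/filter listing in the question (single-spaced columns).
SAMPLE = """\
Chain PREROUTING (policy ACCEPT 102K packets, 6148K bytes)
 pkts bytes target prot opt in out source destination
 0 0 DNAT udp -- ppp0 * 0.0.0.0/0 external.ip udp dpt:54277 state NEW,RELATED,ESTABLISHED to:192.168.215.4
 1191 71460 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 to:192.168.215.4
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 574K 33M PSAD_BLOCK_INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
 4511K 257M ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:54277
 818 78992 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 89446 4359K ACCEPT udp -- * * 0.0.0.0/0 192.168.215.4 state NEW,RELATED,ESTABLISHED udp dpt:54277
"""
_SCALE = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}

def parse_count(tok):
    """iptables abbreviates large counters (4511K); approximate, run with -x for exact values."""
    m = re.fullmatch(r"(\d+)([KMG]?)", tok)
    if not m:
        raise ValueError("not a counter: %r" % tok)
    return int(m.group(1)) * _SCALE[m.group(2)]

def port_matches(match_text, port):
    """True if the match text names dpt:<port> or a dpts:a:b range that contains it."""
    m = re.search(r"\bdpt:(\d+)\b", match_text)
    if m:
        return int(m.group(1)) == port
    m = re.search(r"\bdpts:(\d+):(\d+)\b", match_text)
    return bool(m) and int(m.group(1)) <= port <= int(m.group(2))

def rules_for_port(listing, port):
    """(chain, target, proto, in_if, pkts, match_text) for every rule matching the port."""
    chain, hits = None, []
    for line in listing.splitlines():
        cols = line.split()
        if cols[:1] == ["Chain"]:
            chain = cols[1]
        elif len(cols) >= 9 and cols[0] != "pkts":   # skip blank lines and column headers
            # columns: pkts bytes target prot opt in out source destination [match text...]
            match_text = " ".join(cols[9:])
            if port_matches(match_text, port):
                hits.append((chain, cols[2], cols[3], cols[5], parse_count(cols[0]), match_text))
    return hits

def zero_hit_rules(listing, port):
    """Rules for the port whose counter is 0: the first place to look when a forward does nothing."""
    return [r for r in rules_for_port(listing, port) if r[4] == 0]

if __name__ == "__main__":
    for chain, target, proto, in_if, pkts, text in rules_for_port(SAMPLE, 54277):
        print("%-10s %-6s %-4s in=%-5s pkts=%-8d %s" % (chain, target, proto, in_if, pkts, text))
```

Against a live router, pipe `iptables -nvL -t nat; iptables -nvL -t filter` into `rules_for_port` and look at the zero-count rules first, then at which chain's counter is growing while the test traffic runs.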