代理服务仅在某些IP地址上响应(其他IP地址只响应SYN_RECV)
我有一个使用代理服务(WAF等)的服务器,它将数据包转发给我的服务器。
我可以看到来自所有代理netstat -an的已建立的SSL连接,其余的都停留在SYN_RECV中:
tcp 0 0 192.168.102.11:443 185.93.230.20:64966 SYN_RECV
tcp 0 0 192.168.102.11:443 192.88.135.20:8306 SYN_RECV
tcp 0 0 192.168.102.11:443 66.248.202.20:10750 SYN_RECV
tcp 0 0 192.168.102.11:443 185.93.230.20:2213 SYN_RECV
tcp 0 0 192.168.102.11:443 66.248.202.20:7494 SYN_RECV
tcp 0 0 192.168.102.11:443 185.93.231.20:32752 ESTABLISHED
tcp 0 0 192.168.102.11:443 185.93.231.20:31910 ESTABLISHED我可以看到交通命中tcpdump port 443 and '(tcp-syn|tcp-ack)!=0' -nn:
对于185.93.231.20.2139
20:36:35.263777 IP 192.168.102.11.443 > 185.93.231.20.2139: Flags [FP.], seq 203642186:203642217, ack 1968471817, win 258, options [nop,nop,TS val 32827456 ecr 876705214], length 31
20:36:36.901357 IP 192.168.102.11.443 > 185.93.231.20.2137: Flags [P.], seq 418165034:418165065, ack 2875697257, win 258, options [nop,nop,TS val 32829093 ecr 876704135], length 31对于185.93.230.20
20:36:49.098560 IP 185.93.230.20.20721 > 192.168.102.11.443: Flags [S], seq 2855805773, win 29200, options [mss 1460,sackOK,TS val 882921029 ecr 0,nop,wscale 9], length 0
20:36:49.098638 IP 192.168.102.11.443 > 185.93.230.20.20721: Flags [S.], seq 268496949, ack 2855805774, win 28960, options [mss 1460,sackOK,TS val 32841290 ecr 882921029,nop,wscale 7], length 0对于66.248.202.20:
20:37:02.042048 IP 66.248.202.20.49557 > 192.168.102.11.443: Flags [S], seq 3837436386, win 29200, options [mss 1460,sackOK,TS val 791596242 ecr 0,nop,wscale 9], length 0
20:37:02.042116 IP 192.168.102.11.443 > 66.248.202.20.49557: Flags [S.], seq 2339555392, ack 3837436387, win 28960, options [mss 1460,sackOK,TS val 32854234 ecr 791596242,nop,wscale 7], length 0对于192.88.135.20:
20:36:39.595087 IP 185.93.228.20.23354 > 192.168.102.11.443: Flags [S], seq 1334433323, win 29200, options [mss 1460,sackOK,TS val 274977072 ecr 0,nop,wscale 9], length 0
20:36:39.595120 IP 192.168.102.11.443 > 185.93.228.20.23354: Flags [S.], seq 1203016390, ack 1334433324, win 28960, options [mss 1460,sackOK,TS val 32831787 ecr 274970056,nop,wscale 7], length 但是只有来自185.93.231.20的流量才会被登录到domlog中:
185.93.231.20 - - [22/May/2020:19:55:37 +0400] "GET /blog/video-gallery/ HTTP/1.1" 200 12716 "https://www.example.com/blog/publications/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0" 747893
185.93.231.20 - - [22/May/2020:19:55:39 +0400] "GET /wp-content/uploads/2020/02/Thumbnail72.jpg HTTP/1.1" 200 181941 "https://www.example.com/blog/video-gallery/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0" 1283052
185.93.231.20 - - [22/May/2020:19:55:39 +0400] "GET /wp-content/uploads/2020/02/Thumbnail68.jpg HTTP/1.1" 200 180934 "https://www.example.com/blog/video-gallery/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0" 952373知道下一步该检查什么吗?我已经禁用了所有防火墙规则,并确保NAT在WAN和主机之间正确工作(入站和出站)-没有发生配置更改,这只是停止工作。
回答 1
Server Fault用户
发布于 2020-05-23 13:38:14
这是一个不对称的路由问题,因为数据包可以到达服务器,但是网络无法返回它们(因为路由失败)。
netstat,部分连接卡在SYN_RECV和tcpdump中,并返回其标志:
- 从远程服务器到我们的
[S]入站以SYN建立连接 [S.]回复我们到远程服务器以SYN+ACK建立连接请求
从远程服务器发出的以下SYN请求在服务器上标识了这一点:
20:36:49.098560 IP 185.93.230.20.20721 > 192.168.102.11.443: Flags [S], seq 2855805773, win 29200, options [mss 1460,sackOK,TS val 882921029 ecr 0,nop,wscale 9], length 0使插座处于半开状态:
tcp 0 0 192.168.102.11:443 185.93.230.20:64966 SYN_RECV然后我们响应(注意S.的标志,意思是SYN+ACK):
20:36:49.098638 IP 192.168.102.11.443 > 185.93.230.20.20721: Flags [S.], seq 268496949, ack 2855805774, win 28960, options [mss 1460,sackOK,TS val 32841290 ecr 882921029,nop,wscale 7], length 0但是这永远不会到达远程服务器,因此它也不会以更多的数据包进行响应,这些数据包将完成握手并将套接字设置为ESTABLISHED。
这已由ISP和相关计数器方解决,以解决路由问题。
这也可能意味着防火墙丢弃数据包或错误配置NAT规则,这些都被排除在与ISP接触之前。
https://serverfault.com/questions/1018268
复制相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号