主机不为透明代理发送ACK-SYN数据包
主机不为透明代理发送ACK-SYN数据包
提问于 2014-04-03 11:53:12
我正在使用haproxy设置一个透明的代理,安装不需要‘Source0.0.0.0 usesrc客户端’行。当我添加该行时,端点将从原始客户端的ip地址调用,tcpdump显示数据包到达目标主机,但它们似乎没有被处理或响应,最终请求超时。
Broken Tcp Dump Log (Taken from target backend server):
13:36:33.782686 IP 10.3.0.92.56177 > 192.168.0.5.80: Flags [S], seq 2733860398, win 14600, options [mss 1460,sackOK,TS val 2090146 ecr 0,nop,wscale 5], length 0
13:36:34.808390 IP 10.3.0.92.56177 > 192.168.0.5.80: Flags [S], seq 2733860398, win 14600, options [mss 1460,sackOK,TS val 2091146 ecr 0,nop,wscale 5], length 0
13:36:35.600765 IP 10.3.0.92.56185 > 192.168.0.5.80: Flags [S], seq 1518413688, win 14600, options [mss 1460,sackOK,TS val 2091930 ecr 0,nop,wscale 5], length 0
13:36:36.623120 IP 10.3.0.92.56185 > 192.168.0.5.80: Flags [S], seq 1518413688, win 14600, options [mss 1460,sackOK,TS val 2092930 ecr 0,nop,wscale 5], length 0
13:36:36.840211 IP 10.3.0.92.56177 > 192.168.0.5.80: Flags [S], seq 2733860398, win 14600, options [mss 1460,sackOK,TS val 2093146 ecr 0,nop,wscale 5], length 0
13:36:38.665777 IP 10.3.0.92.56185 > 192.168.0.5.80: Flags [S], seq 1518413688, win 14600, options [mss 1460,sackOK,TS val 2094930 ecr 0,nop,wscale 5], length 0
13:36:39.603892 IP 10.3.0.92.56185 > 192.168.0.5.80: Flags [S], seq 1580967374, win 14600, options [mss 1460,sackOK,TS val 2095842 ecr 0,nop,wscale 5], length 0
13:36:40.653243 IP 10.3.0.92.56185 > 192.168.0.5.80: Flags [S], seq 1580967374, win 14600, options [mss 1460,sackOK,TS val 2096842 ecr 0,nop,wscale 5], length 0
13:36:42.742138 IP 10.3.0.92.56185 > 192.168.0.5.80: Flags [S], seq 1580967374, win 14600, options [mss 1460,sackOK,TS val 2098842 ecr 0,nop,wscale 5], length 0
13:36:43.606977 IP 10.3.0.92.56185 > 192.168.0.5.80: Flags [S], seq 1643514971, win 14600, options [mss 1460,sackOK,TS val 2099693 ecr 0,nop,wscale 5], length 0
13:36:44.624129 IP 10.3.0.92.56185 > 192.168.0.5.80: Flags [S], seq 1643514971, win 14600, options [mss 1460,sackOK,TS val 2100693 ecr 0,nop,wscale 5], length 0
13:36:46.653801 IP 10.3.0.92.56185 > 192.168.0.5.80: Flags [S], seq 1643514971, win 14600, options [mss 1460,sackOK,TS val 2102693 ecr 0,nop,wscale 5], length 0
13:36:47.610193 IP 10.3.0.92.56185 > 192.168.0.5.80: Flags [S], seq 1706062128, win 14600, options [mss 1460,sackOK,TS val 2103607 ecr 0,nop,wscale 5], length 0
13:36:48.630226 IP 10.3.0.92.56185 > 192.168.0.5.80: Flags [S], seq 1706062128, win 14600, options [mss 1460,sackOK,TS val 2104607 ecr 0,nop,wscale 5], length 0
13:36:50.665869 IP 10.3.0.92.56185 > 192.168.0.5.80: Flags [S], seq 1706062128, win 14600, options [mss 1460,sackOK,TS val 2106607 ecr 0,nop,wscale 5], length 0
Working Tcp Dump log (Taken from target backend server):
13:37:34.519616 IP 192.168.0.1.55694 > 192.168.0.5.80: Flags [S], seq 926283285, win 14600, options [mss 1460,sackOK,TS val 2149599 ecr 0,nop,wscale 5], length 0
13:37:34.520083 IP 192.168.0.5.80 > 192.168.0.1.55694: Flags [S.], seq 3779931433, ack 926283286, win 14480, options [mss 1460,sackOK,TS val 2354335 ecr 2149599,nop,wscale 6], length 0
13:37:34.520931 IP 192.168.0.1.55694 > 192.168.0.5.80: Flags [.], ack 1, win 457, options [nop,nop,TS val 2149600 ecr 2354335], length 0
13:37:34.520973 IP 192.168.0.1.55694 > 192.168.0.5.80: Flags [P.], seq 1:365, ack 1, win 457, options [nop,nop,TS val 2149600 ecr 2354335], length 364
13:37:34.520985 IP 192.168.0.5.80 > 192.168.0.1.55694: Flags [.], ack 365, win 243, options [nop,nop,TS val 2354336 ecr 2149600], length 0
13:37:34.521188 IP 192.168.0.5.80 > 192.168.0.1.55694: Flags [P.], seq 1:238, ack 365, win 243, options [nop,nop,TS val 2354336 ecr 2149600], length 237
13:37:34.521718 IP 192.168.0.1.55694 > 192.168.0.5.80: Flags [.], ack 238, win 490, options [nop,nop,TS val 2149601 ecr 2354336], length 0
13:37:34.521735 IP 192.168.0.5.80 > 192.168.0.1.55694: Flags [P.], seq 238:850, ack 365, win 243, options [nop,nop,TS val 2354336 ecr 2149601], length 612
13:37:34.522295 IP 192.168.0.1.55694 > 192.168.0.5.80: Flags [.], ack 850, win 528, options [nop,nop,TS val 2149601 ecr 2354336], length 0对于为什么目标系统似乎没有看到这些数据包,有什么想法吗?我已经阻止了目标主机上的iptables。
更新:
如果我将后端服务器的网关设置为haproxy,那么服务器将响应SYN (显然,因为它现在知道在哪里发送响应)。但是现在haproxy主机返回“主机10.3.0.92不可访问-管理被禁止,长度68”,应该将后端主机的网关设置为haproxy主机吗?
15:31:13.862481 IP 10.3.0.92.63460 > 192.168.0.5.80: Flags [S], seq 2693662872, win 14600, options [mss 1460,sackOK,TS val 6178395 ecr 0,nop,wscale 5], length 0
15:31:13.862548 IP 192.168.0.5.80 > 10.3.0.92.63460: Flags [S.], seq 2196759473, ack 2693662873, win 14480, options [mss 1460,sackOK,TS val 9094716 ecr 6178395,nop,wscale 6], length 0
15:31:13.863366 IP 192.168.0.1 > 192.168.0.5: ICMP host 10.3.0.92 unreachable - admin prohibited, length 68
15:31:14.882199 IP 10.3.0.92.63460 > 192.168.0.5.80: Flags [S], seq 2693662872, win 14600, options [mss 1460,sackOK,TS val 6179395 ecr 0,nop,wscale 5], length 0
15:31:14.882238 IP 192.168.0.5.80 > 10.3.0.92.63460: Flags [S.], seq 2212692439, ack 2693662873, win 14480, options [mss 1460,sackOK,TS val 9095715 ecr 6179395,nop,wscale 6], length 0
15:31:14.882479 IP 192.168.0.1 > 192.168.0.5: ICMP host 10.3.0.92 unreachable - admin prohibited, length 68
...回答 1
Server Fault用户
发布于 2014-04-04 06:21:51
我相信我已经找到了解决方案,作为一个开发人员而不是sys管理员,这需要一些时间来解决,但最终,我认为问题在于,对于透明代理的工作,代理也需要成为目标主机的默认网关。
这条路:
- 代理进行欺骗调用,模拟原始客户端。
- 目标主机响应被欺骗的呼叫,但是由于目标主机不在呼叫者的IP范围内,所以它的响应会转到它的默认网关
- 作为网络的默认网关的机器设置需要充当网关(显然)--也就是说,接受所有传入的通信量,而不管它的目的地是哪里,并将其转发到它的目的地。
因此,在我的例子中,我似乎只需要实现步骤3,因为代理主机现在抱怨不知道如何处理目标主机响应的since。
当我有时间验证所有这些时,我会发布一个更新。
页面原文内容由Server Fault提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://serverfault.com/questions/586394
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号