編集履歴

質問編集履歴

PREROUTING設定の確認を追加

2022/11/17 06:33

投稿

hkcomori

スコア30

test CHANGED Viewed

File without changes

test CHANGED Viewed

@@ -154,3 +154,56 @@
 Connection from localhost 44270 received!
 hello world
 ```
+### PREROUTING設定の確認
+`telnet localhost 25`の前後で`iptables -L -v`のpkts増分を確認したところ、ポート25がINPUT ChainのNum1で処理されていないようだったので、PREROUTINGの設定を確認した。
+```sh
+$ sudo iptables -t nat -nvL
+Chain PREROUTING (policy ACCEPT 283K packets, 27M bytes)
+ pkts bytes target     prot opt in     out     source               destination
+24439 1222K CNI-HOSTPORT-DNAT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
+24439 1222K DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
+Chain INPUT (policy ACCEPT 10280 packets, 505K bytes)
+ pkts bytes target     prot opt in     out     source               destination
+Chain OUTPUT (policy ACCEPT 746 packets, 52216 bytes)
+ pkts bytes target     prot opt in     out     source               destination
+   64  3840 CNI-HOSTPORT-DNAT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
+    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
+Chain POSTROUTING (policy ACCEPT 746 packets, 52216 bytes)
+ pkts bytes target     prot opt in     out     source               destination
+    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
+  746 52216 CNI-HOSTPORT-MASQ  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* CNI portfwd requiring masquerade */
+    0     0 CNI-56badc2626661f6c6c96897a  all  --  *      *       10.88.0.32           0.0.0.0/0            /* name: "podman" id: "922cb983d42b740ec0b00c16003735844855af5d5c0beabf589008f1944dccc1" */
+Chain CNI-56badc2626661f6c6c96897a (1 references)
+ pkts bytes target     prot opt in     out     source               destination
+    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            10.88.0.0/16         /* name: "podman" id: "922cb983d42b740ec0b00c16003735844855af5d5c0beabf589008f1944dccc1" */
+    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0           !224.0.0.0/4          /* name: "podman" id: "922cb983d42b740ec0b00c16003735844855af5d5c0beabf589008f1944dccc1" */
+Chain CNI-DN-56badc2626661f6c6c968 (1 references)
+ pkts bytes target     prot opt in     out     source               destination
+    0     0 CNI-HOSTPORT-SETMARK  tcp  --  *      *       10.88.0.0/16         127.0.0.1            tcp dpt:25
+   48  2880 CNI-HOSTPORT-SETMARK  tcp  --  *      *       127.0.0.1            127.0.0.1            tcp dpt:25
+   48  2880 DNAT       tcp  --  *      *       0.0.0.0/0            127.0.0.1            tcp dpt:25 to:10.88.0.32:25
+Chain CNI-HOSTPORT-DNAT (2 references)
+ pkts bytes target     prot opt in     out     source               destination
+   76  4120 CNI-DN-56badc2626661f6c6c968  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dnat name: "podman" id: "922cb983d42b740ec0b00c16003735844855af5d5c0beabf589008f1944dccc1" */ multiport dports 25
+Chain CNI-HOSTPORT-MASQ (1 references)
+ pkts bytes target     prot opt in     out     source               destination
+    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2000/0x2000
+Chain CNI-HOSTPORT-SETMARK (2 references)
+ pkts bytes target     prot opt in     out     source               destination
+   48  2880 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* CNI portfwd masquerade mark */ MARK or 0x2000
+Chain DOCKER (2 references)
+ pkts bytes target     prot opt in     out     source               destination
+    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
+```

Podman Linux Ubuntu Postfix

nft (nftables) の調査結果を追加

2022/11/17 02:06

投稿

hkcomori

スコア30

test CHANGED Viewed

File without changes

test CHANGED Viewed

@@ -57,6 +57,16 @@
 num   pkts bytes target     prot opt in     out     source               destination
 1       42  2041 LOG        all  --  any    any     anywhere             anywhere             limit: avg 1/sec burst 5 LOG level warning prefix "DROP:"
 2       42  2041 DROP       all  --  any    any     anywhere             anywhere
+```
+### iptablesに現れないnft (nftables) の設定が無いかを確認
+nft (nftables) はインストールされていないことを確認。
+```sh
+$ nft list ruleset
+Command 'nft' not found, but can be installed with:
+sudo apt install nftables
 ```
 ### ポート25は接続がタイムアウトする

Podman Linux Ubuntu Postfix

telnetの宛先をlocalhostに変更

2022/11/16 02:43

投稿

hkcomori

スコア30

test CHANGED Viewed

File without changes

test CHANGED Viewed

@@ -80,14 +80,14 @@
 ```sh
 $ sudo lsof -i:25 -P
 COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
-nc      12123 root    3u  IPv4 139707      0t0  TCP *:25 (LISTEN)
+nc      12979 root    3u  IPv4 149326      0t0  TCP *:25 (LISTEN)
 ```
 待ち受けたポートに接続するが、接続できず。
 ```sh
-$ telnet 0.0.0.0 25
+$ telnet localhost 25
-Trying 0.0.0.0...
+Trying 127.0.0.1...
 telnet: Unable to connect to remote host: Connection timed out
 ```
@@ -120,15 +120,15 @@
 ```sh
 $ sudo lsof -i:26 -P
 COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
-nc      12130 root    3u  IPv4 139773      0t0  TCP *:26 (LISTEN)
+nc      13020 root    3u  IPv4 147320      0t0  TCP *:26 (LISTEN)
 ```
 待ち受けたポートに接続接続できたので、適当な入力（hello world）を送った後に切断。
 ```sh
-$ telnet 0.0.0.0 26
+$ telnet localhost 26
-Trying 0.0.0.0...
+Trying 127.0.0.1...
-Connected to 0.0.0.0.
+Connected to localhost.
 Escape character is '^]'.
 hello world
 ^]
@@ -141,6 +141,6 @@
 ```sh
 $ sudo nc -v -l -p 26
 Listening on [0.0.0.0] (family 0, port 26)
-Connection from localhost 44264 received!
+Connection from localhost 44270 received!
 hello world
 ```

Podman Linux Ubuntu Postfix