Question edit history

3

Added a check of the PREROUTING configuration

2022/11/17 06:33

Posted by

hkcomori

Score 30

test CHANGED
@@ -154,3 +154,56 @@
154
154
  Connection from localhost 44270 received!
155
155
  hello world
156
156
  ```
157
+
158
+ ### PREROUTING設定の確認
159
+
160
+ `telnet localhost 25`の前後で`iptables -L -v`のpkts増分を確認したところ、ポート25がINPUT ChainのNum1で処理されていないようだったので、PREROUTINGの設定を確認した。
161
+
162
+ ```sh
163
+ $ sudo iptables -t nat -nvL
164
+ Chain PREROUTING (policy ACCEPT 283K packets, 27M bytes)
165
+ pkts bytes target prot opt in out source destination
166
+ 24439 1222K CNI-HOSTPORT-DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
167
+ 24439 1222K DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
168
+
169
+ Chain INPUT (policy ACCEPT 10280 packets, 505K bytes)
170
+ pkts bytes target prot opt in out source destination
171
+
172
+ Chain OUTPUT (policy ACCEPT 746 packets, 52216 bytes)
173
+ pkts bytes target prot opt in out source destination
174
+ 64 3840 CNI-HOSTPORT-DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
175
+ 0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
176
+
177
+ Chain POSTROUTING (policy ACCEPT 746 packets, 52216 bytes)
178
+ pkts bytes target prot opt in out source destination
179
+ 0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
180
+ 746 52216 CNI-HOSTPORT-MASQ all -- * * 0.0.0.0/0 0.0.0.0/0 /* CNI portfwd requiring masquerade */
181
+ 0 0 CNI-56badc2626661f6c6c96897a all -- * * 10.88.0.32 0.0.0.0/0 /* name: "podman" id: "922cb983d42b740ec0b00c16003735844855af5d5c0beabf589008f1944dccc1" */
182
+
183
+ Chain CNI-56badc2626661f6c6c96897a (1 references)
184
+ pkts bytes target prot opt in out source destination
185
+ 0 0 ACCEPT all -- * * 0.0.0.0/0 10.88.0.0/16 /* name: "podman" id: "922cb983d42b740ec0b00c16003735844855af5d5c0beabf589008f1944dccc1" */
186
+ 0 0 MASQUERADE all -- * * 0.0.0.0/0 !224.0.0.0/4 /* name: "podman" id: "922cb983d42b740ec0b00c16003735844855af5d5c0beabf589008f1944dccc1" */
187
+
188
+ Chain CNI-DN-56badc2626661f6c6c968 (1 references)
189
+ pkts bytes target prot opt in out source destination
190
+ 0 0 CNI-HOSTPORT-SETMARK tcp -- * * 10.88.0.0/16 127.0.0.1 tcp dpt:25
191
+ 48 2880 CNI-HOSTPORT-SETMARK tcp -- * * 127.0.0.1 127.0.0.1 tcp dpt:25
192
+ 48 2880 DNAT tcp -- * * 0.0.0.0/0 127.0.0.1 tcp dpt:25 to:10.88.0.32:25
193
+
194
+ Chain CNI-HOSTPORT-DNAT (2 references)
195
+ pkts bytes target prot opt in out source destination
196
+ 76 4120 CNI-DN-56badc2626661f6c6c968 tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* dnat name: "podman" id: "922cb983d42b740ec0b00c16003735844855af5d5c0beabf589008f1944dccc1" */ multiport dports 25
197
+
198
+ Chain CNI-HOSTPORT-MASQ (1 references)
199
+ pkts bytes target prot opt in out source destination
200
+ 0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x2000/0x2000
201
+
202
+ Chain CNI-HOSTPORT-SETMARK (2 references)
203
+ pkts bytes target prot opt in out source destination
204
+ 48 2880 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 /* CNI portfwd masquerade mark */ MARK or 0x2000
205
+
206
+ Chain DOCKER (2 references)
207
+ pkts bytes target prot opt in out source destination
208
+ 0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
209
+ ```
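Review bot: the heading and lead sentence on lines 158-160 attribute the behaviour to PREROUTING, but for a connection that `telnet localhost 25` originates on the host itself the nat hook that runs is OUTPUT, and the listing shows that chain also jumps to CNI-HOSTPORT-DNAT (64 packets, line 174). The decisive line is 192: `48 2880 DNAT tcp -- * * 0.0.0.0/0 127.0.0.1 tcp dpt:25 to:10.88.0.32:25` rewrites every packet addressed to 127.0.0.1:25 to the podman container at 10.88.0.32:25 before the filter table's INPUT chain is consulted, which is why the port-25 rule there counted nothing and why the nc listener bound to *:25 on the host is never reached. Consider stating that conclusion explicitly and identifying which podman container published port 25 (the id in the rule comments can be matched with `podman ps` / `podman port`), since the timeout then depends on whether anything inside that container listens on 25, not on the host firewall.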

2

Added the results of the nft (nftables) investigation

2022/11/17 02:06

Posted by

hkcomori

Score 30

test CHANGED
@@ -57,6 +57,16 @@
57
57
  num pkts bytes target prot opt in out source destination
58
58
  1 42 2041 LOG all -- any any anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix "DROP:"
59
59
  2 42 2041 DROP all -- any any anywhere anywhere
60
+ ```
61
+
62
+ ### iptablesに現れないnft (nftables) の設定が無いかを確認
63
+
64
+ nft (nftables) はインストールされていないことを確認。
65
+
66
+ ```sh
67
+ $ nft list ruleset
68
+ Command 'nft' not found, but can be installed with:
69
+ sudo apt install nftables
60
70
  ```
61
71
 
62
72
  ### ポート25は接続がタイムアウトする
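Review bot: the conclusion on line 64 that no nftables configuration exists does not follow from line 68; `Command 'nft' not found` only shows that the nft userspace tool is absent, while iptables itself may be the iptables-nft variant that stores its rules in nftables, and rules loaded into nftables by other software would be invisible here. Suggest adding `iptables -V` (it reports `(nf_tables)` or `(legacy)`) and, if the backend is nf_tables, installing nftables and re-running `nft list ruleset` before stating the negative.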

1

Changed the telnet destination to localhost

2022/11/16 02:43

Posted by

hkcomori

Score 30

test CHANGED
@@ -80,14 +80,14 @@
80
80
  ```sh
81
81
  $ sudo lsof -i:25 -P
82
82
  COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
83
- nc 12123 root 3u IPv4 139707 0t0 TCP *:25 (LISTEN)
83
+ nc 12979 root 3u IPv4 149326 0t0 TCP *:25 (LISTEN)
84
84
  ```
85
85
 
86
86
  待ち受けたポートに接続するが、接続できず。
87
87
 
88
88
  ```sh
89
- $ telnet 0.0.0.0 25
89
+ $ telnet localhost 25
90
- Trying 0.0.0.0...
90
+ Trying 127.0.0.1...
91
91
  telnet: Unable to connect to remote host: Connection timed out
92
92
  ```
93
93
 
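Review bot: the change from `telnet 0.0.0.0 25` to `telnet localhost 25` (lines 89-90) is a useful clarification, since `Trying 127.0.0.1...` now makes explicit that the IPv4 loopback address is the target and that it matches the IPv4 listener lsof shows on line 83 (`TCP *:25 (LISTEN)`). To remove the remaining name-resolution ambiguity (`localhost` can resolve to `::1` first on some systems), consider writing the address literally as `telnet 127.0.0.1 25`, and note in the text that the timeout persists even though a process is bound to the port, which already rules out "nothing listening" as the cause.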
@@ -120,15 +120,15 @@
120
120
  ```sh
121
121
  $ sudo lsof -i:26 -P
122
122
  COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
123
- nc 12130 root 3u IPv4 139773 0t0 TCP *:26 (LISTEN)
123
+ nc 13020 root 3u IPv4 147320 0t0 TCP *:26 (LISTEN)
124
124
  ```
125
125
 
126
126
  待ち受けたポートに接続接続できたので、適当な入力(hello world)を送った後に切断。
127
127
 
128
128
  ```sh
129
- $ telnet 0.0.0.0 26
129
+ $ telnet localhost 26
130
- Trying 0.0.0.0...
130
+ Trying 127.0.0.1...
131
- Connected to 0.0.0.0.
131
+ Connected to localhost.
132
132
  Escape character is '^]'.
133
133
  hello world
134
134
  ^]
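Review bot: context line 126 contains a duplicated word, `接続接続できたので`; it should read `待ち受けたポートに接続できたので`. Otherwise applying the same 0.0.0.0 to localhost rewrite as for port 25 (lines 129-131) keeps the two experiments comparable, which is what makes the port-26 success a useful control: the same client, the same loopback path and the same nc listener work when only the port number differs.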
@@ -141,6 +141,6 @@
141
141
  ```sh
142
142
  $ sudo nc -v -l -p 26
143
143
  Listening on [0.0.0.0] (family 0, port 26)
144
- Connection from localhost 44264 received!
144
+ Connection from localhost 44270 received!
145
145
  hello world
146
146
  ```
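Review bot: only the ephemeral source port changed (44264 to 44270, line 144) to match the re-run. For completeness of the write-up, the port-25 listener's terminal output would be worth capturing in the same way: showing that `nc -l -p 25` never prints a `Connection from ...` line is the direct, server-side evidence that the connection never reaches the host socket, complementing the client-side telnet timeout.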