Question edit history
3
Added a check of the PREROUTING configuration
test
CHANGED
File without changes
|
test
CHANGED
@@ -154,3 +154,56 @@
|
|
154
154
|
Connection from localhost 44270 received!
|
155
155
|
hello world
|
156
156
|
```
|
157
|
+
|
158
|
+
### PREROUTING設定の確認
|
159
|
+
|
160
|
+
`telnet localhost 25`の前後で`iptables -L -v`のpkts増分を確認したところ、ポート25がINPUT ChainのNum1で処理されていないようだったので、PREROUTINGの設定を確認した。
|
161
|
+
|
162
|
+
```sh
|
163
|
+
$ sudo iptables -t nat -nvL
|
164
|
+
Chain PREROUTING (policy ACCEPT 283K packets, 27M bytes)
|
165
|
+
pkts bytes target prot opt in out source destination
|
166
|
+
24439 1222K CNI-HOSTPORT-DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
|
167
|
+
24439 1222K DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
|
168
|
+
|
169
|
+
Chain INPUT (policy ACCEPT 10280 packets, 505K bytes)
|
170
|
+
pkts bytes target prot opt in out source destination
|
171
|
+
|
172
|
+
Chain OUTPUT (policy ACCEPT 746 packets, 52216 bytes)
|
173
|
+
pkts bytes target prot opt in out source destination
|
174
|
+
64 3840 CNI-HOSTPORT-DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
|
175
|
+
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
|
176
|
+
|
177
|
+
Chain POSTROUTING (policy ACCEPT 746 packets, 52216 bytes)
|
178
|
+
pkts bytes target prot opt in out source destination
|
179
|
+
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
|
180
|
+
746 52216 CNI-HOSTPORT-MASQ all -- * * 0.0.0.0/0 0.0.0.0/0 /* CNI portfwd requiring masquerade */
|
181
|
+
0 0 CNI-56badc2626661f6c6c96897a all -- * * 10.88.0.32 0.0.0.0/0 /* name: "podman" id: "922cb983d42b740ec0b00c16003735844855af5d5c0beabf589008f1944dccc1" */
|
182
|
+
|
183
|
+
Chain CNI-56badc2626661f6c6c96897a (1 references)
|
184
|
+
pkts bytes target prot opt in out source destination
|
185
|
+
0 0 ACCEPT all -- * * 0.0.0.0/0 10.88.0.0/16 /* name: "podman" id: "922cb983d42b740ec0b00c16003735844855af5d5c0beabf589008f1944dccc1" */
|
186
|
+
0 0 MASQUERADE all -- * * 0.0.0.0/0 !224.0.0.0/4 /* name: "podman" id: "922cb983d42b740ec0b00c16003735844855af5d5c0beabf589008f1944dccc1" */
|
187
|
+
|
188
|
+
Chain CNI-DN-56badc2626661f6c6c968 (1 references)
|
189
|
+
pkts bytes target prot opt in out source destination
|
190
|
+
0 0 CNI-HOSTPORT-SETMARK tcp -- * * 10.88.0.0/16 127.0.0.1 tcp dpt:25
|
191
|
+
48 2880 CNI-HOSTPORT-SETMARK tcp -- * * 127.0.0.1 127.0.0.1 tcp dpt:25
|
192
|
+
48 2880 DNAT tcp -- * * 0.0.0.0/0 127.0.0.1 tcp dpt:25 to:10.88.0.32:25
|
193
|
+
|
194
|
+
Chain CNI-HOSTPORT-DNAT (2 references)
|
195
|
+
pkts bytes target prot opt in out source destination
|
196
|
+
76 4120 CNI-DN-56badc2626661f6c6c968 tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* dnat name: "podman" id: "922cb983d42b740ec0b00c16003735844855af5d5c0beabf589008f1944dccc1" */ multiport dports 25
|
197
|
+
|
198
|
+
Chain CNI-HOSTPORT-MASQ (1 references)
|
199
|
+
pkts bytes target prot opt in out source destination
|
200
|
+
0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x2000/0x2000
|
201
|
+
|
202
|
+
Chain CNI-HOSTPORT-SETMARK (2 references)
|
203
|
+
pkts bytes target prot opt in out source destination
|
204
|
+
48 2880 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 /* CNI portfwd masquerade mark */ MARK or 0x2000
|
205
|
+
|
206
|
+
Chain DOCKER (2 references)
|
207
|
+
pkts bytes target prot opt in out source destination
|
208
|
+
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
|
209
|
+
```
|
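Review bot: the added nat-table dump already contains the reason port 25 never reaches the filter INPUT rule, and the sentence at body line 160 draws the wrong conclusion from it: PREROUTING is not the chain that matters for `telnet localhost 25`. A connection generated on the host itself does not traverse PREROUTING at all; it enters the nat OUTPUT chain, which in this dump also jumps to CNI-HOSTPORT-DNAT (64 pkts), and from there `CNI-DN-56badc2626661f6c6c968` matches `tcp -- 127.0.0.1 127.0.0.1 tcp dpt:25` and applies `DNAT ... to:10.88.0.32:25` (48 pkts, 2880 bytes). The SYN is rewritten toward the podman container network before any routing to the local socket happens, so it never hits INPUT and the `nc` listener on `*:25` never sees it; the timeout means nothing at 10.88.0.32:25 answers. The non-zero counters on that DNAT rule are the evidence the question should lead with. Suggest adding the output of `sudo podman ps -a --format '{{.ID}} {{.Names}} {{.Ports}}'` and identifying which container (the rule comments give the CNI network name "podman" and the container id) published host port 25; if that container is no longer running, the rules are stale leftovers of a CNI hostport mapping and explain the symptom just as well.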
2
Added the results of investigating nft (nftables)
test
CHANGED
File without changes
|
test
CHANGED
@@ -57,6 +57,16 @@
|
|
57
57
|
num pkts bytes target prot opt in out source destination
|
58
58
|
1 42 2041 LOG all -- any any anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix "DROP:"
|
59
59
|
2 42 2041 DROP all -- any any anywhere anywhere
|
60
|
+
```
|
61
|
+
|
62
|
+
### iptablesに現れないnft (nftables) の設定が無いかを確認
|
63
|
+
|
64
|
+
nft (nftables) はインストールされていないことを確認。
|
65
|
+
|
66
|
+
```sh
|
67
|
+
$ nft list ruleset
|
68
|
+
Command 'nft' not found, but can be installed with:
|
69
|
+
sudo apt install nftables
|
60
70
|
```
|
61
71
|
|
62
72
|
### ポート25は接続がタイムアウトする
|
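Review bot: `nft` not being installed does not establish that there are no nftables rules the `iptables -L` output misses; on current distributions `iptables` itself is frequently the nf_tables-backed variant, and rules created by the other variant (legacy vs. nft) are invisible to each other's `-L`. Suggest adding `iptables -V` (it reports `(nf_tables)` or `(legacy)`) and, where the legacy binary exists, `sudo iptables-legacy -nvL` as well. The `LOG ... prefix "DROP:"` rule in this hunk also gives a cheap way to confirm whether the filter DROP is what swallows port 25: check `journalctl -k` or `dmesg` for `DROP:` lines carrying `DPT=25` around a `telnet localhost 25` attempt (the rule is rate-limited to 1/sec, so one attempt is enough); if none appear, the packets are being diverted before INPUT rather than dropped there.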
1
Changed the telnet destination to localhost
test
CHANGED
File without changes
|
test
CHANGED
@@ -80,14 +80,14 @@
|
|
80
80
|
```sh
|
81
81
|
$ sudo lsof -i:25 -P
|
82
82
|
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
|
83
|
-
nc 12
|
83
|
+
nc 12979 root 3u IPv4 149326 0t0 TCP *:25 (LISTEN)
|
84
84
|
```
|
85
85
|
|
86
86
|
待ち受けたポートに接続するが、接続できず。
|
87
87
|
|
88
88
|
```sh
|
89
|
-
$ telnet
|
89
|
+
$ telnet localhost 25
|
90
|
-
Trying
|
90
|
+
Trying 127.0.0.1...
|
91
91
|
telnet: Unable to connect to remote host: Connection timed out
|
92
92
|
```
|
93
93
|
|
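Review bot: the failure mode shown in this hunk deserves an explicit sentence in the question, because it narrows the cause: `telnet: Unable to connect to remote host: Connection timed out` means the SYN to 127.0.0.1:25 received no reply at all. Had the packet reached the host's TCP stack with no listener, the result would be `Connection refused` (an RST), and the same hunk shows `nc` listening on `*:25` (PID 12979), so the SYN is being dropped or diverted before it reaches that socket. Suggest keeping `sudo nc -v -l -p 25` running in a second terminal during the attempt, as is done for port 26 later in this revision, so the question can state that no `Connection from ...` line ever appears for port 25.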
@@ -120,15 +120,15 @@
|
|
120
120
|
```sh
|
121
121
|
$ sudo lsof -i:26 -P
|
122
122
|
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
|
123
|
-
nc 1
|
123
|
+
nc 13020 root 3u IPv4 147320 0t0 TCP *:26 (LISTEN)
|
124
124
|
```
|
125
125
|
|
126
126
|
待ち受けたポートに接続接続できたので、適当な入力(hello world)を送った後に切断。
|
127
127
|
|
128
128
|
```sh
|
129
|
-
$ telnet
|
129
|
+
$ telnet localhost 26
|
130
|
-
Trying
|
130
|
+
Trying 127.0.0.1...
|
131
|
-
Connected to
|
131
|
+
Connected to localhost.
|
132
132
|
Escape character is '^]'.
|
133
133
|
hello world
|
134
134
|
^]
|
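Review bot: body line 126 in this hunk reads `待ち受けたポートに接続接続できたので`, which duplicates 接続; it should be `待ち受けたポートに接続できたので`.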
@@ -141,6 +141,6 @@
|
|
141
141
|
```sh
|
142
142
|
$ sudo nc -v -l -p 26
|
143
143
|
Listening on [0.0.0.0] (family 0, port 26)
|
144
|
-
Connection from localhost 442
|
144
|
+
Connection from localhost 44270 received!
|
145
145
|
hello world
|
146
146
|
```
|
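Review bot: this port-26 control run is the key comparison in the question and should be called out as such right after the block: the listener (`nc -v -l -p`, run as root, bound to `*:PORT`) and the client command are identical to the port-25 case and differ only in the port number, so the listener and the client are ruled out and the difference must lie in how the host treats port 25 specifically, i.e. a firewall rule or a port mapping. Stating that conclusion here would make the question easier to answer.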