Problem symptoms
As shown in the figure, the goal is to map the internal address 192.168.4.101 to 6.0.1.2, which is reachable from the outside. A client's request to 6.0.1.2 is routed to the forwarding server, which has iptables NAT configured, and the request is then forwarded to the internal server 192.168.4.101.
With iptables NAT forwarding configured on the forwarding server, the following is observed:
- The client can ping 6.0.1.2 normally;
- The client can access 6.0.1.2 over TCP normally;
- The client cannot reach 6.0.1.2 over UDP; a packet capture on the forwarding server shows that the internal server's reply is received but not forwarded;
- On the forwarding server, the NIC facing the internal server has MTU 1500 and the VPN NIC facing the client has MTU 1450. The UDP packets sent by the internal server are fairly long and reach the MTU.
Configuration
iptables nat table:
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT all -- anywhere 6.0.1.2 to:192.168.4.101
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
SNAT all -- 192.168.4.101 anywhere to:6.0.1.2
iptables filter table:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:telnet
ACCEPT icmp -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:telnet
Connection tracking table (cat /proc/net/nf_conntrack):
# cat /proc/net/nf_conntrack
ipv4 2 tcp 6 76 TIME_WAIT src=9.250.0.1 dst=6.0.1.2 sport=41153 dport=554 src=192.168.4.101 dst=192.168.4.100 sport=554 dport=41153 [ASSURED] use=2
ipv4 2 tcp 6 104 TIME_WAIT src=9.250.0.1 dst=6.0.1.2 sport=39487 dport=554 src=192.168.4.101 dst=192.168.4.100 sport=554 dport=39487 [ASSURED] use=2
ipv4 2 icmp 1 25 src=9.250.0.2 dst=9.250.0.1 type=8 code=0 id=10096 src=9.250.0.1 dst=9.250.0.2 type=0 code=0 id=10096 use=2
ipv4 2 udp 17 15 src=9.250.0.1 dst=6.0.1.2 sport=19057 dport=6971 [UNREPLIED] src=192.168.4.101 dst=192.168.4.100 sport=6971 dport=1822 use=2
ipv4 2 udp 17 12 src=192.168.4.101 dst=192.168.4.100 sport=6971 dport=19057 [UNREPLIED] src=192.168.4.100 dst=192.168.4.101 sport=19057 dport=6971 use=2
ipv4 2 udp 17 14 src=192.168.4.101 dst=192.168.4.100 sport=6970 dport=19056 [UNREPLIED] src=192.168.4.100 dst=192.168.4.101 sport=19056 dport=6970 use=2
ipv4 2 icmp 1 1 src=9.250.0.2 dst=9.250.0.1 type=8 code=0 id=112 src=9.250.0.1 dst=9.250.0.2 type=0 code=0 id=112 use=2
ipv4 2 udp 17 29 src=192.168.4.101 dst=192.168.4.100 sport=6972 dport=17588 [UNREPLIED] src=192.168.4.100 dst=192.168.4.101 sport=17588 dport=6972 use=2
ipv4 2 udp 17 16 src=9.250.0.1 dst=6.0.1.2 sport=19689 dport=6973 [UNREPLIED] src=192.168.4.101 dst=192.168.4.100 sport=6973 dport=1822 use=2
ipv4 2 tcp 6 431998 ESTABLISHED src=192.168.4.100 dst=192.168.10.235 sport=36382 dport=5998 src=192.168.10.235 dst=192.168.4.100 sport=5998 dport=36382 [ASSURED] use=2
ipv4 2 udp 17 28 src=192.168.4.101 dst=192.168.4.100 sport=6973 dport=17589 [UNREPLIED] src=192.168.4.100 dst=192.168.4.101 sport=17589 dport=6973 use=2
ipv4 2 tcp 6 74 TIME_WAIT src=9.250.0.1 dst=6.0.1.2 sport=41207 dport=554 src=192.168.4.101 dst=192.168.4.100 sport=554 dport=41207 [ASSURED] use=2
ipv4 2 tcp 6 74 TIME_WAIT src=9.250.0.1 dst=6.0.1.2 sport=33684 dport=80 src=192.168.4.101 dst=192.168.4.100 sport=80 dport=33684 [ASSURED] use=2
ipv4 2 udp 17 29 src=192.168.4.101 dst=192.168.4.100 sport=6970 dport=16636 [UNREPLIED] src=192.168.4.100 dst=192.168.4.101 sport=16636 dport=6970 use=2
ipv4 2 icmp 1 28 src=9.250.0.2 dst=9.250.0.1 type=8 code=0 id=10864 src=9.250.0.1 dst=9.250.0.2 type=0 code=0 id=10864 use=2
ipv4 2 udp 17 24 src=192.168.4.101 dst=192.168.4.100 sport=6971 dport=16637 [UNREPLIED] src=192.168.4.100 dst=192.168.4.101 sport=16637 dport=6971 use=2
ipv4 2 tcp 6 16 TIME_WAIT src=9.250.0.1 dst=6.0.1.2 sport=33648 dport=554 src=192.168.4.101 dst=192.168.4.100 sport=554 dport=33648 [ASSURED] use=2
ipv4 2 tcp 6 431986 ESTABLISHED src=9.250.0.1 dst=6.0.1.2 sport=45230 dport=554 src=192.168.4.101 dst=192.168.4.100 sport=554 dport=45230 [ASSURED] use=2
ipv4 2 icmp 1 16 src=9.250.0.2 dst=9.250.0.1 type=8 code=0 id=6000 src=9.250.0.1 dst=9.250.0.2 type=0 code=0 id=6000 use=2
ipv4 2 tcp 6 14 TIME_WAIT src=9.250.0.1 dst=6.0.1.2 sport=42186 dport=80 src=192.168.4.101 dst=192.168.4.100 sport=80 dport=42186 [ASSURED] use=2
ipv4 2 tcp 6 106 TIME_WAIT src=9.250.0.1 dst=6.0.1.2 sport=33744 dport=554 src=192.168.4.101 dst=192.168.4.100 sport=554 dport=33744 [ASSURED] use=2
ipv4 2 tcp 6 44 TIME_WAIT src=9.250.0.1 dst=6.0.1.2 sport=41183 dport=554 src=192.168.4.101 dst=192.168.4.100 sport=554 dport=41183 [ASSURED] use=2
ipv4 2 tcp 6 14 TIME_WAIT src=9.250.0.1 dst=6.0.1.2 sport=34968 dport=554 src=192.168.4.101 dst=192.168.4.100 sport=554 dport=34968 [ASSURED] use=2
ipv4 2 tcp 6 431985 ESTABLISHED src=9.250.0.1 dst=6.0.1.2 sport=35315 dport=554 src=192.168.4.101 dst=192.168.4.100 sport=554 dport=35315 [ASSURED] use=2
ipv4 2 tcp 6 300 ESTABLISHED src=192.168.2.10 dst=192.168.4.100 sport=59971 dport=15723 src=192.168.4.100 dst=192.168.2.10 sport=15723 dport=59971 [ASSURED] use=3
ipv4 2 udp 17 12 src=192.168.4.101 dst=192.168.4.100 sport=6973 dport=19689 [UNREPLIED] src=192.168.4.100 dst=192.168.4.101 sport=19689 dport=6973 use=2
ipv4 2 icmp 1 10 src=9.250.0.2 dst=9.250.0.1 type=8 code=0 id=3696 src=9.250.0.1 dst=9.250.0.2 type=0 code=0 id=3696 use=2
ipv4 2 udp 17 15 src=192.168.4.101 dst=192.168.4.100 sport=6972 dport=19688 [UNREPLIED] src=192.168.4.100 dst=192.168.4.101 sport=19688 dport=6972 use=2
ipv4 2 icmp 1 22 src=9.250.0.2 dst=9.250.0.1 type=8 code=0 id=8304 src=9.250.0.1 dst=9.250.0.2 type=0 code=0 id=8304 use=2
ipv4 2 tcp 6 46 TIME_WAIT src=9.250.0.1 dst=6.0.1.2 sport=42574 dport=554 src=192.168.4.101 dst=192.168.4.100 sport=554 dport=42574 [ASSURED] use=2
ipv4 2 icmp 1 4 src=9.250.0.2 dst=9.250.0.1 type=8 code=0 id=1136 src=9.250.0.1 dst=9.250.0.2 type=0 code=0 id=1136 use=2
ipv4 2 icmp 1 13 src=9.250.0.2 dst=9.250.0.1 type=8 code=0 id=4976 src=9.250.0.1 dst=9.250.0.2 type=0 code=0 id=4976 use=2
ipv4 2 icmp 1 19 src=9.250.0.2 dst=9.250.0.1 type=8 code=0 id=7536 src=9.250.0.1 dst=9.250.0.2 type=0 code=0 id=7536 use=2
ipv4 2 icmp 1 7 src=9.250.0.2 dst=9.250.0.1 type=8 code=0 id=2416 src=9.250.0.1 dst=9.250.0.2 type=0 code=0 id=2416 use=2
Could someone tell me what is wrong with the configuration, or how it should be configured?
Cause
The problem above has been resolved; thanks to both of you for your replies. The cause is added here. The problem is related to the NAT mapping: the reason TCP works while UDP does not is that the interaction flow differs between the TCP and UDP protocols.
With TCP, the interaction between the client and the internal server is:
- The client accesses the internal server at address 6.0.1.2 over TCP;
- The transport protocol is negotiated as TCP, and the same connection keeps being reused;
- The internal server sends data back over the original TCP connection;
- Because the transfer reuses the original TCP connection, the NAT entry exists and forwarding works normally;
With UDP, the interaction between the client and the internal server is as follows:
- The client accesses the internal server at address 6.0.1.2 over TCP;
- The transport protocol is negotiated as UDP, and a transport port is negotiated as well;
- The internal server sends to the forwarding server using the negotiated port;
- At this point, because the forwarding server has no translation entry for the newly negotiated port, the packet does not go through NAT at all; it is delivered to the forwarding server's own UDP layer, where no application is listening on that port, which triggers an ICMP destination port unreachable;
Hints of this can also be seen in the nf_conntrack output given earlier, for example in entries like this one:
ipv4 2 udp 17 24 src=192.168.4.101 dst=192.168.4.100 sport=6971 dport=16637 [UNREPLIED] src=192.168.4.100 dst=192.168.4.101 sport=16637 dport=6971 use=2
In summary, UDP behaves differently because no NAT entry exists: the NAT device allows hosts on the private network to actively send data to hosts on the public network, but forbids unsolicited transfers in the reverse direction; this situation requires NAT traversal (hole punching).
One solution is for the client to actively send a hole-punching packet, that is, to send a UDP packet using the negotiated port. If you want to learn more, look up P2P NAT traversal techniques; to avoid looking like advertising, no links are posted here.
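As an added diagnostic (written for this write-up, not part of the original thread) for the symptom described above: it parses nf_conntrack lines like the one quoted and reports UDP flows that the inside server itself opened toward the forwarder's inside address, which no translated client flow is waiting on, together with the port NAT was actually expecting. The addresses are the thread's; the sample lines are a constructed subset of the dump given earlier.

```python
import re
from collections import namedtuple

# Constructed subset of the forwarding server's nf_conntrack dump from the thread.
# 9.250.0.1 = client over the VPN, 6.0.1.2 = published address,
# 192.168.4.100 = forwarder's inside NIC, 192.168.4.101 = inside server.
SAMPLE = """\
ipv4 2 tcp 6 431986 ESTABLISHED src=9.250.0.1 dst=6.0.1.2 sport=45230 dport=554 src=192.168.4.101 dst=192.168.4.100 sport=554 dport=45230 [ASSURED] use=2
ipv4 2 udp 17 15 src=9.250.0.1 dst=6.0.1.2 sport=19057 dport=6971 [UNREPLIED] src=192.168.4.101 dst=192.168.4.100 sport=6971 dport=1822 use=2
ipv4 2 udp 17 12 src=192.168.4.101 dst=192.168.4.100 sport=6971 dport=19057 [UNREPLIED] src=192.168.4.100 dst=192.168.4.101 sport=19057 dport=6971 use=2
ipv4 2 udp 17 29 src=192.168.4.101 dst=192.168.4.100 sport=6970 dport=19056 [UNREPLIED] src=192.168.4.100 dst=192.168.4.101 sport=19056 dport=6970 use=2
"""

Tuple4 = namedtuple("Tuple4", "src dst sport dport")
Entry = namedtuple("Entry", "proto unreplied orig reply")
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack(text):
    """Parse tcp/udp lines into (original tuple, reply tuple) pairs; icmp lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[2] not in ("tcp", "udp"):
            continue
        tuples = [Tuple4(s, d, int(sp), int(dp)) for s, d, sp, dp in TUPLE_RE.findall(line)]
        if len(tuples) == 2:
            entries.append(Entry(fields[2], "[UNREPLIED]" in line, tuples[0], tuples[1]))
    return entries


def unmapped_udp(entries, inside_server, forwarder_inside):
    """UDP flows the inside server *initiated* toward the forwarder's own inside address.
    A reply to a translated client flow would match an existing entry's reply tuple instead,
    so these datagrams land in the forwarder's local UDP stack (ICMP port unreachable).
    Returns (server port, port the server sent to, ports NAT was actually waiting on)."""
    waiting = {e.reply for e in entries if e.proto == "udp" and e.reply.src == inside_server}
    findings = []
    for e in entries:
        if e.proto != "udp" or e.orig.src != inside_server or e.orig.dst != forwarder_inside:
            continue
        if e.orig in waiting:
            continue  # matches a translated flow; conntrack would have reversed the NAT
        expected = sorted(w.dport for w in waiting
                          if (w.src, w.dst, w.sport) == (e.orig.src, e.orig.dst, e.orig.sport))
        findings.append((e.orig.sport, e.orig.dport, expected))
    return findings


if __name__ == "__main__":
    for sport, used, expected in unmapped_udp(parse_conntrack(SAMPLE), "192.168.4.101", "192.168.4.100"):
        print(f"server port {sport} sent to port {used}; NAT was waiting on {expected or 'nothing'}")
```

On the sample, server port 6971 sends to 19057 while the only translated flow expects 1822, which is exactly the mismatch that makes the datagram a new, unrelated flow to the forwarder itself.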
I tried to reproduce this problem by setting up the network in virtual machines according to your description, but I could not reproduce it.
You could first remove
and try again, since this scenario should only need DNAT.