我有一个服务器,它有一个在本地主机上侦听的服务。由于某种原因,我不能/不想让它在 0.0.0.0 上监听。
我设置了 DNAT nftable 规则,使用此处找到的解决方案将流量从外部重定向到在本地主机上侦听的此服务:https://serverfault.com/questions/1021798/how-to-redirect-requests-on-port- 80-to-localhost3000-using-nftables
但是,我希望能够从服务器内部访问此服务,但我不能。归根结底,数据包来自网络时会经过 nat/prerouting 挂钩,但当数据包来自服务器本身时,它会直接进入过滤器/输入。
这是我正在使用的跟踪 nft 脚本:
table inet trace
delete table inet trace
table inet trace {
chain input {
type filter hook input priority filter;
tcp dport 80 meta nftrace set 1;
}
chain prerouting {
type nat hook prerouting priority -100;
tcp dport 80 meta nftrace set 1;
}
}
运行
nft monitor tracecurl 192.168.5.19trace id 4a31a955 inet trace input packet: iif "lo" @ll,0,112 0x800 ip saddr 192.168.5.19 ip daddr 192.168.5.19 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 27513 ip protocol tcp ip length 60 tcp sport 56176 tcp dport 80 tcp flags == syn tcp window 65495
trace id 4a31a955 inet trace input rule tcp dport 80 meta nftrace set 1 (verdict continue)
trace id 4a31a955 inet trace input verdict continue meta mark 0xffffffff
trace id 4a31a955 inet trace input policy accept meta mark 0xffffffff
我们只看到输入钩子的跟踪。现在,当我从 LAN 内的其他地方获取相同的地址时,我得到:
trace id 7502298e inet trace prerouting packet: iif "eth0" ether saddr f0:d5:bf:11:c2:59 ether daddr d8:3a:dd:77:26:e1 ip saddr 192.168.5.186 ip daddr 192.168.5.19 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 53081 ip protocol tcp ip length 60 tcp sport 41730 tcp dport 80 tcp flags == syn tcp window 32120
trace id 7502298e inet trace prerouting rule tcp dport 80 meta nftrace set 1 (verdict continue)
trace id 7502298e inet trace prerouting verdict continue
trace id 7502298e inet trace prerouting policy accept
trace id 7502298e inet socket_redirect prerouting packet: iif "eth0" ether saddr f0:d5:bf:11:c2:59 ether daddr d8:3a:dd:77:26:e1 ip saddr 192.168.5.186 ip daddr 192.168.5.19 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 53081 ip protocol tcp ip length 60 tcp sport 41730 tcp dport 80 tcp flags == syn tcp window 32120
trace id 7502298e inet socket_redirect prerouting rule ip daddr != 127.0.0.0/8 tcp dport 80 counter packets 10 bytes 580 dnat ip to 127.0.0.5:80 (verdict accept)
trace id 7502298e inet socket_redirect input packet: iif "eth0" ether saddr f0:d5:bf:11:c2:59 ether daddr d8:3a:dd:77:26:e1 ip saddr 192.168.5.186 ip daddr 127.0.0.5 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 53081 ip protocol tcp ip length 60 tcp sport 41730 tcp dport 80 tcp flags == syn tcp window 32120
trace id 7502298e inet socket_redirect input rule ct status dnat (verdict continue)
trace id 7502298e inet socket_redirect input rule counter packets 23008 bytes 10085025 (verdict continue)
trace id 7502298e inet socket_redirect input rule meta mark set 0xffffffff (verdict continue)
trace id 7502298e inet socket_redirect input rule accept (verdict accept)
trace id 7502298e inet trace input packet: iif "eth0" ether saddr f0:d5:bf:11:c2:59 ether daddr d8:3a:dd:77:26:e1 ip saddr 192.168.5.186 ip daddr 127.0.0.5 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 53081 ip protocol tcp ip length 60 tcp sport 41730 tcp dport 80 tcp flags == syn tcp window 32120
trace id 7502298e inet trace input rule tcp dport 80 meta nftrace set 1 (verdict continue)
trace id 7502298e inet trace input verdict continue meta mark 0xffffffff
trace id 7502298e inet trace input policy accept meta mark 0xffffffff
trace id fbebd8f0 inet trace input packet: iif "eth0" ether saddr f0:d5:bf:11:c2:59 ether daddr d8:3a:dd:77:26:e1 ip saddr 192.168.5.186 ip daddr 127.0.0.5 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 53082 ip protocol tcp ip length 52 tcp sport 41730 tcp dport 80 tcp flags == ack tcp window 251
...
如何使来自服务器本身的数据包进入预路由钩子?
这可能是不可能的。
我只是查看了 docker 是如何做到这一点的,当数据包源自服务器时,我无法从 docker 端口转发中获得任何跟踪。然而,docker 有一个 docker-proxy 守护进程,它似乎可以做一些转发。也许这是针对这个具体情况的。
也许 podman 已经找到了解决方案。