Как сделать правильный проброс портов через iptables в centos?

Question

mishka_abramov @mishka_abramov

Как сделать правильный проброс портов через iptables в centos?

Здравствуйте! Я пока только осваиваю centos и пытаюсь разобраться с простой на первый взгляд задачей.

Раньше на одном сервере был и АД и Хостинг и еще гора всякого. Было решено выделить новый сервер под хостинг и присвоить белый ip.
На втором сервере остался NOD 32 к которому по 2221 порту обращались для скачки обновлений.

Нужно сделать чтобы при запросе на 1.2.3.4:2221 перенаправлялся на 1.2.3.5:2221.

Что я пробовал:

-A PREROUTING -p tcp -d 1.2.3.4/32 --dport 2221 -j DNAT --to-destination 1.2.3.5:2221
-A FORWARD -d 1.2.3.5/32 -p tcp -m tcp --dport 2221 -j ACCEPT

Схема сети:

iptables

Generated by iptables-save v1.4.7 on Wed Feb 4 13:06:28 2015
nat
:PREROUTING ACCEPT [445:35874]
:POSTROUTING ACCEPT [201:12052]
:OUTPUT ACCEPT [201:12052]
-A PREROUTING -d 1.2.3.4/32 -p tcp -m tcp --dport 2221 -j DNAT --to-destination 1.2.3.5:2221
-A POSTROUTING -d 1.2.3.5:2221 -p tcp -m tcp --dport 2221 -j SNAT --to-source 1.2.3.4
iptables


COMMIT
# Completed on Wed Feb 4 13:06:28 2015
# Generated by iptables-save v1.4.7 on Wed Feb 4 13:06:28 2015
filter
:INPUT DROP [70:5549]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1859:1537954]
:fail2ban-MAIL - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-VESTA - [0:0]
:vesta - [0:0]
-A INPUT -p tcp -m multiport --dports 25,465,587,2525,110,995,143,993 -j fail2ban-MAIL
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -p tcp -m tcp --dport 8083 -j fail2ban-VESTA
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587,2525 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 110,995 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 143,993 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 3306,5432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8083 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 1.2.3.5/32 -j ACCEPT
-A INPUT -s 192.168.0.5/32 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -s 188.234.250.167/32 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 25 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
COMMIT

ifconfig

eth0 Link encap:Ethernet HWaddr 00:15:17:53:DB:90
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::215:17ff:fe53:db90/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:405335 errors:0 dropped:0 overruns:0 frame:0
TX packets:168104 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:40001441 (38.1 MiB) TX bytes:44595393 (42.5 MiB)
Interrupt:18 Memory:78820000-78840000

eth1 Link encap:Ethernet HWaddr 00:15:17:53:DB:91
inet addr:1.2.3.4 Bcast:1.2.3.255 Mask:255.255.255.0
inet6 addr: fe80::215:17ff:fe53:db91/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3022790 errors:0 dropped:0 overruns:0 frame:0
TX packets:4474972 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:464511566 (442.9 MiB) TX bytes:5637706969 (5.2 GiB)
Interrupt:19 Memory:78800000-78820000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:7155004 errors:0 dropped:0 overruns:0 frame:0
TX packets:7155004 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:10714272576 (9.9 GiB) TX bytes:10714272576 (9.9 GiB)

sysctl

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

# Controls the default maxmimum size of a mesage queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

Очень надеюсь на Вашу помощь, заранее спасибо за все советы!

Вопрос задан более трёх лет назад
3317 просмотров

Комментировать

Подписаться 1 Оценить Комментировать

Пригласить эксперта

Ответы на вопрос 2

4 комментария

mishka_abramov @mishka_abramov Автор вопроса

Спасибо за столь оперативный ответ! Однако подскажите, в чём еще может быть проблема
sysctl

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

# Controls the default maxmimum size of a mesage queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

Написано более трёх лет назад
Владимир @rostel

выполните предложенную команду
либо
# sysctl -p
в конфиге уже все есть

Написано более трёх лет назад
mishka_abramov @mishka_abramov Автор вопроса

Владимир:
sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296

Написано более трёх лет назад
mishka_abramov @mishka_abramov Автор вопроса

Владимир: Результата также не последовало.

Написано более трёх лет назад

17 комментариев

mishka_abramov @mishka_abramov Автор вопроса

Также большое спасибо за совет, перезапустил iptables результата не последовало. На что еще стоит обратить внимание?

Написано более трёх лет назад
Игорь @merryjane

Покажите текущий список правил, как Вы выложили в теле вопроса.

Написано более трёх лет назад

mishka_abramov @mishka_abramov Автор вопроса

Игорь:

Generated by iptables-save v1.4.7 on Wed Feb  4 13:06:28 2015
*nat
:PREROUTING ACCEPT [445:35874]
:POSTROUTING ACCEPT [201:12052]
:OUTPUT ACCEPT [201:12052]
-A PREROUTING -d 1.2.3.4/32 -p udp -m udp --dport 2221 -j DNAT --to-destination 1.2.3.5:2221
-A POSTROUTING -d 1.2.3.5:2221 -p tcp -m tcp --dport 2221 -j SNAT --to-source 1.2.3.4
COMMIT
# Completed on Wed Feb  4 13:06:28 2015
# Generated by iptables-save v1.4.7 on Wed Feb  4 13:06:28 2015
*filter
:INPUT DROP [70:5549]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1859:1537954]
:fail2ban-MAIL - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-VESTA - [0:0]
:vesta - [0:0]
-A INPUT -p tcp -m multiport --dports 25,465,587,2525,110,995,143,993 -j fail2ban-MAIL
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -p tcp -m tcp --dport 8083 -j fail2ban-VESTA
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587,2525 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 110,995 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 143,993 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 3306,5432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8083 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 188.234.249.229/32 -j ACCEPT
-A INPUT -s 192.168.0.5/32 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT

Написано более трёх лет назад

Игорь @merryjane

А iptables нормально перезапускаются? Без ошибок?
Почему-то у Вас по прежнему для FORWARD пустой счетчик.

Написано более трёх лет назад
mishka_abramov @mishka_abramov Автор вопроса

Игорь: Не обратил внимание на последний перезапуск:
service iptables restart
iptables: Setting chains to policy ACCEPT: filter nat [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: iptables-restore v1.4.7: host/network `1.2.3.5:2221' not found
Error occurred at line: 7
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[FAILED]

Написано более трёх лет назад
mishka_abramov @mishka_abramov Автор вопроса

Игорь: До вашей правки перезапуск происходил нормально

Написано более трёх лет назад
Владимир @rostel

iptables -A POSTROUTING -d 1.2.3.5 -p tcp -m tcp --dport 2221 -j SNAT --to-source 1.2.3.4

Написано более трёх лет назад
Игорь @merryjane

хм... попробуйте так:
-A POSTROUTING -d 1.2.3.5/32 -p tcp -m tcp --dport 2221 -j SNAT --to-source 1.2.3.4

Написано более трёх лет назад
mishka_abramov @mishka_abramov Автор вопроса

Игорь: Так же не привело к результатам.

Написано более трёх лет назад
Игорь @merryjane

Тогда надо вооружаться tcpdump-ом и логировать iptables, чтобы быть уверенным что пакеты вообще доходят до сервера, и если доходят то уходят дальше.
В общем нужен дебаг.

Написано более трёх лет назад

mishka_abramov @mishka_abramov Автор вопроса

Игорь: установил tcpdump очень буду признателен если поможете со следующим:
Вот что происходит на 2221 порту, когда к нам пытаются подключиться, для скачивания обновлений

[root@наш.доменн]# tcpdump -i any  port 2221
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
14:15:35.457914 IP внешний.пользователь.convex.ru.63705 > наш.доменн.rockwell-csp1: Flags [S], seq 2078803573, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
14:15:38.157952 IP 188x234x244x181.static-business.188-181.ertelecom.ru.49340 > наш.доменн.rockwell-csp1: Flags [S], seq 1500447274, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
14:15:38.459262 IP внешний.пользователь.convex.ru.63705 > наш.доменн.rockwell-csp1: Flags [S], seq 2078803573, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
14:15:41.148556 IP 188x234x244x181.static-business.188-181.ertelecom.ru.49340 > наш.доменн.rockwell-csp1: Flags [S], seq 1500447274, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
14:15:44.461209 IP внешний.пользователь.convex.ru.63705 > наш.доменн.rockwell-csp1: Flags [S], seq 2078803573, win 8192, options [mss 1460,nop,nop,sackOK], length 0
14:15:47.154251 IP 188x234x244x181.static-business.188-181.ertelecom.ru.49340 > наш.доменн.rockwell-csp1: Flags [S], seq 1500447274, win 8192, options [mss 1460,nop,nop,sackOK], length 0

Не совсем понял, как проанализировать уходят ли они дальше.

Написано более трёх лет назад

Игорь @merryjane

Тут видно только то, что у Вас нет ответов от сервера вообще в этом трейсе.
А на сервере куда маршрутизируете это все, прилетают пакеты?

Написано более трёх лет назад
mishka_abramov @mishka_abramov Автор вопроса

Игорь: Как будет возможность, настрою wireshark для того, чтобы ответить на ваш вопрос.

Написано более трёх лет назад

mishka_abramov @mishka_abramov Автор вопроса

Игорь: Вот собственно несколько пакетов которые wireshark видит на 2221 порту 1.2.3.5 я не до конца понимаю почему

No.     Time     Source                Destination           Protocol Length Info
   5448 15:45:32 1.2.3.5      1.2.3.4       TCP      66     63312→2221 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1

Frame 5448: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
Ethernet II, Src: AsustekC_9d:99:c6 (00:26:18:9d:99:c6), Dst: IETF-VRRP-VRID_0d (00:00:5e:00:01:0d)
Internet Protocol Version 4, Src: 1.2.3.5 (1.2.3.5), Dst:1.2.3.4 (188.234.249.229)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 52
    Identification: 0x62f7 (25335)
    Flags: 0x02 (Don't Fragment)
    Fragment offset: 0
    Time to live: 126
    Protocol: TCP (6)
    Header checksum: 0x2b6a [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 1.2.3.5 (1.2.3.5)
    Destination:1.2.3.4 (188.234.249.229)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 63312 (63312), Dst Port: 2221 (2221), Seq: 0, Len: 0
    Source Port: 63312 (63312)
    Destination Port: 2221 (2221)
    [Stream index: 330]
    [TCP Segment Len: 0]
    Sequence number: 0    (relative sequence number)
    Acknowledgment number: 0
    Header Length: 32 bytes
    .... 0000 0000 0010 = Flags: 0x002 (SYN)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...0 .... = Acknowledgment: Not set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..1. = Syn: Set
            [Expert Info (Chat/Sequence): Connection establish request (SYN): server port 2221]
                [Connection establish request (SYN): server port 2221]
                [Severity level: Chat]
                [Group: Sequence]
        .... .... ...0 = Fin: Not set
    Window size value: 8192
    [Calculated window size: 8192]
    Checksum: 0x7645 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Urgent pointer: 0
    Options: (12 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), SACK permitted
        Maximum segment size: 1460 bytes
            Kind: Maximum Segment Size (2)
            Length: 4
            MSS Value: 1460
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Window scale: 2 (multiply by 4)
            Kind: Window Scale (3)
            Length: 3
            Shift count: 2
            [Multiplier: 4]
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        TCP SACK Permitted Option: True
            Kind: SACK Permitted (4)
            Length: 2

No.     Time     Source                Destination           Protocol Length Info
   5451 15:45:321.2.3.4       1.2.3.5       TCP      60     2221→63312 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

Frame 5451: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: IETF-VRRP-VRID_0d (00:00:5e:00:01:0d), Dst: AsustekC_9d:99:c6 (00:26:18:9d:99:c6)
Internet Protocol Version 4, Src:1.2.3.4 (188.234.249.229), Dst: 1.2.3.5 (1.2.3.5)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x04 (DSCP 0x01: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 01.. = Differentiated Services Codepoint: Unknown (0x01)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 40
    Identification: 0x0000 (0)
    Flags: 0x02 (Don't Fragment)
    Fragment offset: 0
    Time to live: 63
    Protocol: TCP (6)
    Header checksum: 0xcd69 [validation disabled]
        [Good: False]
        [Bad: False]
    Source:1.2.3.4 (188.234.249.229)
    Destination: 1.2.3.5 (1.2.3.5)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 2221 (2221), Dst Port: 63312 (63312), Seq: 1, Ack: 1, Len: 0
    Source Port: 2221 (2221)
    Destination Port: 63312 (63312)
    [Stream index: 330]
    [TCP Segment Len: 0]
    Sequence number: 1    (relative sequence number)
    Acknowledgment number: 1    (relative ack number)
    Header Length: 20 bytes
    .... 0000 0001 0100 = Flags: 0x014 (RST, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .1.. = Reset: Set
            [Expert Info (Warn/Sequence): Connection reset (RST)]
                [Connection reset (RST)]
                [Severity level: Warn]
                [Group: Sequence]
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 0
    [Calculated window size: 0]
    [Window size scaling factor: -1 (unknown)]
    Checksum: 0xd6fe [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Urgent pointer: 0
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 5448]
        [The RTT to ACK the segment was: 0.000788000 seconds]
        [iRTT: 0.000788000 seconds]

No.     Time     Source                Destination           Protocol Length Info
   5461 15:45:32 192.168.0.34         1.2.3.4       TCP      66     49601→2221 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1

Frame 5461: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 1
Ethernet II, Src: AsustekC_c5:1c:1d (54:04:a6:c5:1c:1d), Dst: AsustekC_9d:97:62 (00:26:18:9d:97:62)
Internet Protocol Version 4, Src: 192.168.0.34 (192.168.0.34), Dst:1.2.3.4 (188.234.249.229)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 52
    Identification: 0x62f7 (25335)
    Flags: 0x02 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (6)
    Header checksum: 0x2032 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 192.168.0.34 (192.168.0.34)
    Destination:1.2.3.4 (188.234.249.229)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 49601 (49601), Dst Port: 2221 (2221), Seq: 0, Len: 0
    Source Port: 49601 (49601)
    Destination Port: 2221 (2221)
    [Stream index: 331]
    [TCP Segment Len: 0]
    Sequence number: 0    (relative sequence number)
    Acknowledgment number: 0
    Header Length: 32 bytes
    .... 0000 0000 0010 = Flags: 0x002 (SYN)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...0 .... = Acknowledgment: Not set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..1. = Syn: Set
            [Expert Info (Chat/Sequence): Connection establish request (SYN): server port 2221]
                [Connection establish request (SYN): server port 2221]
                [Severity level: Chat]
                [Group: Sequence]
        .... .... ...0 = Fin: Not set
    Window size value: 8192
    [Calculated window size: 8192]
    Checksum: 0xa29c [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Urgent pointer: 0
    Options: (12 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), SACK permitted
        Maximum segment size: 1460 bytes
            Kind: Maximum Segment Size (2)
            Length: 4
            MSS Value: 1460
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Window scale: 2 (multiply by 4)
            Kind: Window Scale (3)
            Length: 3
            Shift count: 2
            [Multiplier: 4]
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        TCP SACK Permitted Option: True
            Kind: SACK Permitted (4)
            Length: 2

No.     Time     Source                Destination           Protocol Length Info
   5465 15:45:321.2.3.4       192.168.0.34          TCP      54     2221→49601 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

Frame 5465: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 1
Ethernet II, Src: AsustekC_9d:97:62 (00:26:18:9d:97:62), Dst: AsustekC_c5:1c:1d (54:04:a6:c5:1c:1d)
Internet Protocol Version 4, Src:1.2.3.4 (188.234.249.229), Dst: 192.168.0.34 (192.168.0.34)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x04 (DSCP 0x01: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 01.. = Differentiated Services Codepoint: Unknown (0x01)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 40
    Identification: 0x0000 (0)
    Flags: 0x02 (Don't Fragment)
    Fragment offset: 0
    Time to live: 62
    Protocol: TCP (6)
    Header checksum: 0xc531 [validation disabled]
        [Good: False]
        [Bad: False]
    Source:1.2.3.4 (188.234.249.229)
    Destination: 192.168.0.34 (192.168.0.34)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 2221 (2221), Dst Port: 49601 (49601), Seq: 1, Ack: 1, Len: 0
    Source Port: 2221 (2221)
    Destination Port: 49601 (49601)
    [Stream index: 331]
    [TCP Segment Len: 0]
    Sequence number: 1    (relative sequence number)
    Acknowledgment number: 1    (relative ack number)
    Header Length: 20 bytes
    .... 0000 0001 0100 = Flags: 0x014 (RST, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .1.. = Reset: Set
            [Expert Info (Warn/Sequence): Connection reset (RST)]
                [Connection reset (RST)]
                [Severity level: Warn]
                [Group: Sequence]
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 0
    [Calculated window size: 0]
    [Window size scaling factor: -1 (unknown)]
    Checksum: 0x0356 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Urgent pointer: 0
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 5461]
        [The RTT to ACK the segment was: 0.000860000 seconds]
        [iRTT: 0.000860000 seconds]

No.     Time     Source                Destination           Protocol Length Info
   5835 15:45:32 192.168.0.34         1.2.3.4       TCP      66     [TCP Spurious Retransmission] 49601→2221 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1

Frame 5835: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 1
Ethernet II, Src: AsustekC_c5:1c:1d (54:04:a6:c5:1c:1d), Dst: AsustekC_9d:97:62 (00:26:18:9d:97:62)
Internet Protocol Version 4, Src: 192.168.0.34 (192.168.0.34), Dst:1.2.3.4 (188.234.249.229)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 52
    Identification: 0x62f9 (25337)
    Flags: 0x02 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (6)
    Header checksum: 0x2030 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 192.168.0.34 (192.168.0.34)
    Destination:1.2.3.4 (188.234.249.229)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 49601 (49601), Dst Port: 2221 (2221), Seq: 0, Len: 0
    Source Port: 49601 (49601)
    Destination Port: 2221 (2221)
    [Stream index: 331]
    [TCP Segment Len: 0]
    Sequence number: 0    (relative sequence number)
    Acknowledgment number: 0
    Header Length: 32 bytes
    .... 0000 0000 0010 = Flags: 0x002 (SYN)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...0 .... = Acknowledgment: Not set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..1. = Syn: Set
            [Expert Info (Chat/Sequence): Connection establish request (SYN): server port 2221]
                [Connection establish request (SYN): server port 2221]
                [Severity level: Chat]
                [Group: Sequence]
        .... .... ...0 = Fin: Not set
    Window size value: 8192
    [Calculated window size: 8192]
    Checksum: 0xa29c [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Urgent pointer: 0
    Options: (12 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), SACK permitted
        Maximum segment size: 1460 bytes
            Kind: Maximum Segment Size (2)
            Length: 4
            MSS Value: 1460
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Window scale: 2 (multiply by 4)
            Kind: Window Scale (3)
            Length: 3
            Shift count: 2
            [Multiplier: 4]
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        TCP SACK Permitted Option: True
            Kind: SACK Permitted (4)
            Length: 2
    [SEQ/ACK analysis]
        [iRTT: 0.000860000 seconds]
        [TCP Analysis Flags]
            [Expert Info (Note/Sequence): This frame is a (suspected) spurious retransmission]
                [This frame is a (suspected) spurious retransmission]
                [Severity level: Note]
                [Group: Sequence]
            [Expert Info (Note/Sequence): This frame is a (suspected) retransmission]
                [This frame is a (suspected) retransmission]
                [Severity level: Note]
                [Group: Sequence]

No.     Time     Source                Destination           Protocol Length Info
   5837 15:45:321.2.3.4       192.168.0.34          TCP      54     2221→49601 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

Frame 5837: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 1
Ethernet II, Src: AsustekC_9d:97:62 (00:26:18:9d:97:62), Dst: AsustekC_c5:1c:1d (54:04:a6:c5:1c:1d)
Internet Protocol Version 4, Src:1.2.3.4 (188.234.249.229), Dst: 192.168.0.34 (192.168.0.34)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x04 (DSCP 0x01: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 01.. = Differentiated Services Codepoint: Unknown (0x01)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 40
    Identification: 0x0000 (0)
    Flags: 0x02 (Don't Fragment)
    Fragment offset: 0
    Time to live: 62
    Protocol: TCP (6)
    Header checksum: 0xc531 [validation disabled]
        [Good: False]
        [Bad: False]
    Source:1.2.3.4 (188.234.249.229)
    Destination: 192.168.0.34 (192.168.0.34)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 2221 (2221), Dst Port: 49601 (49601), Seq: 1, Ack: 1, Len: 0
    Source Port: 2221 (2221)
    Destination Port: 49601 (49601)
    [Stream index: 331]
    [TCP Segment Len: 0]
    Sequence number: 1    (relative sequence number)
    Acknowledgment number: 1    (relative ack number)
    Header Length: 20 bytes
    .... 0000 0001 0100 = Flags: 0x014 (RST, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .1.. = Reset: Set
            [Expert Info (Warn/Sequence): Connection reset (RST)]
                [Connection reset (RST)]
                [Severity level: Warn]
                [Group: Sequence]
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 0
    [Calculated window size: 0]
    [Window size scaling factor: -1 (unknown)]
    Checksum: 0x0356 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Urgent pointer: 0
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 5835]
        [The RTT to ACK the segment was: 0.000863000 seconds]
        [iRTT: 0.000860000 seconds]

No.     Time     Source                Destination           Protocol Length Info
   5850 15:45:32 1.2.3.5      1.2.3.4       TCP      66     [TCP Spurious Retransmission] 63312→2221 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1

Frame 5850: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
Ethernet II, Src: AsustekC_9d:99:c6 (00:26:18:9d:99:c6), Dst: IETF-VRRP-VRID_0d (00:00:5e:00:01:0d)
Internet Protocol Version 4, Src: 1.2.3.5 (1.2.3.5), Dst:1.2.3.4 (188.234.249.229)
    Version: 4
    Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 52
    Identification: 0x62f9 (25337)
    Flags: 0x02 (Don't Fragment)
    Fragment offset: 0
    Time to live: 126
    Protocol: TCP (6)
    Header checksum: 0x2b68 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 1.2.3.5 (1.2.3.5)
    Destination:1.2.3.4 (188.234.249.229)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 63312 (63312), Dst Port: 2221 (2221), Seq: 0, Len: 0
    Source Port: 63312 (63312)
    Destination Port: 2221 (2221)
    [Stream index: 330]
    [TCP Segment Len: 0]
    Sequence number: 0    (relative sequence number)
    Acknowledgment number: 0
    Header Length: 32 bytes
    .... 0000 0000 0010 = Flags: 0x002 (SYN)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...0 .... = Acknowledgment: Not set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..1. = Syn: Set
            [Expert Info (Chat/Sequence): Connection establish request (SYN): server port 2221]
                [Connection establish request (SYN): server port 2221]
                [Severity level: Chat]
                [Group: Sequence]
        .... .... ...0 = Fin: Not set
    Window size value: 8192
    [Calculated window size: 8192]
    Checksum: 0x7645 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Urgent pointer: 0
    Options: (12 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), SACK permitted
        Maximum segment size: 1460 bytes
            Kind: Maximum Segment Size (2)
            Length: 4
            MSS Value: 1460
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Window scale: 2 (multiply by 4)
            Kind: Window Scale (3)
            Length: 3
            Shift count: 2
            [Multiplier: 4]
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        TCP SACK Permitted Option: True
            Kind: SACK Permitted (4)
            Length: 2
    [SEQ/ACK analysis]
        [iRTT: 0.000788000 seconds]
        [TCP Analysis Flags]
            [Expert Info (Note/Sequence): This frame is a (suspected) spurious retransmission]
                [This frame is a (suspected) spurious retransmission]
                [Severity level: Note]
                [Group: Sequence]
            [Expert Info (Note/Sequence): This frame is a (suspected) retransmission]
                [This frame is a (suspected) retransmission]
                [Severity level: Note]
                [Group: Sequence]

Написано более трёх лет назад

mishka_abramov @mishka_abramov Автор вопроса

Игорь: если я всё таки верно понимаю, проблема с возвратом пакета.

Написано более трёх лет назад
mishka_abramov @mishka_abramov Автор вопроса

Игорь:

Еще может что-то может подсказать сам шарк, ибо я, если честно, со своими эникейными знаниями слаб.

Написано более трёх лет назад
Игорь @merryjane

Да, похоже на то. Но не могу сказать почему так происходит.

Написано более трёх лет назад

Ваш ответ на вопрос

Войдите, чтобы написать ответ

Похожие вопросы

Linux

+2 ещё

Простой
Чем настраивать ACL на серверах Linux?
- 1 подписчик
- вчера
- 108 просмотров
1

ответ
Linux

+1 ещё

Простой
Как в Centos (или других линуксах) настроить эмуляцию мышиных движений и кнопок с клавиатуры?
- 2 подписчика
- 13 апр.
- 410 просмотров
2

ответа
CentOS

Простой
Как установить mod_evasive на Centos 9?
- 1 подписчик
- 05 апр.
- 40 просмотров
1

ответ
Ubuntu

+2 ещё

Простой
Как поменять порт openvpn клиента на ubuntu 22?
- 1 подписчик
- 02 апр.
- 106 просмотров
1

ответ
PHP

+2 ещё

Средний
Как заставить принтер(ы) печатать с удаленного сервера?
- 1 подписчик
- 16 мар.
- 316 просмотров
4

ответа
OpenVPN

+1 ещё

Простой
Как настроить правило iptables, чтобы конкретный ip шел через локальный прокси?
- 1 подписчик
- 07 мар.
- 135 просмотров
1

ответ
VPN

+2 ещё

Простой
Почему не доходят запросы к ДНС серверу в локальной сети из другой сети?
- 1 подписчик
- 06 мар.
- 285 просмотров
1

ответ
1С-Битрикс

+3 ещё

Средний
Как изменить ip в виртуальной машине битрикса bitrixvm9 развернутой на esxi на внешний ip?
- 1 подписчик
- 04 мар.
- 130 просмотров
1

ответ
1С-Битрикс

+3 ещё

Средний
Как исправить ошибку связанную с rpm-package во время установки виртуального окружения битрикс на виртуальную машину с CentOS 7?
- 1 подписчик
- 04 мар.
- 63 просмотра
1

ответ
CentOS

+2 ещё

Средний
Как перегенерировать сертификаты ssl для dovecot на centos?
- 1 подписчик
- 24 февр.
- 64 просмотра
1

ответ
Показать ещё Загружается…

DevOps (openstack/k8s) инженер

Wanted. • Москва

До 280 000 ₽

UX/UI Дизайнер

REES46

До 80 000 ₽

PHP и Node.js разработчик

TripShock Adventures

от 1 000 до 2 500 $

Answer 1 · 2015-02-04 16:47:50

Владимир @rostel

:FORWARD ACCEPT [0:0] - говорит о том что не разрешен форвардинг в ядре
sysctl -w net.ipv4.ip_forward=1

Ответ написан более трёх лет назад

4 комментария

Answer 2 · 2015-02-04 17:06:03

Игорь @merryjane

Системный администратор

Похоже не хватает обратного правила:

-A POSTROUTING -d 1.2.3.5:2221 -p tcp -m tcp --dport 2221 -j SNAT --to-source 1.2.3.4

Ответ написан более трёх лет назад

17 комментариев

Как сделать правильный проброс портов через iptables в centos?

Войдите, чтобы написать ответ

Минуточку внимания

Войдите на сайт