Conntrack marks all packets as invalid. The server runs haproxy and has multiple IPs on one network interface.
Everything works, because we do not check the state in the rules. What are we doing wrong?
iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m set --match-set SOMESET src -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
conntrack -S
cpu=0 found=0 invalid=24192 insert=0 insert_failed=38 drop=38 early_drop=0 error=296 search_restart=30656
cpu=1 found=0 invalid=23796 insert=0 insert_failed=51 drop=51 early_drop=0 error=71 search_restart=30366
cpu=2 found=0 invalid=24212 insert=0 insert_failed=46 drop=46 early_drop=0 error=66 search_restart=31104
cpu=3 found=0 invalid=23979 insert=0 insert_failed=33 drop=33 early_drop=0 error=67 search_restart=30041
cpu=4 found=0 invalid=23967 insert=0 insert_failed=61 drop=61 early_drop=0 error=28 search_restart=31054
cpu=5 found=0 invalid=23917 insert=0 insert_failed=31 drop=31 early_drop=0 error=62 search_restart=30977
cpu=6 found=0 invalid=24110 insert=0 insert_failed=54 drop=54 early_drop=0 error=57 search_restart=30694
cpu=7 found=0 invalid=24151 insert=0 insert_failed=53 drop=53 early_drop=0 error=84 search_restart=30289
cpu=8 found=0 invalid=22103 insert=0 insert_failed=30 drop=30 early_drop=0 error=52 search_restart=28852
cpu=9 found=0 invalid=21935 insert=0 insert_failed=33 drop=33 early_drop=0 error=40 search_restart=29242
cpu=10 found=0 invalid=19963 insert=0 insert_failed=27 drop=27 early_drop=0 error=154 search_restart=13072
cpu=11 found=0 invalid=19561 insert=0 insert_failed=42 drop=42 early_drop=0 error=59 search_restart=13149
lsmod|grep conntrack
nf_conntrack_bridge 16384 0
bridge 253952 1 nf_conntrack_bridge
nf_conntrack_netlink 57344 0
xt_conntrack 16384 1
nfnetlink 16384 4 nft_compat,nf_conntrack_netlink,nf_tables,ip_set
nf_conntrack 176128 4 xt_conntrack,xt_state,nf_conntrack_netlink,nf_conntrack_bridge
nf_defrag_ipv6 24576 2 nf_conntrack,nf_conntrack_bridge
nf_defrag_ipv4 16384 1 nf_conntrack
x_tables 53248 8 xt_conntrack,nft_compat,xt_state,xt_tcpudp,xt_set,ipt_REJECT,ip_tables,ip6t_REJECT
libcrc32c 16384 4 nf_conntrack,btrfs,nf_tables,raid456
OS
Linux 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64 GNU/Linux
/etc/os-release:PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
/etc/os-release:NAME="Debian GNU/Linux"
/etc/os-release:VERSION_ID="11"
/etc/os-release:VERSION="11 (bullseye)"
/etc/os-release:VERSION_CODENAME=bullseye
/etc/os-release:ID=debian
/etc/os-release:HOME_URL="https://www.debian.org/"
/etc/os-release:SUPPORT_URL="https://www.debian.org/support"
/etc/os-release:BUG_REPORT_URL="https://bugs.debian.org/"
conntrack -E, everything seems fine
[NEW] tcp 6 120 SYN_SENT src=ip0 dst=ip1 sport=28830 dport=80 [UNREPLIED] src=ip1 dst=ip0 sport=80 dport=28830
[UPDATE] tcp 6 60 SYN_RECV src=ip0 dst=ip1 sport=28830 dport=80 src=ip1 dst=ip0 sport=80 dport=28830
[UPDATE] tcp 6 10 CLOSE src=ip0 dst=ip1 sport=28830 dport=80 src=ip1 dst=ip0 sport=80 dport=28830
Update:
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
I changed the rules. Made a curl request and the stats are the same as with the old version. No new connections. I think conntrack works fine, but the statistics are incorrect.
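A small parser for the per-CPU `conntrack -S` output shown above, added here as an example and not part of the question or of the conntrack tools: it sums the counters across CPUs and flags the pattern visible in the question (every `drop` matched by an `insert_failed`, `early_drop` at zero, and a large `invalid` count), which is easier to read than twelve separate lines. The sample input is the first two CPU lines from the question.

```python
import re
from typing import Dict, List

# Sample input: the first two per-CPU lines of `conntrack -S` from the question.
SAMPLE = """\
cpu=0 found=0 invalid=24192 insert=0 insert_failed=38 drop=38 early_drop=0 error=296 search_restart=30656
cpu=1 found=0 invalid=23796 insert=0 insert_failed=51 drop=51 early_drop=0 error=71 search_restart=30366
"""

FIELD_RE = re.compile(r"(\w+)=(\d+)")


def parse_conntrack_stats(text: str) -> List[Dict[str, int]]:
    """Turn each `cpu=N key=value ...` line into a dict of integer counters."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("cpu="):
            continue  # ignore anything that is not a per-CPU counter line
        rows.append({k: int(v) for k, v in FIELD_RE.findall(line)})
    return rows


def aggregate(rows: List[Dict[str, int]]) -> Dict[str, int]:
    """Sum every counter except the cpu index across all CPUs."""
    totals: Dict[str, int] = {}
    for row in rows:
        for key, value in row.items():
            if key != "cpu":
                totals[key] = totals.get(key, 0) + value
    return totals


def assess(totals: Dict[str, int]) -> Dict[str, bool]:
    """Flags a defender would look at first when reading these totals."""
    return {
        # invalid packets were seen at all; a high count means conntrack could
        # not attach them to a flow (or classify them), as in the question
        "has_invalid": totals.get("invalid", 0) > 0,
        # every drop coincides with a failed insert and early_drop is zero, so
        # the drops are not caused by the conntrack table being full
        "drops_are_insert_clashes": totals.get("drop", 0) == totals.get("insert_failed", 0)
        and totals.get("early_drop", 0) == 0,
    }


if __name__ == "__main__":
    t = aggregate(parse_conntrack_stats(SAMPLE))
    print(t, assess(t))
```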