Opened 11 years ago

Last modified 7 years ago

#4 assigned defect

From a client PC on the LAN side of the router PC, the router PC cannot be reached using the router PC's WAN-side IP

Reported by: mitty Owned by: mitty
Priority: major Component: network
Keywords: Cc:

Description (last modified by mitty)

  • When the router is built on Ubuntu, a client PC on the LAN side can of course reach the router PC's LAN-side IP, but it cannot communicate with the router PC using the WAN-side IP.

Change History (9)

comment:1 Changed 11 years ago by mitty

  • Description modified (diff)
  • Summary changed from "Cannot connect from inside the LAN to services on the router PC using the router PC's WAN-side IP" to "From a client PC on the LAN side of the router PC, the router PC cannot be reached using the router PC's WAN-side IP"

  • Network diagram
         133.xy.zz.39
              |
           <eth1>
       <<ubuntu-napt>>
           <eth0>
              |
       192.168.100.254
              |
              |
    ((192.168.100.0/24))
                  |
                  |
            Win Vista(192.168.100.250)
    
  • Vista> ping 133.xy.zz.39 -n 1
    • timed out
    1. ubuntu-napt:eth0 icmp
      16:03:26.761563 IP 192.168.100.250 > 133.xy.zz.39: ICMP echo request, id 1, seq 7590, length 40
      
    2. ubuntu-napt:eth1 icmp
      16:03:26.761625 IP 133.xy.zz.39 > 192.168.100.250: ICMP echo reply, id 1, seq 7590, length 40
      
  • Vista => when accessing https://133.xy.zz.39:443/
    • connection fails
    1. ubuntu-napt:eth0 port 443
      16:07:18.202831 IP 192.168.100.250.49492 > 133.xy.zz.39.443: S 1239710250:1239710250(0) win 8192 <mss 1460,nop,nop,sackOK>
      16:07:21.186875 IP 192.168.100.250.49492 > 133.xy.zz.39.443: S 1239710250:1239710250(0) win 8192 <mss 1460,nop,nop,sackOK>
      16:07:27.187690 IP 192.168.100.250.49492 > 133.xy.zz.39.443: S 1239710250:1239710250(0) win 8192 <mss 1460,nop,nop,sackOK>
      
    2. ubuntu-napt:eth1 port 443
      16:07:18.203252 IP 133.xy.zz.39.443 > 192.168.100.250.49492: S 2405461547:2405461547(0) ack 1239710251 win 5840 <mss 1460,nop,nop,sackOK>
      16:07:21.187170 IP 133.xy.zz.39.443 > 192.168.100.250.49492: S 2405461547:2405461547(0) ack 1239710251 win 5840 <mss 1460,nop,nop,sackOK>
      16:07:21.462811 IP 133.xy.zz.39.443 > 192.168.100.250.49492: S 2405461547:2405461547(0) ack 1239710251 win 5840 <mss 1460,nop,nop,sackOK>
      16:07:27.187721 IP 133.xy.zz.39.443 > 192.168.100.250.49492: S 2405461547:2405461547(0) ack 1239710251 win 5840 <mss 1460,nop,nop,sackOK>
      16:07:27.463155 IP 133.xy.zz.39.443 > 192.168.100.250.49492: S 2405461547:2405461547(0) ack 1239710251 win 5840 <mss 1460,nop,nop,sackOK>
      16:07:31.262990 IP 133.xy.zz.39.443 > 192.168.100.250.49491: S 1142715877:1142715877(0) ack 2564162534 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 5>
      16:07:39.462611 IP 133.xy.zz.39.443 > 192.168.100.250.49492: S 2405461547:2405461547(0) ack 1239710251 win 5840 <mss 1460,nop,nop,sackOK>
      16:08:03.462984 IP 133.xy.zz.39.443 > 192.168.100.250.49492: S 2405461547:2405461547(0) ack 1239710251 win 5840 <mss 1460,nop,nop,sackOK>
      

comment:2 Changed 11 years ago by mitty

  • Description modified (diff)

comment:3 Changed 11 years ago by mitty

  • Opening https://192.168.100.254:443/ from a LAN-side client PC works

comment:4 Changed 11 years ago by mitty

Solution

  • sudo iptables -t nat -A PREROUTING -p tcp -i eth0 -s ! 192.168.100.254 --dport 443 -j DNAT --to-destination 192.168.100.254:443
  • Vista => when accessing https://133.xy.zz.39:443/
    • connection succeeds
    1. ubuntu-napt:eth0 port 443
      16:21:31.709397 IP 192.168.100.250.49497 > 133.xy.zz.39.443: S 1565904180:1565904180(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
      16:21:31.709646 IP 133.xy.zz.39.443 > 192.168.100.250.49497: S 2896602104:2896602104(0) ack 1565904181 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 5>
      16:21:31.710563 IP 192.168.100.250.49497 > 133.xy.zz.39.443: . ack 1 win 16425
      16:21:31.714430 IP 192.168.100.250.49497 > 133.xy.zz.39.443: P 1:102(101) ack 1 win 16425
      16:21:31.714477 IP 133.xy.zz.39.443 > 192.168.100.250.49497: . ack 102 win 183
      16:21:31.715399 IP 133.xy.zz.39.443 > 192.168.100.250.49497: P 1:826(825) ack 102 win 183
      16:21:31.717080 IP 192.168.100.250.49497 > 133.xy.zz.39.443: P 102:300(198) ack 826 win 16218
      16:21:31.720111 IP 133.xy.zz.39.443 > 192.168.100.250.49497: P 826:885(59) ack 300 win 216
      16:21:31.876916 IP 192.168.100.250.49497 > 133.xy.zz.39.443: F 300:300(0) ack 885 win 16204
      16:21:31.877358 IP 133.xy.zz.39.443 > 192.168.100.250.49497: P 885:922(37) ack 301 win 216
      16:21:31.877613 IP 133.xy.zz.39.443 > 192.168.100.250.49497: F 922:922(0) ack 301 win 216
      16:21:31.878519 IP 192.168.100.250.49497 > 133.xy.zz.39.443: R 301:301(0) ack 922 win 0
      16:21:31.879718 IP 192.168.100.250.49498 > 133.xy.zz.39.443: S 4205676965:4205676965(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
      16:21:31.879852 IP 133.xy.zz.39.443 > 192.168.100.250.49498: S 2898732341:2898732341(0) ack 4205676966 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 5>
      16:21:31.880464 IP 192.168.100.250.49498 > 133.xy.zz.39.443: . ack 1 win 16425
      16:21:31.881477 IP 192.168.100.250.49498 > 133.xy.zz.39.443: P 1:134(133) ack 1 win 16425
      16:21:31.881529 IP 133.xy.zz.39.443 > 192.168.100.250.49498: . ack 134 win 216
      16:21:31.882356 IP 133.xy.zz.39.443 > 192.168.100.250.49498: P 1:139(138) ack 134 win 216
      16:21:31.883403 IP 192.168.100.250.49498 > 133.xy.zz.39.443: P 134:193(59) ack 139 win 16390
      16:21:31.890260 IP 192.168.100.250.49498 > 133.xy.zz.39.443: F 193:193(0) ack 139 win 16390
      16:21:31.890476 IP 133.xy.zz.39.443 > 192.168.100.250.49498: P 139:176(37) ack 194 win 216
      16:21:31.890566 IP 133.xy.zz.39.443 > 192.168.100.250.49498: F 176:176(0) ack 194 win 216
      16:21:31.891206 IP 192.168.100.250.49498 > 133.xy.zz.39.443: R 194:194(0) ack 176 win 0
      
  • Problem
    • Every packet arriving on ubuntu-napt:eth0 that is destined for 443/tcp is redirected to 192.168.100.254:443.
      • Because PREROUTING is evaluated before the POSTROUTING chain that performs MASQUERADE, trying to view an external https site also ends up connecting to https://192.168.100.254:443/

comment:5 Changed 11 years ago by mitty

  • Description modified (diff)
  • Status changed from new to assigned

comment:6 Changed 11 years ago by mitty

Solution

  • sudo iptables -t nat -A PREROUTING -p tcp -i eth0 -s ! 192.168.100.254 -d 133.xy.zz.39 --dport 443 -j DNAT --to-destination 192.168.100.254:443
  • With the -d option, DNAT is applied only when the destination is the WAN-side IP of ubuntu-napt:eth1
  • External https sites do not match, so external sites can be reached normally
  • Problem
    • The WAN-side IP has to be known in advance

comment:7 follow-up: Changed 11 years ago by mitty

Solution

  • sudo iptables -t nat -D PREROUTING -i eth0 -s ! 192.168.100.254 -d 133.51.81.39 -j DNAT --to-destination 192.168.100.254

  • Without specifying a protocol such as tcp, forward all packets to ubuntu-napt:eth0
    • Vista> ping 133.51.81.39 -n 1
      • 0% loss
      1. ubuntu-napt:eth0 icmp
        16:54:18.030325 IP 192.168.100.250 > 133.51.81.39: ICMP echo request, id 1, seq 7601, length 40
        16:54:18.030388 IP 133.51.81.39 > 192.168.100.250: ICMP echo reply, id 1, seq 7601, length 40
        
  • Can be configured in one go without adding a rule per port (icmp etc. also work)
  • Be careful: forgetting the -d option causes serious trouble (ubuntu-napt:eth0 would receive every packet)
  • Problem
    • As with #comment:6, the WAN-side IP has to be known in advance

comment:8 in reply to: ↑ 7 Changed 11 years ago by mitty

Reply to mitty

  • sudo iptables -t nat -D PREROUTING -i eth0 -s ! 192.168.100.254 -d 133.51.81.39 -j DNAT --to-destination 192.168.100.254
  • Correct form => sudo iptables -t nat -A PREROUTING -i eth0 -s ! 192.168.100.254 -d 133.51.81.39 -j DNAT --to-destination 192.168.100.254
  • Using -s 192.168.100.0/24 instead also works fine
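To check which packets each of the ticket's PREROUTING rules would rewrite (the protocol-only rule of comment:4, the -d-restricted rule of comment:6, and the all-protocol rule of comment:7 as corrected in comment:8), here is an added dry-run model of the match logic; it is not part of the ticket, models only the matches the ticket uses (-i, -p, -s !, -d, --dport), and the external address 203.0.113.10 is a constructed placeholder.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

WAN_IP = "133.xy.zz.39"      # ubuntu-napt:eth1 (the ticket's masked WAN address)
LAN_IP = "192.168.100.254"   # ubuntu-napt:eth0
CLIENT = "192.168.100.250"   # Win Vista on the LAN
EXTERNAL = "203.0.113.10"    # constructed: an external https site (TEST-NET-3)

@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class DnatRule:
    """Subset of `iptables -t nat -A PREROUTING ... -j DNAT`: -i, -p, -s !, -d, --dport."""
    in_iface: str
    to_destination: str              # "ip" or "ip:port"
    proto: Optional[str] = None      # -p; None = any protocol (comment:7/8)
    not_src: Optional[str] = None    # -s ! X
    dst: Optional[str] = None        # -d; None = any destination (the comment:4 pitfall)
    dport: Optional[int] = None      # --dport

    def matches(self, p: Packet) -> bool:
        return (p.in_iface == self.in_iface
                and (self.proto is None or p.proto == self.proto)
                and (self.not_src is None or p.src != self.not_src)
                and (self.dst is None or p.dst == self.dst)
                and (self.dport is None or p.dport == self.dport))

def apply_prerouting(rules: List[DnatRule], p: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins (PREROUTING order); no match keeps the original destination.
    A DNAT target without a port keeps the packet's own port (None for ICMP)."""
    for r in rules:
        if r.matches(p):
            ip, _, port = r.to_destination.partition(":")
            return ip, (int(port) if port else p.dport)
    return p.dst, p.dport

# The ticket's rules: comment:4, comment:6, and comment:8's corrected (-A) form of comment:7.
RULE_COMMENT4 = DnatRule("eth0", f"{LAN_IP}:443", proto="tcp", not_src=LAN_IP, dport=443)
RULE_COMMENT6 = DnatRule("eth0", f"{LAN_IP}:443", proto="tcp", not_src=LAN_IP, dst=WAN_IP, dport=443)
RULE_COMMENT8 = DnatRule("eth0", LAN_IP, not_src=LAN_IP, dst=WAN_IP)

HTTPS_TO_WAN_IP = Packet("eth0", "tcp", CLIENT, WAN_IP, 443)
HTTPS_TO_EXTERNAL = Packet("eth0", "tcp", CLIENT, EXTERNAL, 443)
PING_WAN_IP = Packet("eth0", "icmp", CLIENT, WAN_IP)
```

Running `apply_prerouting([RULE_COMMENT4], HTTPS_TO_EXTERNAL)` reproduces the comment:4 problem (the external site is rewritten to 192.168.100.254:443), while RULE_COMMENT6 leaves it untouched and RULE_COMMENT8 additionally catches the ICMP ping.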

comment:9 Changed 11 years ago by mitty

Last edited 7 years ago by mitty (previous) (diff)