Start two docker instances, named test and test_gw (test_gw acts as the gateway for the baidu URL)
- test
docker run --name test --cap-add=NET_ADMIN --cap-add=NET_RAW -d test:1.2
The IP of eth0 in the test container is 172.17.0.4
# ping www.baidu.com
PING www.baidu.com (180.101.49.12): 56 data bytes
64 bytes from 180.101.49.12: seq=0 ttl=37 time=28.758 ms
We got the IP of baidu.com (180.101.49.12) from test
# ip tunnel add tun0 mode gre remote 172.17.0.5 local 172.17.0.4 ttl 64
# ip link set tun0 up
# ip addr add 100.64.0.1 peer 100.64.0.2 dev tun0
# ip route add 180.101.49.0/24 via 100.64.0.1 dev tun0
- test_gw
docker run --name test_gw --cap-add=NET_ADMIN --cap-add=NET_RAW -d test:1.2
The IP of eth0 in the test_gw container is 172.17.0.5
# ip tunnel add tun0 mode gre remote 172.17.0.4 local 172.17.0.5 ttl 64
# ip link set tun0 up
# ip addr add 100.64.0.2 peer 100.64.0.1 dev tun0
# ip route add 180.101.49.0/24 via 100.64.0.2 dev tun0
Add NAT
# iptables -t nat -A POSTROUTING -d 180.101.49.0/24 -j MASQUERADE
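The commands above are the complete two-sided setup, so here is an added consistency check, written for these notes and not part of them, that models both containers exactly as configured and reports anything that breaks the intended path test -> tun0 -> test_gw -> eth0. The dict layout, the function names and the "fixed" gateway variant (my assumption of the intended fix: the gateway keeps no explicit route for the prefix and falls back to its default route towards eth0) are mine; the addresses, prefixes and interface names are the ones used above. Run on the configuration as written, it reports that test_gw's own route for 180.101.49.0/24 points back into tun0, which is what the problem section records.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the two containers exactly as configured in the notes.
TEST = {
    "name": "test",
    "gre": {"local": "172.17.0.4", "remote": "172.17.0.5"},
    "tun": {"addr": "100.64.0.1", "peer": "100.64.0.2"},
    "routes": [{"dst": "180.101.49.0/24", "via": "100.64.0.1", "dev": "tun0"}],
    "masquerade": [],
}
TEST_GW = {
    "name": "test_gw",
    "gre": {"local": "172.17.0.5", "remote": "172.17.0.4"},
    "tun": {"addr": "100.64.0.2", "peer": "100.64.0.1"},
    "routes": [{"dst": "180.101.49.0/24", "via": "100.64.0.2", "dev": "tun0"}],
    "masquerade": ["180.101.49.0/24"],
}
# Assumed fix (not from the notes): the gateway keeps no explicit route for the
# prefix, so its default route via eth0 carries the traffic out.
TEST_GW_FIXED = {**TEST_GW, "name": "test_gw (fixed)", "routes": []}


def routes_for(host, target):
    """Explicit routes on `host` whose prefix contains `target`."""
    t = ip_address(target)
    return [r for r in host["routes"] if t in ip_network(r["dst"])]


def check_tunnel(client, gateway, target):
    """Sanity-check a client -> gateway GRE setup that should carry traffic for
    `target` out through the gateway's eth0. Returns a list of findings
    (an empty list means the configuration is consistent)."""
    findings = []
    c, g = client, gateway
    # GRE outer endpoints and inner tunnel addresses must mirror each other.
    if c["gre"]["remote"] != g["gre"]["local"] or g["gre"]["remote"] != c["gre"]["local"]:
        findings.append("GRE local/remote endpoints do not mirror each other")
    if c["tun"]["peer"] != g["tun"]["addr"] or g["tun"]["peer"] != c["tun"]["addr"]:
        findings.append("tun0 addr/peer pairs do not mirror each other")
    # The client must push the target into the tunnel ...
    if not any(r["dev"] == "tun0" for r in routes_for(c, target)):
        findings.append(f"{c['name']}: no route sends {target} into tun0")
    # ... but the gateway must not send it back into the same tunnel, or the
    # SYN just bounces between the two ends and never reaches eth0.
    for r in routes_for(g, target):
        if r["dev"] == "tun0":
            findings.append(
                f"{g['name']}: route {r['dst']} via {r['via']} dev tun0 "
                f"sends {target} back into the tunnel"
            )
    # Traffic leaving eth0 with a 100.64.0.0/10 source needs the MASQUERADE rule.
    if not any(ip_address(target) in ip_network(n) for n in g["masquerade"]):
        findings.append(f"{g['name']}: no MASQUERADE rule covers {target}")
    return findings


if __name__ == "__main__":
    for gw in (TEST_GW, TEST_GW_FIXED):
        print(gw["name"], check_tunnel(TEST, gw, "180.101.49.12") or ["OK"])
```

The check is deliberately one-directional: it only cares that the gateway does not forward the prefix back out the interface it received it on, which is the single route that turns this setup into a loop.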
Problems
- In test, running
nc -v www.baidu.com 443
fails with: nc: getaddrinfo: Try again
- If instead
nc -v 180.101.49.12 443
is run in test while tcpdump captures in test_gw:
03:55:04.573358 IP 100.64.0.1.41036 > 180.101.49.12.443: Flags [S], seq 1595471296, win 64620, options [mss 1436,sackOK,TS val 1040158415 ecr 0,nop,wscale 7], length 0
03:55:04.573392 IP 100.64.0.2.41036 > 180.101.49.12.443: Flags [S], seq 1595471296, win 64620, options [mss 1436,sackOK,TS val 1040158415 ecr 0,nop,wscale 7], length 0
03:55:04.573455 IP 100.64.0.1 > 100.64.0.2: ICMP redirect 180.101.49.12 to host 180.101.49.12, length 68
03:55:04.573466 IP 100.64.0.2.41036 > 180.101.49.12.443: Flags [S], seq 1595471296, win 64620, options [mss 1436,sackOK,TS val 1040158415 ecr 0,nop,wscale 7], length 0
03:55:05.571442 IP 100.64.0.1.41036 > 180.101.49.12.443: Flags [S], seq 1595471296, win 64620, options [mss 1436,sackOK,TS val 1040159448 ecr 0,nop,wscale 7], length 0
03:55:05.571486 IP 100.64.0.2.41036 > 180.101.49.12.443: Flags [S], seq 1595471296, win 64620, options [mss 1436,sackOK,TS val 1040159448 ecr 0,nop,wscale 7], length 0
Only SYN packets are seen, even with the NAT rule added.
TODO: check the seq number of [fin]
04:46:36.504551 IP 100.64.0.1.34044 > 180.101.49.12.443: Flags [S], seq 1712910769, win 64620, options [mss 1436,sackOK,TS val 1686209722 ecr 0,nop,wscale 7], length 0
04:46:36.534046 IP 180.101.49.12.443 > 100.64.0.1.34044: Flags [S.], seq 452857006, ack 1712910770, win 65535, options [mss 1460,wscale 2,eol], length 0
04:46:36.534238 IP 100.64.0.1.34044 > 180.101.49.12.443: Flags [.], ack 1, win 505, length 0
04:50:09.828412 IP 100.64.0.1.34044 > 180.101.49.12.443: Flags [F.], seq 1, ack 1, win 505, length 0
04:50:09.828936 IP 180.101.49.12.443 > 100.64.0.1.34044: Flags [.], ack 2, win 65535, length 0
04:50:46.342173 IP 180.101.49.12.443 > 100.64.0.1.34044: Flags [F.], seq 1, ack 2, win 65535, length 0
04:50:46.342297 IP 100.64.0.1.34044 > 180.101.49.12.443: Flags [.], ack 2, win 505, length 0
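As an added example (my own Python, not part of the original notes), the script below parses both tcpdump captures above with one small parser. For the first capture it puts numbers on what the problem section shows: the same SYN (same seq, same destination) leaves with two different source addresses, an ICMP redirect appears, and no SYN-ACK ever comes back, which is the signature of the gateway masquerading the packet and sending it back into tun0 rather than out to the Internet. For the second capture it answers the TODO: tcpdump prints absolute seq/ack numbers on SYN-flagged packets and relative ones afterwards, so the script normalises both to relative and checks that every SYN and FIN is acknowledged with seq+1 (each consumes one sequence number). The capture lines are copied from the notes; the function names and the dict layout are my assumptions.

```python
import re
from collections import defaultdict

# Sample input: the two tcpdump captures from the notes, copied verbatim.
LOOP_CAPTURE = """\
03:55:04.573358 IP 100.64.0.1.41036 > 180.101.49.12.443: Flags [S], seq 1595471296, win 64620, options [mss 1436,sackOK,TS val 1040158415 ecr 0,nop,wscale 7], length 0
03:55:04.573392 IP 100.64.0.2.41036 > 180.101.49.12.443: Flags [S], seq 1595471296, win 64620, options [mss 1436,sackOK,TS val 1040158415 ecr 0,nop,wscale 7], length 0
03:55:04.573455 IP 100.64.0.1 > 100.64.0.2: ICMP redirect 180.101.49.12 to host 180.101.49.12, length 68
03:55:04.573466 IP 100.64.0.2.41036 > 180.101.49.12.443: Flags [S], seq 1595471296, win 64620, options [mss 1436,sackOK,TS val 1040158415 ecr 0,nop,wscale 7], length 0
03:55:05.571442 IP 100.64.0.1.41036 > 180.101.49.12.443: Flags [S], seq 1595471296, win 64620, options [mss 1436,sackOK,TS val 1040159448 ecr 0,nop,wscale 7], length 0
03:55:05.571486 IP 100.64.0.2.41036 > 180.101.49.12.443: Flags [S], seq 1595471296, win 64620, options [mss 1436,sackOK,TS val 1040159448 ecr 0,nop,wscale 7], length 0
"""
OK_CAPTURE = """\
04:46:36.504551 IP 100.64.0.1.34044 > 180.101.49.12.443: Flags [S], seq 1712910769, win 64620, options [mss 1436,sackOK,TS val 1686209722 ecr 0,nop,wscale 7], length 0
04:46:36.534046 IP 180.101.49.12.443 > 100.64.0.1.34044: Flags [S.], seq 452857006, ack 1712910770, win 65535, options [mss 1460,wscale 2,eol], length 0
04:46:36.534238 IP 100.64.0.1.34044 > 180.101.49.12.443: Flags [.], ack 1, win 505, length 0
04:50:09.828412 IP 100.64.0.1.34044 > 180.101.49.12.443: Flags [F.], seq 1, ack 1, win 505, length 0
04:50:09.828936 IP 180.101.49.12.443 > 100.64.0.1.34044: Flags [.], ack 2, win 65535, length 0
04:50:46.342173 IP 180.101.49.12.443 > 100.64.0.1.34044: Flags [F.], seq 1, ack 2, win 65535, length 0
04:50:46.342297 IP 100.64.0.1.34044 > 180.101.49.12.443: Flags [.], ack 2, win 505, length 0
"""

HEADER_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?"
    r" > (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")
SEQ_RE = re.compile(r"\bseq (\d+)")
ACK_RE = re.compile(r"\back (\d+)")  # \b keeps 'sackOK' from matching


def parse_line(line):
    """One tcpdump text line -> dict, or None if it is not an 'IP a > b:' record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    p = m.groupdict()
    p["proto"] = "ICMP" if p["rest"].startswith("ICMP") else "TCP"
    flags, seq, ack = (rx.search(p["rest"]) for rx in (FLAGS_RE, SEQ_RE, ACK_RE))
    p["flags"] = flags.group(1) if flags else ""
    p["seq"] = int(seq.group(1)) if seq else None
    p["ack"] = int(ack.group(1)) if ack else None
    return p


def parse_capture(text):
    return [p for p in map(parse_line, text.splitlines()) if p]


def analyse_loop(pkts):
    """Why does the connection never get past SYN? Count SYN vs SYN-ACK and ICMP
    redirects, and find SYNs that reappear with a different source address:
    the same segment bounced back into the tunnel after MASQUERADE."""
    syns = [p for p in pkts if p["proto"] == "TCP" and p["flags"] == "S"]
    synacks = [p for p in pkts if p["proto"] == "TCP" and p["flags"] == "S."]
    redirects = [p for p in pkts if p["proto"] == "ICMP" and "redirect" in p["rest"]]
    sources = defaultdict(set)
    for p in syns:
        sources[(p["seq"], p["dst"], p["dport"])].add(p["src"])
    bounced = {seq: sorted(s) for (seq, _, _), s in sources.items() if len(s) > 1}
    return {"syn": len(syns), "syn_ack": len(synacks),
            "icmp_redirects": len(redirects), "bounced_syns": bounced}


def check_seq_numbers(pkts):
    """For each SYN and FIN, find the first later ACK from the peer and check it
    acknowledges seq+1. tcpdump prints absolute numbers on SYN-flagged packets
    and relative numbers afterwards, so everything is normalised to relative."""
    isn = {}  # (addr, port) -> initial sequence number of that direction
    for p in pkts:
        if p["proto"] == "TCP" and "S" in p["flags"]:
            isn[(p["src"], p["sport"])] = p["seq"]

    def rel_seq(p):
        return p["seq"] - isn[(p["src"], p["sport"])] if "S" in p["flags"] else p["seq"]

    def rel_ack(p):
        if p["ack"] is None:
            return None
        return p["ack"] - isn[(p["dst"], p["dport"])] if "S" in p["flags"] else p["ack"]

    tcp = [p for p in pkts if p["proto"] == "TCP"]
    results = []  # (timestamp, flags, expected ack, observed ack, ok)
    for i, p in enumerate(tcp):
        if "S" not in p["flags"] and "F" not in p["flags"]:
            continue
        expected = rel_seq(p) + 1
        reply = next((q for q in tcp[i + 1:]
                      if (q["src"], q["sport"]) == (p["dst"], p["dport"])
                      and q["ack"] is not None), None)
        observed = rel_ack(reply) if reply else None
        results.append((p["ts"], p["flags"], expected, observed, observed == expected))
    return results


if __name__ == "__main__":
    print(analyse_loop(parse_capture(LOOP_CAPTURE)))
    for row in check_seq_numbers(parse_capture(OK_CAPTURE)):
        print(row)
```

On the working capture all four checks pass: the SYN-ACK acknowledges ISN+1, the client's ACK is relative 1, and each FIN at relative seq 1 is answered with ack 2, so the FIN sequence numbers in the TODO are consistent.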