FTP file transfers keep jamming


So, a certain host needs to offer an FTP service,
so I used iptables to map port 2121 to port 21 on that host:
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 2121 -j DNAT --to-destination 192.168.1.123:21
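Then I set the data port to 2122.
That's when the strange things started.....
When the host (1.2.3.4) transfers certain files to an FTP server behind the NAT (2.3.4.5),
the transfer hangs, and sometimes the connection suddenly cannot be made at all,
but from other remote hosts (I tried three sites) connecting and transferring files all work normally.
It really feels like going around in circles.
Changing to different ports: same result.
Making the FTP server port and the iptables mapped port identical: same result.
Adding the following to iptables: same result.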
iptables -A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
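Changing the MTU value: same result.
I really can't figure it out; none of the other hosts behave this way, only 1.2.3.4 does.
Finally I cleared the Linux ARP cache, and that seemed to help a little;
transfers started working again,
but would it suddenly break off again????????
Sure enough, it got stuck again with 551 bytes remaining...
Really baffling...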


Records captured with tcpdump
An ending that is not quite right
10:46:28.736435 IP 1.2.3.4.50587 > 2.3.4.5.HINET-IP.hinet.net.2122: . 2766512:2767964(1452) ack 1 win 260
10:46:28.736545 IP 1.2.3.4.50587 > 2.3.4.5.HINET-IP.hinet.net.2122: P 2767964:2768896(932) ack 1 win 260
10:46:28.737296 IP 2.3.4.5.HINET-IP.hinet.net.2122 > 1.2.3.4.50587: . ack 2762156 win 65535
10:46:28.737320 IP 2.3.4.5.HINET-IP.hinet.net.2122 > 1.2.3.4.50587: . ack 2765060 win 65535
10:46:28.737342 IP 2.3.4.5.HINET-IP.hinet.net.2122 > 1.2.3.4.50587: . ack 2767964 win 65535
10:46:28.815986 IP 1.2.3.4.50587 > 2.3.4.5.HINET-IP.hinet.net.2122: P 2768896:2769447(551) ack 1 win 260
10:46:28.860889 IP 2.3.4.5.HINET-IP.hinet.net.2122 > 1.2.3.4.50587: . ack 2768896 win 64603
10:46:28.939158 IP 1.2.3.4.50587 > 2.3.4.5.HINET-IP.hinet.net.2122: F 2769447:2769447(0) ack 1 win 260
10:46:28.939297 IP 2.3.4.5.HINET-IP.hinet.net.2122 > 1.2.3.4.50587: . ack 2768896 win 64603 <nop,nop,sack 1 {2769447:2769448}>
10:46:29.250230 IP 1.2.3.4.50587 > 2.3.4.5.HINET-IP.hinet.net.2122: FP 2768896:2769447(551) ack 1 win 260
10:46:29.858240 IP 1.2.3.4.50587 > 2.3.4.5.HINET-IP.hinet.net.2122: FP 2768896:2769447(551) ack 1 win 260
10:46:31.059439 IP 1.2.3.4.50587 > 2.3.4.5.HINET-IP.hinet.net.2122: FP 2768896:2769447(551) ack 1 win 260
10:46:33.462147 IP 1.2.3.4.50587 > 2.3.4.5.HINET-IP.hinet.net.2122: FP 2768896:2769447(551) ack 1 win 260
10:46:38.266560 IP 1.2.3.4.50587 > 2.3.4.5.HINET-IP.hinet.net.2122: FP 2768896:2769447(551) ack 1 win 260
10:46:47.875998 IP 1.2.3.4.50587 > 2.3.4.5.HINET-IP.hinet.net.2122: R 2769448:2769448(0) ack 1 win 0
10:46:47.876140 IP 2.3.4.5.HINET-IP.hinet.net.2122 > 1.2.3.4.50587: . ack 2768896 win 64603 <nop,nop,sack 1 {2769447:2769448}>

What a coincidence....... the files always get stuck with 551 bytes remaining

17:45:35.147219 IP 1.2.3.4.51458 > 2.3.4.5.HINET-IP.hinet.net.2122: . 798980:800432(1452) ack 1 win 260
17:45:35.147473 IP 1.2.3.4.51458 > 2.3.4.5.HINET-IP.hinet.net.2122: . 800432:801884(1452) ack 1 win 260
17:45:35.147516 IP 1.2.3.4.51458 > 2.3.4.5.HINET-IP.hinet.net.2122: P 801884:802435(551) ack 1 win 260
17:45:35.147732 IP 2.3.4.5.HINET-IP.hinet.net.2122 > 1.2.3.4.51458: . ack 800432 win 65535
17:45:35.205000 IP 1.2.3.4.51458 > 2.3.4.5.HINET-IP.hinet.net.2122: F 802435:802435(0) ack 1 win 260
17:45:35.205146 IP 2.3.4.5.HINET-IP.hinet.net.2122 > 1.2.3.4.51458: . ack 801884 win 65535 <nop,nop,sack 1 {802435:802436}>
17:45:35.588111 IP 1.2.3.4.51458 > 2.3.4.5.HINET-IP.hinet.net.2122: FP 801884:802435(551) ack 1 win 260
17:45:36.196605 IP 1.2.3.4.51458 > 2.3.4.5.HINET-IP.hinet.net.2122: FP 801884:802435(551) ack 1 win 260
17:45:37.397616 IP 1.2.3.4.51458 > 2.3.4.5.HINET-IP.hinet.net.2122: FP 801884:802435(551) ack 1 win 260
17:45:39.816028 IP 1.2.3.4.51458 > 2.3.4.5.HINET-IP.hinet.net.2122: FP 801884:802435(551) ack 1 win 260
17:45:44.623436 IP 1.2.3.4.51458 > 2.3.4.5.HINET-IP.hinet.net.2122: FP 801884:802435(551) ack 1 win 260
17:45:45.217163 IP 192.168.65.112.2122 > 1.2.3.4.51451: F 2694783966:2694783966(0) ack 11686513 win 65535
17:45:54.229889 IP 1.2.3.4.51458 > 2.3.4.5.HINET-IP.hinet.net.2122: R 802436:802436(0) ack 1 win 0
17:45:54.230053 IP 2.3.4.5.HINET-IP.hinet.net.2122 > 1.2.3.4.51458: . ack 801884 win 65535 <nop,nop,sack 1 {802435:802436}>
17:46:15.294639 IP 192.168.65.112.2122 > 1.2.3.4.51451: F 0:0(0) ack 1 win 65535
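
The stall pattern in the two captures above (the final 551-byte segment resent at growing intervals until the sender gives up with an RST) can be picked out of a tcpdump text log automatically. The Python below is an added example, not part of the original post; the function name find_stalls and the min_sends threshold are assumptions, and the sample lines are copied from the second capture.

```python
import re
from collections import defaultdict

# Old-style tcpdump text: "time IP src > dst: flags seq:seq(len) ack N ...".
SEG = re.compile(r"^(\d+):(\d+):([\d.]+) IP (\S+) > (\S+): ([SFPR.]+) (\d+):(\d+)\((\d+)\)")
ACK = re.compile(r" IP (\S+) > (\S+): .*?\back (\d+)")

# Sample input: lines copied from the second abnormal trace in the post.
TRACE = """\
17:45:35.147516 IP 1.2.3.4.51458 > 2.3.4.5.HINET-IP.hinet.net.2122: P 801884:802435(551) ack 1 win 260
17:45:35.205000 IP 1.2.3.4.51458 > 2.3.4.5.HINET-IP.hinet.net.2122: F 802435:802435(0) ack 1 win 260
17:45:35.205146 IP 2.3.4.5.HINET-IP.hinet.net.2122 > 1.2.3.4.51458: . ack 801884 win 65535 <nop,nop,sack 1 {802435:802436}>
17:45:35.588111 IP 1.2.3.4.51458 > 2.3.4.5.HINET-IP.hinet.net.2122: FP 801884:802435(551) ack 1 win 260
17:45:36.196605 IP 1.2.3.4.51458 > 2.3.4.5.HINET-IP.hinet.net.2122: FP 801884:802435(551) ack 1 win 260
17:45:37.397616 IP 1.2.3.4.51458 > 2.3.4.5.HINET-IP.hinet.net.2122: FP 801884:802435(551) ack 1 win 260
17:45:39.816028 IP 1.2.3.4.51458 > 2.3.4.5.HINET-IP.hinet.net.2122: FP 801884:802435(551) ack 1 win 260
17:45:44.623436 IP 1.2.3.4.51458 > 2.3.4.5.HINET-IP.hinet.net.2122: FP 801884:802435(551) ack 1 win 260
17:45:54.229889 IP 1.2.3.4.51458 > 2.3.4.5.HINET-IP.hinet.net.2122: R 802436:802436(0) ack 1 win 0
"""

def find_stalls(text, min_sends=3):
    """Report data segments sent at least min_sends times on one flow."""
    sends = defaultdict(list)    # (src, dst, seq_start, seq_end) -> send times
    acked = defaultdict(int)     # (acker, peer) -> highest ack number seen
    reset = set()                # (src, dst) flows the sender aborted with RST
    for line in text.splitlines():
        a = ACK.search(line)
        if a:
            acked[a.group(1, 2)] = max(acked[a.group(1, 2)], int(a.group(3)))
        m = SEG.match(line)
        if not m:
            continue             # pure ACKs and commentary have no seq range
        h, mi, s, src, dst, flags, start, end, length = m.groups()
        if "R" in flags:
            reset.add((src, dst))
        elif int(length) > 0:
            ts = int(h) * 3600 + int(mi) * 60 + float(s)
            sends[(src, dst, int(start), int(end))].append(ts)
    return [{"flow": (src, dst), "seq": (start, end), "sends": len(t),
             "gaps": [round(b - a, 2) for a, b in zip(t, t[1:])],
             "peer_acked": acked[(dst, src)],  # below seq end: never acknowledged
             "reset": (src, dst) in reset}
            for (src, dst, start, end), t in sends.items() if len(t) >= min_sends]

if __name__ == "__main__":
    print(find_stalls(TRACE))
```

A peer_acked value that stays at the start of the repeated segment, together with reset set to True, means the receiver's ACKs at the capture point never covered those last bytes before the sender aborted.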

The second kind of abnormal behaviour (it seems to get stuck right after the handshake)
14:38:40.410298 IP 1.2.3.4.59798 > 2.3.4.5.HINET-IP.hinet.net.2122: S 405981170:405981170(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:38:40.410419 IP 2.3.4.5.HINET-IP.hinet.net.2122 > 1.2.3.4.59798: S 3427131497:3427131497(0) ack 405981171 win 16384 <mss 1452,nop,wscale 0,nop,nop,sackOK>
14:38:40.488246 IP 1.2.3.4.59798 > 2.3.4.5.HINET-IP.hinet.net.2122: . ack 1 win 260
14:38:40.569975 IP 1.2.3.4.59798 > 2.3.4.5.HINET-IP.hinet.net.2122: R 1:23(22) ack 1 win 260
Why send an RST? I really don't understand.
14:38:41.760530 IP 1.2.3.4.59800 > 2.3.4.5.HINET-IP.hinet.net.2122: S 321932119:321932119(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:38:41.760722 IP 2.3.4.5.HINET-IP.hinet.net.2122 > 1.2.3.4.59800: S 1062905933:1062905933(0) ack 321932120 win 16384 <mss 1452,nop,wscale 0,nop,nop,sackOK>
14:38:41.838006 IP 1.2.3.4.59800 > 2.3.4.5.HINET-IP.hinet.net.2122: . ack 1 win 260
14:38:41.918221 IP 1.2.3.4.59800 > 2.3.4.5.HINET-IP.hinet.net.2122: R 1:23(22) ack 1 win 260
14:38:43.121001 IP 1.2.3.4.59802 > 2.3.4.5.HINET-IP.hinet.net.2122: S 1507780913:1507780913(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>

A normal start (Data Port)

15:07:45.974673 IP 1.2.3.4.60640 > 2.3.4.5.HINET-IP.hinet.net.2122: S 1826863521:1826863521(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
15:07:45.974874 IP 2.3.4.5.HINET-IP.hinet.net.2122 > 1.2.3.4.60640: S 2262885533:2262885533(0) ack 1826863522 win 16384 <mss 1452,nop,wscale 0,nop,nop,sackOK>
15:07:46.070670 IP 1.2.3.4.60640 > 2.3.4.5.HINET-IP.hinet.net.2122: . ack 1 win 260
15:07:46.169251 IP 1.2.3.4.60640 > 2.3.4.5.HINET-IP.hinet.net.2122: . 1:1453(1452) ack 1 win 260
15:07:46.169498 IP 1.2.3.4.60640 > 2.3.4.5.HINET-IP.hinet.net.2122: . 1453:2905(1452) ack 1 win 260
15:07:46.170015 IP 2.3.4.5.HINET-IP.hinet.net.2122 > 1.2.3.4.60640: . ack 2905 win 65535
15:07:46.267141 IP 1.2.3.4.60640 > 2.3.4.5.HINET-IP.hinet.net.2122: . 2905:4357(1452) ack 1 win 260
15:07:46.267509 IP 1.2.3.4.60640 > 2.3.4.5.HINET-IP.hinet.net.2122: . 4357:5809(1452) ack 1 win 260
15:07:46.267748 IP 1.2.3.4.60640 > 2.3.4.5.HINET-IP.hinet.net.2122: . 5809:7261(1452) ack 1 win 260
15:07:46.268000 IP 1.2.3.4.60640 > 2.3.4.5.HINET-IP.hinet.net.2122: P 7261:8713(1452) ack 1 win 260
15:07:46.268042 IP 2.3.4.5.HINET-IP.hinet.net.2122 > 1.2.3.4.60640: . ack 5809 win 65535
15:07:46.268524 IP 2.3.4.5.HINET-IP.hinet.net.2122 > 1.2.3.4.60640: . ack 8713 win 65535
15:07:46.366657 IP 1.2.3.4.60640 > 2.3.4.5.HINET-IP.hinet.net.2122: . 8713:10165(1452) ack 1 win 260
15:07:46.366899 IP 1.2.3.4.60640 > 2.3.4.5.HINET-IP.hinet.net.2122: . 10165:11617(1452) ack 1 win 260
15:07:46.367144 IP 1.2.3.4.60640 > 2.3.4.5.HINET-IP.hinet.net.2122: . 11617:13069(1452) ack 1 win 260
15:07:46.367265 IP 1.2.3.4.60640 > 2.3.4.5.HINET-IP.hinet.net.2122: . 13069:14521(1452) ack 1 win 260
15:07:46.367420 IP 2.3.4.5.HINET-IP.hinet.net.2122 > 1.2.3.4.60640: . ack 11617 win 65535
15:07:46.367486 IP 1.2.3.4.60640 > 2.3.4.5.HINET-IP.hinet.net.2122: . 14521:15973(1452) ack 1 win 260
15:07:46.367788 IP 2.3.4.5.HINET-IP.hinet.net.2122 > 1.2.3.4.60640: . ack 14521 win 65535
15:07:46.367895 IP 1.2.3.4.60640 > 2.3.4.5.HINET-IP.hinet.net.2122: P 15973:17425(1452) ack 1 win 260
15:07:46.368141 IP 1.2.3.4.60640 > 2.3.4.5.HINET-IP.hinet.net.2122: . 17425:18877(1452) ack 1 win 260
15:07:46.368262 IP 1.2.3.4.60640 > 2.3.4.5.HINET-IP.hinet.net.2122: . 18877:20329(1452) ack 1 win 260
15:07:46.368408 IP 2.3.4.5.HINET-IP.hinet.net.2122 > 1.2.3.4.60640: . ack 17425 win 65535
15:07:46.368777 IP 2.3.4.5.HINET-IP.hinet.net.2122 > 1.2.3.4.60640: . ack 20329 win 65535
15:07:46.464389 IP 1.2.3.4.60640 > 2.3.4.5.HINET-IP.hinet.net.2122: . 20329:21781(1452) ack 1 win 260
15:07:46.464681 IP 1.2.3.4.60640 > 2.3.4.5.HINET-IP.hinet.net.2122: . 21781:23233(1452) ack 1 win 260

A normal ending (Data Port)
17:30:19.056592 IP 1.2.3.4.50695 > 2.3.4.5.HINET-IP.hinet.net.2122: . 3272705:3274157(1452) ack 1 win 16698
17:30:19.057060 IP 1.2.3.4.50695 > 2.3.4.5.HINET-IP.hinet.net.2122: . 3274157:3275609(1452) ack 1 win 16698
17:30:19.057102 IP 2.3.4.5.HINET-IP.hinet.net.2122 > 1.2.3.4.50695: . ack 3274157 win 65535
17:30:19.057159 IP 1.2.3.4.50695 > 2.3.4.5.HINET-IP.hinet.net.2122: P 3275609:3276801(1192) ack 1 win 16698
17:30:19.057280 IP 1.2.3.4.50695 > 2.3.4.5.HINET-IP.hinet.net.2122: P 3276801:3277659(858) ack 1 win 16698
17:30:19.057674 IP 2.3.4.5.HINET-IP.hinet.net.2122 > 1.2.3.4.50695: . ack 3276801 win 65535
17:30:19.135571 IP 1.2.3.4.50695 > 2.3.4.5.HINET-IP.hinet.net.2122: F 3277659:3277659(0) ack 1 win 16698
17:30:19.135721 IP 2.3.4.5.HINET-IP.hinet.net.2122 > 1.2.3.4.50695: . ack 3277660 win 64677
17:30:19.135971 IP 2.3.4.5.HINET-IP.hinet.net.2122 > 1.2.3.4.50695: F 1:1(0) ack 3277660 win 64677
17:30:19.214566 IP 1.2.3.4.50695 > 2.3.4.5.HINET-IP.hinet.net.2122: . ack 2 win 16698
17:30:19.486572 IP 1.2.3.4.50696 > 2.3.4.5.HINET-IP.hinet.net.2122: S 497897029:497897029(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
17:30:19.486764 IP 2.3.4.5.HINET-IP.hinet.net.2122 > 1.2.3.4.50696: S 20995647:20995647(0) ack 497897030 win 16384 <mss 1452,nop,wscale 0,nop,nop,sackOK>
17:30:19.554628 IP 1.2.3.4.50696 > 2.3.4.5.HINET-IP.hinet.net.2122: . ack 1 win 16698
