Response to IP Forwarded Port not coming back

本秂侑毒 submitted on 2021-01-29 09:33:47

Question


tl;dr: I have a problem where a port forwarding is not working properly. The response never seems to come back (times out), despite seeing packets all the way.

Situation

In short: https://raspberry-ip:5555 should load https://server-ip:9999 but it doesn't despite the fact that the port forwarding seems to be working.

  • I have a server which replies to port 9999 with a website. I can access directly from my laptop.

  • I have a Raspberry Pi, which forwards the traffic to the server from local port 5555 to the port 9999 (details).

  • I can see the packets coming back to my laptop from the server.

However, the request times out on the browser (ERR_CONNECTION_TIMED_OUT).

Troubleshooting

Doing a tcpdump on port 5555 on the Raspberry Pi, I see the traffic incoming. Sample:

16:54:56.447235 IP 192.168.250.18.57300 > 192.168.250.8.5555: Flags [S], seq 691303721, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 280675211 ecr 0,sackOK,eol], length 0

Doing a tcpdump on port 9999 on the server looks fine, and coming directly from the laptop:

16:55:55.710925 IP 192.168.250.18.57315 > 192.168.250.250.9999: Flags [S], seq 2427731411, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 280734035 ecr 0,sackOK,eol], length 0

Doing a tcpdump from the server to the laptop (on the laptop), I can see interactions too:

17:12:43.653411 IP 192.168.250.250.9999 > 192.168.250.18.57998: Flags [S.], seq 1225747155, ack 4067090852, win 65160, options [mss 1460,sackOK,TS val 2493575411 ecr 281722216,nop,wscale 7], length 0

All 3 machines (my laptop, the Raspberry Pi and the server) are on the same /24 subnet and all the routes are configured correctly. Additionally, I can ping the machines from one another. So it doesn't look like an issue with routes.


Answer 1:


The problem is as follows:

192.168.250.18    192.168.250.8  192.168.250.250
   [client] ------ [raspberry] ----- [server]

What happens here is that the server receives the redirected packet from the Raspberry Pi, but will try to return the packet directly to the client, as they belong to the same subnet (this is an assumption, though; can you confirm all devices are on the same /24 network?). The client will then discard it because it's coming from the server's IP address (192.168.250.250) and it's not part of the initial session which the client tried to establish to 192.168.250.8.

One way to solve this problem is to perform SNAT on the Raspberry Pi:

$ iptables -t nat -I POSTROUTING -p tcp -s 192.168.250.18 -d 192.168.250.250 -j MASQUERADE

This will change the source address of the IP header when the Raspberry Pi is sending traffic to the server, so the server will return the traffic to the Raspberry Pi and not directly to the client.
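The asymmetric-return problem described in this answer, as an added simulation that is not part of the original question or answer: it models the three hosts from the diagram, a Pi that applies a DNAT rule for 5555 -> 9999 (the DNAT rule itself is assumed, since the question only links to it) with or without the MASQUERADE rule above, and a client that only accepts a SYN-ACK whose 4-tuple matches the connection it opened. The `NatBox` class and the `run()` helper are hypothetical names for this model; the conntrack-style reverse translation stands in for what the kernel's connection tracking does for real iptables NAT.

```python
"""Constructed model of the port-forwarding path from the question.

Hosts: client 192.168.250.18, Raspberry Pi 192.168.250.8, server 192.168.250.250,
all on one /24, so any host can deliver a packet straight to any other.
"""
from dataclasses import dataclass, replace

CLIENT, PI, SERVER = "192.168.250.18", "192.168.250.8", "192.168.250.250"
CLIENT_PORT = 57300  # ephemeral port taken from the question's tcpdump line


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


class NatBox:
    """Hypothetical model of the Pi: DNAT in PREROUTING, optional MASQUERADE in
    POSTROUTING, and a conntrack-style table used to un-NAT reply traffic."""

    def __init__(self, own_ip, listen_port, target_ip, target_port, masquerade):
        self.own_ip = own_ip
        self.listen_port = listen_port
        self.target = (target_ip, target_port)
        self.masquerade = masquerade
        self.conntrack = {}  # expected reply tuple -> original client packet

    def forward(self, pkt):
        # PREROUTING: only traffic aimed at own_ip:listen_port is DNATed.
        if (pkt.dst, pkt.dport) != (self.own_ip, self.listen_port):
            return None
        out = replace(pkt, dst=self.target[0], dport=self.target[1])
        # POSTROUTING: MASQUERADE rewrites the source to the Pi's own address
        # (source port kept unchanged to keep the model simple).
        if self.masquerade:
            out = replace(out, src=self.own_ip)
        # Remember what the reply from the server will look like.
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def reverse(self, pkt):
        # Reply that reached the Pi: map it back onto the client's original tuple.
        orig = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None
        return Packet(src=orig.dst, sport=orig.dport,
                      dst=orig.src, dport=orig.sport, flags=pkt.flags)


def server_reply(pkt):
    """The server answers the SYN with a SYN-ACK to whatever source it saw."""
    return Packet(src=pkt.dst, sport=pkt.dport, dst=pkt.src, dport=pkt.sport, flags="S.")


def run(masquerade):
    """Return (reply as seen by the client, whether the client accepts it)."""
    pi = NatBox(PI, 5555, SERVER, 9999, masquerade)
    syn = Packet(CLIENT, CLIENT_PORT, PI, 5555, "S")
    reply = server_reply(pi.forward(syn))
    # Same /24: the server delivers the reply directly to reply.dst, so the
    # Pi only gets to un-NAT it when the Pi's own address is the destination.
    if reply.dst == PI:
        reply = pi.reverse(reply)
    # The client's socket expects its peer to be 192.168.250.8:5555.
    expected = (PI, 5555, CLIENT, CLIENT_PORT)
    accepted = (reply.src, reply.sport, reply.dst, reply.dport) == expected
    return reply, accepted


if __name__ == "__main__":
    for masq in (False, True):
        reply, ok = run(masq)
        print(f"MASQUERADE={masq}: SYN-ACK from {reply.src}:{reply.sport} "
              f"-> {'accepted' if ok else 'discarded by client'}")
```

Without the MASQUERADE rule the SYN-ACK arrives from 192.168.250.250:9999, which matches no socket on the client, so the browser eventually reports the timeout seen in the question; with it, the reply is routed back through the Pi, un-NATed, and arrives from 192.168.250.8:5555 as the client expects.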



Source: https://stackoverflow.com/questions/65868741/response-to-ip-forwarded-port-not-coming-back
