@richzw
Created March 9, 2022 04:48
DockerTest

Start two Docker containers, named test and test_gw (the latter acts as the gateway for the Baidu URL).

  1. test
docker run --name test --cap-add=NET_ADMIN --cap-add=NET_RAW -d test:1.2

The IP of eth0 in the test container is 172.17.0.4

# ping www.baidu.com
PING www.baidu.com (180.101.49.12): 56 data bytes
64 bytes from 180.101.49.12: seq=0 ttl=37 time=28.758 ms

So from test, www.baidu.com resolves to 180.101.49.12.

# ip tunnel add tun0 mode gre remote 172.17.0.5 local 172.17.0.4 ttl 64
# ip link set tun0 up
# ip addr add 100.64.0.1 peer 100.64.0.2 dev tun0

# ip route add 180.101.49.0/24 via 100.64.0.1 dev tun0

  2. test_gw
docker run --name test_gw --cap-add=NET_ADMIN --cap-add=NET_RAW -d test:1.2

The IP of eth0 in the test_gw container is 172.17.0.5

# ip tunnel add tun0 mode gre remote 172.17.0.4 local 172.17.0.5 ttl 64
# ip link set tun0 up
# ip addr add 100.64.0.2 peer 100.64.0.1 dev tun0

# ip route add 180.101.49.0/24 via 100.64.0.2 dev tun0

Add NAT

# iptables -t nat -A POSTROUTING -d 180.101.49.0/24 -j MASQUERADE

Problems

  1. Running nc -v www.baidu.com 443 inside test fails with the error nc: getaddrinfo: Try again

  2. If nc -v 180.101.49.12 443 is run inside test while capturing with tcpdump on test_gw, the capture shows:

03:55:04.573358 IP 100.64.0.1.41036 > 180.101.49.12.443: Flags [S], seq 1595471296, win 64620, options [mss 1436,sackOK,TS val 1040158415 ecr 0,nop,wscale 7], length 0
03:55:04.573392 IP 100.64.0.2.41036 > 180.101.49.12.443: Flags [S], seq 1595471296, win 64620, options [mss 1436,sackOK,TS val 1040158415 ecr 0,nop,wscale 7], length 0
03:55:04.573455 IP 100.64.0.1 > 100.64.0.2: ICMP redirect 180.101.49.12 to host 180.101.49.12, length 68
03:55:04.573466 IP 100.64.0.2.41036 > 180.101.49.12.443: Flags [S], seq 1595471296, win 64620, options [mss 1436,sackOK,TS val 1040158415 ecr 0,nop,wscale 7], length 0
03:55:05.571442 IP 100.64.0.1.41036 > 180.101.49.12.443: Flags [S], seq 1595471296, win 64620, options [mss 1436,sackOK,TS val 1040159448 ecr 0,nop,wscale 7], length 0
03:55:05.571486 IP 100.64.0.2.41036 > 180.101.49.12.443: Flags [S], seq 1595471296, win 64620, options [mss 1436,sackOK,TS val 1040159448 ecr 0,nop,wscale 7], length 0

Only SYN packets are seen, even after adding the NAT rule.
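An added example, not part of the gist: a small Python analyser that reads tcpdump text like the capture above and flags the symptom visible in it, namely a SYN that reappears with its source rewritten to the other tunnel endpoint (100.64.0.2) and is never answered by a SYN-ACK, together with any ICMP redirects. The two embedded samples are copied from the gist's own traces (the failing capture above and the working handshake from the March 14 comment), and the tunnel endpoint addresses are the ones configured above. The flagged pattern is consistent with the 180.101.49.0/24 route on test_gw pointing back into tun0 instead of out eth0, which is a reading of the capture and not something the gist states.

```python
import re
from collections import defaultdict

# Constructed samples copied from the gist: the SYN lines and ICMP redirect captured on
# test_gw while the tunnel was misbehaving, and the later three-way handshake that worked.
LOOPED = """\
03:55:04.573358 IP 100.64.0.1.41036 > 180.101.49.12.443: Flags [S], seq 1595471296, win 64620, options [mss 1436,sackOK,TS val 1040158415 ecr 0,nop,wscale 7], length 0
03:55:04.573392 IP 100.64.0.2.41036 > 180.101.49.12.443: Flags [S], seq 1595471296, win 64620, options [mss 1436,sackOK,TS val 1040158415 ecr 0,nop,wscale 7], length 0
03:55:04.573455 IP 100.64.0.1 > 100.64.0.2: ICMP redirect 180.101.49.12 to host 180.101.49.12, length 68
03:55:04.573466 IP 100.64.0.2.41036 > 180.101.49.12.443: Flags [S], seq 1595471296, win 64620, options [mss 1436,sackOK,TS val 1040158415 ecr 0,nop,wscale 7], length 0
"""
WORKING = """\
04:46:36.504551 IP 100.64.0.1.34044 > 180.101.49.12.443: Flags [S], seq 1712910769, win 64620, options [mss 1436,sackOK,TS val 1686209722 ecr 0,nop,wscale 7], length 0
04:46:36.534046 IP 180.101.49.12.443 > 100.64.0.1.34044: Flags [S.], seq 452857006, ack 1712910770, win 65535, options [mss 1460,wscale 2,eol], length 0
04:46:36.534238 IP 100.64.0.1.34044 > 180.101.49.12.443: Flags [.], ack 1, win 505, length 0
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
TCP_RE = re.compile(rf"^\S+ IP {IP}\.(\d+) > {IP}\.(\d+): Flags \[([^\]]+)\], seq (\d+)")
ICMP_RE = re.compile(rf"^\S+ IP {IP} > {IP}: ICMP redirect {IP} to host {IP}")

def analyse(capture, tunnel_addrs=("100.64.0.1", "100.64.0.2")):
    """Flag SYNs that reappear with their source rewritten to the other tunnel endpoint
    (a NAT hairpin back into tun0) and report whether any of them ever got a SYN-ACK."""
    syn_sources = defaultdict(set)  # (dst, dport, sport, seq) -> client addresses seen
    synacked = set()                # (client, sport) pairs answered by a SYN-ACK
    redirects = []                  # (sender, receiver, new gateway) from ICMP redirects
    for line in capture.splitlines():
        if m := TCP_RE.match(line):
            src, sport, dst, dport, flags, seq = m.groups()
            if flags == "S":
                syn_sources[(dst, dport, sport, seq)].add(src)
            elif flags == "S.":
                synacked.add((dst, dport))
        elif m := ICMP_RE.match(line):
            redirects.append((m.group(1), m.group(2), m.group(4)))
    hairpins = []
    for (dst, dport, sport, seq), srcs in syn_sources.items():
        # the same SYN (same port and sequence number) sent from both tunnel addresses
        if len(srcs) > 1 and srcs <= set(tunnel_addrs):
            hairpins.append({"dst": f"{dst}:{dport}", "seq": seq, "sources": sorted(srcs),
                             "answered": any((s, sport) in synacked for s in srcs)})
    return {"hairpinned_syns": hairpins, "redirects": redirects}

if __name__ == "__main__":
    print(analyse(LOOPED))   # one hairpinned, unanswered SYN plus one ICMP redirect
    print(analyse(WORKING))  # no hairpins: the SYN is answered and the handshake completes
```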

FROM alpine:latest
RUN apk add -U libcap netcat-openbsd
RUN apk add --no-cache iptables ip6tables
RUN apk --no-cache add tcpdump
ENTRYPOINT ["sleep", "1h"]

richzw commented Mar 14, 2022

TODO: check the seq number of [fin]
04:46:36.504551 IP 100.64.0.1.34044 > 180.101.49.12.443: Flags [S], seq 1712910769, win 64620, options [mss 1436,sackOK,TS val 1686209722 ecr 0,nop,wscale 7], length 0
04:46:36.534046 IP 180.101.49.12.443 > 100.64.0.1.34044: Flags [S.], seq 452857006, ack 1712910770, win 65535, options [mss 1460,wscale 2,eol], length 0
04:46:36.534238 IP 100.64.0.1.34044 > 180.101.49.12.443: Flags [.], ack 1, win 505, length 0
04:50:09.828412 IP 100.64.0.1.34044 > 180.101.49.12.443: Flags [F.], seq 1, ack 1, win 505, length 0
04:50:09.828936 IP 180.101.49.12.443 > 100.64.0.1.34044: Flags [.], ack 2, win 65535, length 0
04:50:46.342173 IP 180.101.49.12.443 > 100.64.0.1.34044: Flags [F.], seq 1, ack 2, win 65535, length 0
04:50:46.342297 IP 100.64.0.1.34044 > 180.101.49.12.443: Flags [.], ack 2, win 505, length 0
