abs.twimg.comでTLSハンドシェイクを実行しています-サーバーハローがありません(Twitterページが正しく読み込まれていません)
このネットワークサーバーの背後にある2つのネットワークのネットワークトラフィックをフィルタリングするために、ルーター、ファイアウォール、およびプロキシ(透過モード)の役割で構成されたネットワークサーバーがあります。
両方のネットワークのホストは、あらゆる種類のWebサイト(銀行、電子メール、Facebook、Linkedinなど)を通常どおりナビゲートしていますが、Twitter Webサイトには非常に特殊な状況があり、偶然にも(1か月前から)同じです。 YoutubeとPinterestで起こり始めましたが、私はこれらの最後の2つのサービスに(今は)努力を集中していません。Twitterで何が起こっているのかを理解できれば、YoutubeとPinterestで何が起こっているのかを理解できると思います。 (多分...)。
基本的に、Twitterには特定のホスト/サーバーがあり、.CSSファイルと一部の画像の配信も担当します。ページを読み込もうとしているときに、左隅(下)にTLS handshake with abs.twimg.com...のようなメッセージが表示され、このメッセージが保持され、ページが正しく読み込まれなかったり、構造が不足しているなどのメッセージが表示されます。 、おそらく、このホストによって配信できない.CSSが原因で、ここで提示しているシナリオでは。
これまで、ホスト/サーバーを特定し、基本的にcurlを使用して簡単なリクエストを実行しようとしました。
私はそれを特定しました:
- sSLハンドシェイク中、
curlはServer Helloについて何も報告しません - ホスト/サーバーはリバースプロキシサーバーです(Xヘッダー...)
これまでの私の調査の詳細は次のとおりです。
ネットワークトポロジー
ルーティングテーブル(サーバー)
$ ip route
default via 192.168.100.254 dev eth1
10.255.255.0/26 dev eth2 proto kernel scope link src 10.255.255.62
192.168.0.0/24 dev eth2 proto kernel scope link src 192.168.0.1
192.168.100.0/24 dev eth1 proto kernel scope link src 192.168.100.1
IPTABLES/Netfilter
# Generated by iptables-save v1.4.21 on Wed Aug 30 12:00:31 2017
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Transparent Proxy Rules (SQUID)
-A PREROUTING -i eth2 -s 10.255.255.0/26 -p tcp --dport 80 -j DNAT --to-destination 10.255.255.62:3128
-A PREROUTING -i eth2 -s 192.168.0.0/24 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.1:3128
-A POSTROUTING -o eth1 -j MASQUERADE
-A PREROUTING -i eth1 -p tcp --sport 80 -j REDIRECT --to-port 3128
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Routing (eth2 [LAN] <-> [WAN] eth1)
-A FORWARD -i eth2 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allowing Established Connections
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allowing Localhost Traffic
-A INPUT -i lo -j ACCEPT
# Blocking Localhost Traffic (from unrecognized networks)
-A INPUT ! -i lo -s 127.0.0.1/8 -j REJECT
# ICMP (Ping)
-A INPUT -p icmp -m conntrack --ctstate NEW,ESTABLISHED,RELATED --icmp-type 8 -j ACCEPT
# SSH (Server Remote Access)
-A INPUT -i eth2 -p tcp --dport 22 -j ACCEPT
# DNS
-A INPUT -i eth2 -p udp --dport 53 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 53 -j ACCEPT
# DHCP
-A INPUT -i eth2 -p udp --dport 67 --sport 68 -j ACCEPT
-A INPUT -i eth2 -p udp --dport 68 --sport 67 -j ACCEPT
# SAMBA File Server (LAN)
-A INPUT -i eth2 -p udp --dport 137 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 137 -j ACCEPT
-A INPUT -i eth2 -p udp --dport 138 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 138 -j ACCEPT
-A INPUT -i eth2 -p udp --dport 139 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 139 -j ACCEPT
-A INPUT -i eth2 -p udp --dport 445 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 445 -j ACCEPT
# EMAIL (SMTP)
-A INPUT -i eth2 -p tcp --dport 25 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 587 -j ACCEPT
# EMAIL (POP)
-A INPUT -i eth2 -p tcp --dport 110 -j ACCEPT
# EMAIL (IMAP)
-A INPUT -i eth2 -p tcp --dport 143 -j ACCEPT
# EMAIL (IMAP over SSL)
-A INPUT -i eth2 -p tcp --dport 993 -j ACCEPT
# EMAIL (POP over SSL)
-A INPUT -i eth2 -p tcp --dport 995 -j ACCEPT
# PRINTER
-A INPUT -i eth2 -p tcp --dport 515 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 631 -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 9100 -j ACCEPT
# SQUID3 (see table nat)
-A INPUT -i eth2 -p tcp --dport 3128 -j ACCEPT
# Log all incoming traffic that is not listed above...
-A INPUT -i eth2 -m limit --limit 1/min -j LOG --log-prefix "[netfilter-drop-in-lan] " --log-level 7
-A INPUT -i eth1 -m limit --limit 1/min -j LOG --log-prefix "[netfilter-drop-in-wan] " --log-level 7
# Rejecting everything not listed above.
-A INPUT -j REJECT
# Accepting OUTPUT of everything, on any interface.
-A OUTPUT -j ACCEPT
cURL
ルートサーバーの背後
$ curl https://abs.twimg.com/a/1425667452/css/t1/Twitter_core.bundle.css -v
Hostname was NOT found in DNS cache Trying 104.244.46.199...
Connected to abs.twimg.com (104.244.46.199) port 443 (#0) successfully set certificate verify locations:
CAfile: none
CApath: /etc/ssl/certs SSLv3, TLS handshake, Client hello (1):
Operation timed out after 0 milliseconds with 0 out of 0 bytes received Closing connection 0
curl: (28) Operation timed out after 0 milliseconds with 0 out of 0 bytes received
ルートサーバーを渡すことによって
$ curl https://abs.twimg.com/a/1425667452/css/t1/Twitter_core.bundle.css -v
Hostname was NOT found in DNS cache Trying 72.21.91.70...
Connected to abs.twimg.com (72.21.91.70) port 443 (#0) successfully set certificate verify locations:
CAfile: none
CApath: /etc/ssl/certs SSLv3, TLS handshake, Client hello (1):
SSLv3, TLS handshake, Server hello (2): SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Server key exchange (12): SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, Client key exchange (16): SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20): SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20): SSL connection using ECDHE-RSA-AES128-GCM-SHA256
Server certificate: subject: C=US; ST=California; L=San Francisco; O=Twitter, Inc.; OU=Twitter Security; CN=.twimg.com start date: 2017-12-02 00:00:00 GMT
expire date: 2018-12-05 12:00:00 GMT subjectAltName: abs.twimg.com matched
issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA SSL certificate verify ok.
GET /a/1425667452/css/t1/Twitter_core.bundle.css HTTP/1.1
User-Agent: curl/7.35.0
Host: abs.twimg.com
Accept: /
< HTTP/1.1 200 OK
< access-control-allow-Origin:
< Content-Type: text/css
< Date: Thu, 12 Apr 2018 16:48:28 GMT
< Etag: "guajswzGI2hE0uFUU9DNaw==+ident"
< expires: Fri, 12 Apr 2019 16:48:28 GMT
< Last-Modified: Fri, 06 Nov 2015 01:38:59 GMT Server ECS (dfw/2788) is not blacklisted
< Server: ECS (dfw/2788)
< surrogate-key: Twitter-assets
< Vary: Accept-Encoding
< X-Cache: HIT
< x-connection-hash: b9f823e9ff63b5f7f0bd142be924c75b
< x-content-type-options: nosniff
< x-response-time: 33
< x-ton-expected-size: 225802
< Content-Length: 225802
<
/! normalize.css v3.0.0 | MIT License | git.io/normalize /html{font-family:sans-serif;
TCPDUMP
- ルートサーバーの背後にあるホストの1つからcURLを実行していたときに実行されました
- このホストのDNS解決は動的(背後に多くのIP)があるため、
abs.twimg.comに異なるIPを使用しました。この場合、IPは104.244.46.231でした。 - lAN側のtcpdumpを見ると、このIPから2つのパッケージがあり、eth1(WAN)からeth2(LAN)にトラバースします。
LAN(192.168.0.0/24 + 10.255.255.0/26)
$ tcpdump -i eth2 -B 4096 -tttt -vvv dst 104.244.46.103 or src 104.244.46.103 or dst 104.244.46.135 or src 104.244.46.135 or dst 104.244.46.231 or src 104.244.46.231 or dst 72.21.91.70 or src 72.21.91.70 or dst 104.244.46.71 or src 104.244.46.71
tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
2018-04-12 13:24:25.427316 IP (tos 0x0, ttl 64, id 15106, offset 0, flags [DF], proto TCP (6), length 60)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [S], cksum 0x6c7b (correct), seq 1969112296, win 29200, options [mss 1460,sackOK,TS val 3702762 ecr 0,nop,wscale 7], length 0
2018-04-12 13:24:25.474012 IP (tos 0x0, ttl 55, id 0, offset 0, flags [DF], proto TCP (6), length 60)
**104.244.46.231.https** > 192.168.0.12.54464: Flags [S.], cksum 0xd51d (correct), seq 1110799867, ack 1969112297, win 28960, options [mss 1412,sackOK,TS val 2426425241 ecr 3702762,nop,wscale 9], length 0
2018-04-12 13:24:25.475244 IP (tos 0x0, ttl 64, id 15107, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [.], cksum 0x73eb (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 3702774 ecr 2426425241], length 0
2018-04-12 13:24:25.476080 IP (tos 0x0, ttl 64, id 15108, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x4480 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3702774 ecr 2426425241], length 295
2018-04-12 13:24:25.723055 IP (tos 0x0, ttl 64, id 15109, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x4442 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3702836 ecr 2426425241], length 295
2018-04-12 13:24:25.971095 IP (tos 0x0, ttl 64, id 15110, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x4404 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3702898 ecr 2426425241], length 295
2018-04-12 13:24:26.467091 IP (tos 0x0, ttl 64, id 15111, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x4388 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3703022 ecr 2426425241], length 295
2018-04-12 13:24:26.491546 IP (tos 0x0, ttl 55, id 0, offset 0, flags [DF], proto TCP (6), length 60)
**104.244.46.231.https** > 192.168.0.12.54464: Flags [S.], cksum 0xd412 (correct), seq 1110799867, ack 1969112297, win 28960, options [mss 1412,sackOK,TS val 2426425496 ecr 3702774,nop,wscale 9], length 0
2018-04-12 13:24:26.494245 IP (tos 0x0, ttl 64, id 15112, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [.], cksum 0x71c6 (correct), seq 296, ack 1, win 229, options [nop,nop,TS val 3703028 ecr 2426425241], length 0
2018-04-12 13:24:27.459109 IP (tos 0x0, ttl 64, id 15113, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x4290 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3703270 ecr 2426425241], length 295
2018-04-12 13:24:29.447605 IP (tos 0x0, ttl 64, id 15114, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x409f (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3703767 ecr 2426425241], length 295
2018-04-12 13:24:33.420240 IP (tos 0x0, ttl 64, id 15115, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x3cbe (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3704760 ecr 2426425241], length 295
2018-04-12 13:24:41.371165 IP (tos 0x0, ttl 64, id 15116, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x34fa (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3706748 ecr 2426425241], length 295
2018-04-12 13:24:57.259220 IP (tos 0x0, ttl 64, id 15117, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x2576 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3710720 ecr 2426425241], length 295
2018-04-12 13:25:29.067129 IP (tos 0x0, ttl 64, id 15118, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x0666 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3718672 ecr 2426425241], length 295
2018-04-12 13:26:32.748577 IP (tos 0x0, ttl 64, id 15119, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0xc835 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3734592 ecr 2426425241], length 295
2018-04-12 13:28:32.811394 IP (tos 0x0, ttl 64, id 15120, offset 0, flags [DF], proto TCP (6), length 347)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [P.], cksum 0x52f5 (correct), seq 1:296, ack 1, win 229, options [nop,nop,TS val 3764608 ecr 2426425241], length 295
2018-04-12 13:29:25.551683 IP (tos 0x0, ttl 64, id 15121, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.12.54464 > **104.244.46.231.https**: Flags [F.], cksum 0x4db8 (correct), seq 296, ack 1, win 229, options [nop,nop,TS val 3777792 ecr 2426425241], length 0
^C
18 packets captured
43 packets received by filter
0 packets dropped by kernel
WAN(192.168.100.0/24)
$ tcpdump -i eth1 -B 4096 -tttt -vvv dst 104.244.46.103 or src 104.244.46.103 or dst 104.244.46.135 or src 104.244.46.135 or dst 104.244.46.231 or src 104.244.46.231 or dst 72.21.91.70 or src 72.21.91.70 or dst 104.244.46.71 or src 104.244.46.71
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
2018-04-12 13:24:25.427501 IP (tos 0x0, ttl 63, id 15106, offset 0, flags [DF], proto TCP (6), length 60)
192.168.100.1.54464 > **104.244.46.231.https**: Flags [S], cksum 0x0886 (correct), seq 1969112296, win 29200, options [mss 1460,sackOK,TS val 3702762 ecr 0,nop,wscale 7], length 0
2018-04-12 13:24:25.473954 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto TCP (6), length 60)
**104.244.46.231.https** > 192.168.100.1.54464: Flags [S.], cksum 0x7128 (correct), seq 1110799867, ack 1969112297, win 28960, options [mss 1412,sackOK,TS val 2426425241 ecr 3702762,nop,wscale 9], length 0
2018-04-12 13:24:25.475333 IP (tos 0x0, ttl 63, id 15107, offset 0, flags [DF], proto TCP (6), length 52)
192.168.100.1.54464 > **104.244.46.231.https**: Flags [.], cksum 0x0ff6 (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 3702774 ecr 2426425241], length 0
2018-04-12 13:24:26.491489 IP (tos 0x0, ttl 56, id 0, offset 0, flags [DF], proto TCP (6), length 60)
**104.244.46.231.https** > 192.168.100.1.54464: Flags [S.], cksum 0x701d (correct), seq 1110799867, ack 1969112297, win 28960, options [mss 1412,sackOK,TS val 2426425496 ecr 3702774,nop,wscale 9], length 0
2018-04-12 13:24:26.494369 IP (tos 0x0, ttl 63, id 15112, offset 0, flags [DF], proto TCP (6), length 52)
192.168.100.1.54464 > **104.244.46.231.https**: Flags [.], cksum 0x0dd1 (correct), seq 296, ack 1, win 229, options [nop,nop,TS val 3703028 ecr 2426425241], length 0
2018-04-12 13:29:25.551782 IP (tos 0x0, ttl 63, id 15121, offset 0, flags [DF], proto TCP (6), length 52)
192.168.100.1.54464 > **104.244.46.231.https**: Flags [F.], cksum 0xe9c2 (correct), seq 296, ack 1, win 229, options [nop,nop,TS val 3777792 ecr 2426425241], length 0
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
HTTPロギング(Firefox Quantum)
ルートサーバーの背後で、Mozilla Firefox Quantumの HTTP Logging 機能を使用しましたが、次のメッセージが表示されましたが、(少なくとも私にとっては)それほど明確ではありません。
2018-04-10 19:26:31.097581 UTC - [Main Thread]: D/nsHostResolver Resolving Host [abs.twimg.com].
2018-04-10 19:26:31.097602 UTC - [Main Thread]: D/nsHostResolver No usable address in cache for Host [abs.twimg.com].
2018-04-10 19:26:31.097640 UTC - [Main Thread]: D/nsHostResolver DNS lookup for Host [abs.twimg.com] blocking pending 'getaddrinfo' query: callback [0x7f8c647e11f0]
2018-04-10 19:26:31.097656 UTC - [DNS Resolver #3]: D/nsHostResolver DNS lookup thread - Calling getaddrinfo for Host [abs.twimg.com].
2018-04-10 19:26:31.221949 UTC - [DNS Resolver #3]: D/nsHostResolver DNS lookup thread - lookup completed for Host [abs.twimg.com]: success.
2018-04-10 19:26:31.221978 UTC - [DNS Resolver #3]: D/nsHostResolver Caching Host [abs.twimg.com] record for 60 seconds (grace 60).
2018-04-10 19:26:31.809789 UTC - [Main Thread]: D/nsHttp HttpChannelParent RecvAsyncOpen [this=0x7f8c7a424160 uri=https://abs.twimg.com/a/1523337269/css/t1/nightmode_Twitter_core.bundle.css, gid=27887222652930 topwinid=180000001]
2018-04-10 19:26:31.809835 UTC - [Main Thread]: V/nsHttp Host=abs.twimg.com port=-1
2018-04-10 19:26:31.809838 UTC - [Main Thread]: V/nsHttp uri=https://abs.twimg.com/a/1523337269/css/t1/nightmode_Twitter_core.bundle.css
2018-04-10 19:26:31.809961 UTC - [Main Thread]: D/nsHttp HttpChannelParent RecvAsyncOpen [this=0x7f8c7a424a60 uri=https://abs.twimg.com/a/1523337269/css/t1/nightmode_Twitter_more_1.bundle.css, gid=27887222652931 topwinid=180000001]
2018-04-10 19:26:31.809990 UTC - [Main Thread]: V/nsHttp Host=abs.twimg.com port=-1
2018-04-10 19:26:31.809993 UTC - [Main Thread]: V/nsHttp uri=https://abs.twimg.com/a/1523337269/css/t1/nightmode_Twitter_more_1.bundle.css
2018-04-10 19:26:31.810078 UTC - [Main Thread]: D/nsHttp HttpChannelParent RecvAsyncOpen [this=0x7f8c7a424b80 uri=https://abs.twimg.com/a/1523337269/css/t1/nightmode_Twitter_more_2.bundle.css, gid=27887222652932 topwinid=180000001]
2018-04-10 19:26:31.810106 UTC - [Main Thread]: V/nsHttp Host=abs.twimg.com port=-1
2018-04-10 19:26:31.810108 UTC - [Main Thread]: V/nsHttp uri=https://abs.twimg.com/a/1523337269/css/t1/nightmode_Twitter_more_2.bundle.css
2018-04-10 19:26:31.811307 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key not found [this=0x7f8c3ec42e80, key=predictor::https://abs.twimg.com/a/1523337269/css/t1/nightmode_Twitter_core.bundle.css]
2018-04-10 19:26:31.811328 UTC - [Main Thread]: D/cache2 CacheFileMetadata::SetElement() [this=0x7f8c3ec42e80, key=predictor::https://abs.twimg.com/a/1523337269/css/t1/nightmode_Twitter_core.bundle.css, value=0x7f8c4a7dd7e8]
2018-04-10 19:26:31.811331 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key not found [this=0x7f8c3ec42e80, key=predictor::https://abs.twimg.com/a/1523337269/css/t1/nightmode_Twitter_core.bundle.css]
2018-04-10 19:26:31.811381 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key found [this=0x7f8c4059b580, key=predictor::https://abs.twimg.com/]
2018-04-10 19:26:31.811398 UTC - [Main Thread]: D/cache2 CacheFileMetadata::SetElement() [this=0x7f8c4059b580, key=predictor::https://abs.twimg.com/, value=0x7f8c4a7dd828]
2018-04-10 19:26:31.811402 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key found [this=0x7f8c4059b580, key=predictor::https://abs.twimg.com/]
2018-04-10 19:26:31.811799 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key not found [this=0x7f8c3ec42e80, key=predictor::https://abs.twimg.com/a/1523337269/css/t1/nightmode_Twitter_more_1.bundle.css]
2018-04-10 19:26:31.811819 UTC - [Main Thread]: D/cache2 CacheFileMetadata::SetElement() [this=0x7f8c3ec42e80, key=predictor::https://abs.twimg.com/a/1523337269/css/t1/nightmode_Twitter_more_1.bundle.css, value=0x7f8c4a7dd808]
2018-04-10 19:26:31.811823 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key not found [this=0x7f8c3ec42e80, key=predictor::https://abs.twimg.com/a/1523337269/css/t1/nightmode_Twitter_more_1.bundle.css]
2018-04-10 19:26:31.811876 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key found [this=0x7f8c4059b580, key=predictor::https://abs.twimg.com/]
2018-04-10 19:26:31.811890 UTC - [Main Thread]: D/cache2 CacheFileMetadata::SetElement() [this=0x7f8c4059b580, key=predictor::https://abs.twimg.com/, value=0x7f8c4a7dd848]
2018-04-10 19:26:31.811894 UTC - [Main Thread]: D/cache2 CacheFileMetadata::GetElement() - Key found [this=0x7f8c4059b580, key=predictor::https://abs.twimg.com/]
このすべての情報で、私は次の質問があります:
- ファイアウォールルールの不足、過剰、または設定ミスはありますか?
- Server Helloパッケージが
https://abs.twimg.com/a/1425667452/css/t1/Twitter_core.bundle.cssを要求したホストに到達できない理由(cURLで説明されているように)が、これからのいくつかのパッケージtcpdump出力に従って、ホストは通常、WAN/LAN(eth1/eth2)を通過していますか?
前に述べたように、LAN側の両方のネットワークのコンピューターは、HTTPまたはHTTPS(Google、Hotmail、Gmail、銀行口座、Amazonなど)を介して多くのサービスを使用しています...
相互作用や推測をありがとう:)。
*filter、2つのルールの順序を変更すると、接続が正常に流れ始めました(理由はわかりません)。
From:
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate NEW,ESTABLISHED,RELATED --icmp-type 8 -j ACCEPT
宛先:
-A INPUT -p icmp -m conntrack --ctstate NEW,ESTABLISHED,RELATED --icmp-type 8 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
基本的に、この問題のリモートホストは、 IPTABLES Conntrack のおかげで接続を確立でき、conntrackテーブルとそのデータに基づいてリクエスターとの接続を開始し、DSTとSRCを変更します。場合。
詳細については: