The Security Group conntrack problem
An EC2 instance created on AWS shows a strange problem that seems to be caused by the Security Group's connection tracking (conntrack); even changing the rules to allow all UDP traffic does not help.
After the self-hosted ipsec-vpn tunnel to the on-premises site comes up, the on-premises side cannot ping the cloud side and cannot start transmitting, even though the tunnel is established and every status check looks normal.
Only after the cloud-side EC2 sends a ping packet to the on-premises side does traffic start to flow. In other words, the first packet must originate from the EC2.
I have not confirmed whether the problem is really caused by the security group, because I have no real lead, but having the EC2 initiate the first packet fixes it, so it looks like a security group problem. Fixing it is easy: just send a ping.
An ipsec tunnel built with the VPN service inside the VPC does not have this problem; of course, since that is a managed service, we cannot know exactly what AWS does underneath, and for all we know it also sends a ping from an underlying EC2.
So I asked an AI to write a script that pings on a schedule
sudo vi /usr/local/bin/multi-ping.sh
#!/bin/bash
# Periodically ping a list of on-premises hosts from the EC2 so that
# the first packet of each flow originates on the cloud side.
# List of hosts to ping
HOSTS=(
"10.1.1.2"
"10.1.2.2"
"10.1.3.3"
)
# Ping interval in seconds
INTERVAL=60
while true; do
for host in "${HOSTS[@]}"; do
timestamp=$(date '+%Y-%m-%d %H:%M:%S')
# Capture stderr too, so a failed ping is logged rather than lost;
# quote $host so an unexpected value cannot be word-split.
ping -c 1 "$host" 2>&1 | while read -r pong; do
echo "[$timestamp] $host - $pong" >> /tmp/multi-ping.log
done
done
sleep "$INTERVAL"
done
Then create a service
sudo vi /etc/systemd/system/multi-ping.service
[Unit]
Description=Multiple Host Ping Service
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
ExecStart=/usr/local/bin/multi-ping.sh
Restart=always
RestartSec=30
[Install]
WantedBy=multi-user.target
Start it
sudo systemctl daemon-reload
sudo systemctl enable multi-ping
sudo systemctl start multi-ping
Check the log
[2025-04-03 00:44:25] 10.1.1.2 - 64 bytes from 10.1.1.2: icmp_seq=1 ttl=63 time=48.9 ms
[2025-04-03 00:44:25] 10.1.1.2 -
[2025-04-03 00:44:25] 10.1.1.2 - --- 10.1.1.2 ping statistics ---
[2025-04-03 00:44:25] 10.1.1.2 - 1 packets transmitted, 1 received, 0% packet loss, time 0ms
[2025-04-03 00:44:25] 10.1.1.2 - rtt min/avg/max/mdev = 48.931/48.931/48.931/0.000 ms
[2025-04-03 00:44:25] 10.1.3.3 - PING 10.1.3.3 (10.1.3.3) 56(84) bytes of data.
[2025-04-03 00:44:25] 10.1.3.3 - 64 bytes from 10.1.3.3: icmp_seq=1 ttl=63 time=301 ms
[2025-04-03 00:44:25] 10.1.3.3 -
[2025-04-03 00:44:25] 10.1.3.3 - --- 10.1.3.3 ping statistics ---
[2025-04-03 00:44:25] 10.1.3.3 - 1 packets transmitted, 1 received, 0% packet loss, time 0ms
[2025-04-03 00:44:25] 10.1.3.3 - rtt min/avg/max/mdev = 301.351/301.351/301.351/0.000 ms
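A log of the format shown above only helps if someone reads it. As an added example (not part of the original post or of the script it describes), the following shell functions summarise /tmp/multi-ping.log per host and list the hosts that stopped answering, which is the signal that the tunnel needs its first packet again or that something else is wrong. The sample log lines embedded below are constructed for the example and are not real output; the function names are assumptions.

```shell
#!/bin/bash
# Constructed sample in the multi-ping.log format from the post (not real data).
# It contains the "N packets transmitted, M received" summary lines that ping
# prints for each host; other ping lines are ignored by the parser.
SAMPLE_LOG='[2025-04-03 00:44:25] 10.1.1.2 - 1 packets transmitted, 1 received, 0% packet loss, time 0ms
[2025-04-03 00:44:25] 10.1.3.3 - 1 packets transmitted, 0 received, 100% packet loss, time 0ms
[2025-04-03 00:45:25] 10.1.1.2 - 1 packets transmitted, 1 received, 0% packet loss, time 0ms
[2025-04-03 00:45:25] 10.1.3.3 - 1 packets transmitted, 1 received, 0% packet loss, time 0ms'

# summarize_loss: read log lines on stdin and print one line per host:
#   "<host> <packets sent> <packets received> <loss percent>"
# Field positions: $3 is the host, $5 the transmitted count, $8 the received count.
summarize_loss() {
  awk '/packets transmitted/ {
      host = $3
      sent[host] += $5
      recv[host] += $8
  }
  END {
      for (h in sent) {
          loss = (sent[h] - recv[h]) * 100 / sent[h]
          printf "%s %d %d %d\n", h, sent[h], recv[h], loss
      }
  }' | sort
}

# hosts_with_loss: print only the hosts whose loss percentage is above zero,
# i.e. the ones an operator should look at.
hosts_with_loss() {
  summarize_loss | awk '$4 > 0 { print $1 }'
}

# Usage against the constructed sample; on the EC2 you would instead run
#   hosts_with_loss < /tmp/multi-ping.log
printf '%s\n' "$SAMPLE_LOG" | summarize_loss
printf '%s\n' "$SAMPLE_LOG" | hosts_with_loss
```

Because the script logs one summary line per host per interval, a host that silently drops out shows up here as rising loss rather than as an absent line, which is easier to alert on from a cron job or a systemd timer.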