Security group 的conntrack 問題

在AWS 上創建的EC2 有一個奇怪的問題,似乎是由於Security group 的conntrack 造成的,即使修改為允許所有UDP 流量也不行。

當self-hosted ipsec-vpn 和地端連結建立後,此時從地端無法ping 通雲端,也無法開始傳輸,但tunnel 已經建立,看狀態都是正常,

當從雲端的EC2 對地端發送一個ping 包之後,流量才開始傳輸,也就是說,首發流量必須由EC2 發起。

問題是否真的由security group 引起我沒有確認,因為我沒有什麼頭緒,但首發流量由EC2發起就能解決,看起來就是security group 的問題。解決這個問題倒是簡單,ping 一下。

在VPC 內使用VPN 服務建立的ipsec tunnel 則沒有這個問題,當然,由於那是managed service,我們不能明確AWS 到底在裡面搞了什麼,說不定他也是在底層的EC2 上ping 了一下。

所以問了AI,寫個定時ping 的script

sudo vi /usr/local/bin/multi-ping.sh

#!/bin/bash

# List of hosts to ping
HOSTS=(
    "10.1.1.2"
    "10.1.2.2"
    "10.1.3.3"
)

# Ping interval in seconds
INTERVAL=60

while true; do
    for host in "${HOSTS[@]}"; do
        timestamp=$(date '+%Y-%m-%d %H:%M:%S')
        ping -c 1 $host | while read pong; do
            echo "[$timestamp] $host - $pong" >> /tmp/multi-ping.log
        done
    done
    sleep $INTERVAL
done

然後創建一個service

sudo vi /etc/systemd/system/multi-ping.service

[Unit]
Description=Multiple Host Ping Service
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/usr/local/bin/multi-ping.sh
Restart=always
RestartSec=30

[Install]
WantedBy=multi-user.target

啟動他

sudo systemctl daemon-reload
sudo systemctl enable multi-ping
sudo systemctl start multi-ping

看一下log

[2025-04-03 00:44:25] 10.1.1.2 - 64 bytes from 10.1.1.2: icmp_seq=1 ttl=63 time=48.9 ms
[2025-04-03 00:44:25] 10.1.1.2 - 
[2025-04-03 00:44:25] 10.1.1.2 - --- 10.1.1.2 ping statistics ---
[2025-04-03 00:44:25] 10.1.1.2 - 1 packets transmitted, 1 received, 0% packet loss, time 0ms
[2025-04-03 00:44:25] 10.1.1.2 - rtt min/avg/max/mdev = 48.931/48.931/48.931/0.000 ms
[2025-04-03 00:44:25] 10.1.3.3 - PING 10.1.3.3 (10.1.3.3) 56(84) bytes of data.
[2025-04-03 00:44:25] 10.1.3.3 - 64 bytes from 10.1.3.3: icmp_seq=1 ttl=63 time=301 ms
[2025-04-03 00:44:25] 10.1.3.3 - 
[2025-04-03 00:44:25] 10.1.3.3 - --- 10.1.3.3 ping statistics ---
[2025-04-03 00:44:25] 10.1.3.3 - 1 packets transmitted, 1 received, 0% packet loss, time 0ms
[2025-04-03 00:44:25] 10.1.3.3 - rtt min/avg/max/mdev = 301.351/301.351/301.351/0.000 ms