混沌工程工具-阿里ChaosBlade的实现说明之二

标签：61.148 ChaosBlade 混沌之二 7dgroup2 18 win nop 243.67

ChaosBlade模拟端口不通的场景。

模拟端口不通
模拟之前
(base) GaoLouMac:~ Zee$ telnet 101.201.210.163 9100
Trying 101.201.210.163...

Connected to 101.201.210.163.
Escape character is '^]'.
可以看到这个端口是通的。

模拟端口不通
[root@7dgroup2 chaosblade-0.2.0]# ./blade create network drop --local-port 9100
{"code":200,"success":true,"result":"55321ca383ef272c"}
[root@7dgroup2 chaosblade-0.2.0]#
模拟之后
可以看到端口已经连不上了。

(base) GaoLouMac:~ Zee$ telnet 101.201.210.163 9100
Trying 101.201.210.163...
telnet: connect to address 101.201.210.163: Operation timed out
telnet: Unable to connect to remote host
(base) GaoLouMac:~ Zee$
可是怎么实现的端口连不上呢？
实现代码
通过如下代码，可以看到，ChaosBlade是通过iptables命令添加drop规则来实现的禁用端口。

以下代码在dropnetwork.go中可以看到。

if localPort != "" {
channel.Run(ctx, "iptables", fmt.Sprintf(-D INPUT -p tcp --dport %s -j DROP, localPort))
channel.Run(ctx, "iptables", fmt.Sprintf(-D INPUT -p udp --dport %s -j DROP, localPort))
}
iptables配置
[root@7dgroup2 chaosblade-0.2.0]# iptables -L -n|grep 9100
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9100
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:9100
[root@7dgroup2 chaosblade-0.2.0]#
通过查询iptables记录，可以看到，ChaoBlade添加了两条记录把9100端口的tcp、udp包都drop掉。大家注意一下，这个操作只是暂时生效，iptables的文件中是没有记录的。

这种模拟效果是什么样呢？

模拟效果解析
模拟之前抓包结果
[root@7dgroup2 ~]# tcpdump -i eth0 port 9000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:40:19.162485 IP 61.148.243.67.9485 > 7dgroup2.cslistener: Flags [S], seq 4090540787, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 1187658956 ecr 0,sackOK,eol], length 0
18:40:19.162592 IP 7dgroup2.cslistener > 61.148.243.67.9485: Flags [S.], seq 3080683668, ack 4090540788, win 28960, options [mss 1460,sackOK,TS val 871980746 ecr 1187658956,nop,wscale 7], length 0
18:40:19.202395 IP 61.148.243.67.9485 > 7dgroup2.cslistener: Flags [.], ack 1, win 4120, options [nop,nop,TS val 1187658998 ecr 871980746], length 0

// 上面是连接过程
// 下面是断开过程

18:40:51.771422 IP 61.148.243.67.9485 > 7dgroup2.cslistener: Flags [P.], seq 1:7, ack 1, win 4120, options [nop,nop,TS val 1187690315 ecr 871980746], length 6
18:40:51.771534 IP 7dgroup2.cslistener > 61.148.243.67.9485: Flags [.], ack 7, win 227, options [nop,nop,TS val 872013355 ecr 1187690315], length 0
18:40:51.772024 IP 7dgroup2.cslistener > 61.148.243.67.9485: Flags [P.], seq 1:99, ack 7, win 227, options [nop,nop,TS val 872013355 ecr 1187690315], length 98
18:40:51.772062 IP 7dgroup2.cslistener > 61.148.243.67.9485: Flags [F.], seq 99, ack 7, win 227, options [nop,nop,TS val 872013355 ecr 1187690315], length 0
18:40:51.821279 IP 61.148.243.67.9485 > 7dgroup2.cslistener: Flags [.], ack 99, win 4117, options [nop,nop,TS val 1187690362 ecr 872013355], length 0
18:40:51.821336 IP 61.148.243.67.9485 > 7dgroup2.cslistener: Flags [.], ack 100, win 4117, options [nop,nop,TS val 1187690362 ecr 872013355], length 0
18:40:51.821355 IP 61.148.243.67.9485 > 7dgroup2.cslistener: Flags [F.], seq 7, ack 100, win 4117, options [nop,nop,TS val 1187690364 ecr 872013355], length 0
18:40:51.821380 IP 7dgroup2.cslistener > 61.148.243.67.9485: Flags [.], ack 8, win 227, options [nop,nop,TS val 872013404 ecr 1187690364], length 0
从上面的结果来看，没有创建iptable规则之前，通讯完全正常。

标标准准的tcp握手和挥手的过程呀。

模拟之后抓包结果
18:43:12.531311 IP 61.148.243.67.9486 > 7dgroup2.cslistener: Flags [S], seq 899103396, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 1187826295 ecr 0,sackOK,eol], length 0
18:43:13.551168 IP 61.148.243.67.9486 > 7dgroup2.cslistener: Flags [S], seq 899103396, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 1187827296 ecr 0,sackOK,eol], length 0
18:43:14.611149 IP 61.148.243.67.9486 > 7dgroup2.cslistener: Flags [S], seq 899103396, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 1187828296 ecr 0,sackOK,eol], length 0
18:43:15.582777 IP 61.148.243.67.9486 > 7dgroup2.cslistener: Flags [S], seq 899103396, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 1187829296 ecr 0,sackOK,eol], length 0
18:43:16.622832 IP 61.148.243.67.9486 > 7dgroup2.cslistener: Flags [S], seq 899103396, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 1187830296 ecr 0,sackOK,eol], length 0
18:43:17.654309 IP 61.148.243.67.9486 > 7dgroup2.cslistener: Flags [S], seq 899103396, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 1187831296 ecr 0,sackOK,eol], length 0
18:43:19.691527 IP 61.148.243.67.9486 > 7dgroup2.cslistener: Flags [S], seq 899103396, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 1187833296 ecr 0,sackOK,eol], length 0
18:43:23.741290 IP 61.148.243.67.9486 > 7dgroup2.cslistener: Flags [S], seq 899103396, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 1187837296 ecr 0,sackOK,eol], length 0
18:43:31.761123 IP 61.148.243.67.9486 > 7dgroup2.cslistener: Flags [S], seq 899103396, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 1187845296 ecr 0,sackOK,eol], length 0
18:43:48.062869 IP 61.148.243.67.9487 > 7dgroup2.cslistener: Flags [S], seq 899103396, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 1187861296 ecr 0,sackOK,eol], length 0
18:44:20.852129 IP 61.148.243.67.9705 > 7dgroup2.cslistener: Flags [S], seq 899103396, win 65535, options [m

标签：61.148,ChaosBlade,混沌,之二,7dgroup2,18,win,nop,243.67
From： https://www.cnblogs.com/wyx321/p/18609264

混沌工程工具-阿里ChaosBlade的实现说明之二

相关文章

赞助商

阅读排行