Netfilter/Ebtables/Iptables: the path of local and forwarded traffic

Netfilter framework:

Test environment:

Prepare the netfilter environment: test STA -> AP traffic


firewall-rules stop

iptables -t mangle -A PREROUTING -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_MANGLE_PRER_131_ICMP: "

iptables -t nat -A PREROUTING -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_NAT_PRER_131_ICMP: "

iptables -t mangle -A POSTROUTING -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_MANGLE_POSTR_131_ICMP: "

iptables -t nat -A POSTROUTING -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_NAT_POSTR_131_ICMP: "

iptables -t filter -A INPUT -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_FILTER_INPUT_131_ICMP: "

iptables -t filter -A OUTPUT -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_FILTER_OUTPUT_131_ICMP: "

iptables -t filter -A FORWARD -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_FILTER_FORWARD_131_ICMP: "

iptables -t nat -A OUTPUT -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_NAT_OUTPUT_131_ICMP: "

iptables -t mangle -A INPUT -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_mangle_INPUT_131_ICMP: "

iptables -t mangle -A OUTPUT -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_mangle_OUTPUT_131_ICMP: "

iptables -t mangle -A FORWARD -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_mangle_FORWARD_131_ICMP: "

iptables -t mangle -I PREROUTING -m mark --mark 0x5a -j LOG --log-prefix="IPT_MANGLE_PRER_EBT_INPUTMARK"

ebtables -t broute -I BROUTING -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_BROUTING_131_ICMP: "

ebtables -t nat -I PREROUTING -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_PREROUTING_131_ICMP: "

ebtables -t nat -I POSTROUTING -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_POSTROUTING_131_ICMP: "

ebtables -t nat -I OUTPUT -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_OUTPUT_131_ICMP: "

ebtables -I FORWARD -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_FORWARD_131_ICMP: "

ebtables -I INPUT -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_INPUT_131_ICMP: "

ebtables -I OUTPUT -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_OUTPUT_131_ICMP: "

ebtables -I INPUT -p IPv4 --ip-src 192.168.1.131 --ip-proto icmp --log-level info --log-prefix "" -j mark --mark-set 0x5a --mark-target CONTINUE

iptables -t mangle -L

iptables -t nat -L

iptables -t filter -L

ebtables -t broute -L

ebtables -t filter -L

ebtables -t nat -L

sysctl -w net.bridge.bridge-nf-call-iptables=0

ping 192.168.1.1


If there is no conntrack entry for this flow, the log is as follows:

EBT_BROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_FORWARD_131_ICMP:  IN=ath0.0 OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_POSTROUTING_131_ICMP:  IN= OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

If there is a conntrack entry for this flow, the log is as follows (identical):

EBT_BROUTING_131_ICMP:  IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_FORWARD_131_ICMP:  IN=ath1.0 OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_POSTROUTING_131_ICMP:  IN= OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

This matches the Netfilter flow diagram (the iptables hook points on the Netfilter path are not executed).

ping 192.168.1.130


If there is no conntrack entry for this flow, the log is as follows (one extra line, IPT_NAT_PRER_131_ICMP: the nat table is consulted only for the first packet of a connection, so it appears only when no conntrack entry exists yet; the unprefixed line is the output of the ebtables INPUT mark rule, whose --log-prefix is empty):

EBT_BROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800

EBT_INPUT_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

IPT_MANGLE_PRER_EBT_INPUTMARKIN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19538 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a

IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19538 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a

IPT_NAT_PRER_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19538 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a

IPT_mangle_INPUT_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19538 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a

IPT_FILTER_INPUT_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19538 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a

If there is a conntrack entry for this flow, the log is as follows:

EBT_BROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800

EBT_INPUT_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

IPT_MANGLE_PRER_EBT_INPUTMARKIN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19540 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2549 MARK=0x5a

IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19540 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2549 MARK=0x5a

IPT_mangle_INPUT_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19540 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2549 MARK=0x5a

IPT_FILTER_INPUT_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19540 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2549 MARK=0x5a

This does not match the Netfilter flow diagram: even with bridge-nf-call-iptables=0, the frame addressed to the AP itself still enters the iptables PREROUTING and INPUT hooks (without PHYSIN, and still carrying the 0x5a mark set in the ebtables INPUT chain), because after the ebtables INPUT chain the bridge hands the packet up to the IP stack on br-lan0, where the ordinary IPv4 hooks run.

sysctl -w net.bridge.bridge-nf-call-iptables=1

ping 192.168.1.1


If there is a conntrack entry for this flow, the log is as follows:

EBT_BROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath0.0 MAC=00:21:29:b6:b9:65:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14516 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2528

EBT_FORWARD_131_ICMP:  IN=ath0.0 OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

IPT_mangle_FORWARD_131_ICMP: IN=br-lan0 OUT=br-lan0 PHYSIN=ath0.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14516 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2528

IPT_FILTER_FORWARD_131_ICMP: IN=br-lan0 OUT=br-lan0 PHYSIN=ath0.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14516 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2528

EBT_POSTROUTING_131_ICMP:  IN= OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 PHYSIN=ath0.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14516 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2528

If there is no conntrack entry for this flow, the log is as follows (two extra lines: IPT_NAT_PRER_131_ICMP and IPT_NAT_POSTR_131_ICMP):

EBT_BROUTING_131_ICMP:  IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath1.0 MAC=00:21:29:b6:b9:65:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14569 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530

IPT_NAT_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath1.0 MAC=00:21:29:b6:b9:65:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14569 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530

EBT_FORWARD_131_ICMP:  IN=ath1.0 OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

IPT_mangle_FORWARD_131_ICMP: IN=br-lan0 OUT=br-lan0 PHYSIN=ath1.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14569 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530

IPT_FILTER_FORWARD_131_ICMP: IN=br-lan0 OUT=br-lan0 PHYSIN=ath1.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14569 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530

EBT_POSTROUTING_131_ICMP:  IN= OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 PHYSIN=ath1.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14569 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530

IPT_NAT_POSTR_131_ICMP: IN= OUT=br-lan0 PHYSIN=ath1.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14569 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530

This matches the Netfilter flow diagram.

ping 192.168.1.130


If there is a conntrack entry for this flow, the log is as follows:

EBT_BROUTING_131_ICMP:  IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath1.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14588 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2535

EBT_INPUT_131_ICMP:  IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

IPT_mangle_INPUT_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath1.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14588 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2535

IPT_FILTER_INPUT_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath1.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14588 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2535

If there is no conntrack entry for this flow, the log is as follows (one extra line, IPT_NAT_PRER_131_ICMP):

EBT_BROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath0.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14495 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2521

IPT_NAT_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath0.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14495 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2521

EBT_INPUT_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

IPT_mangle_INPUT_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath0.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14495 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2521

IPT_FILTER_INPUT_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath0.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14495 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2521

This matches the Netfilter flow diagram.

Test traffic sent from AP -> STA


firewall-rules stop

iptables -t mangle -A PREROUTING -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_MANGLE_PRER_131_ICMP: "

iptables -t nat -A PREROUTING -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_NAT_PRER_131_ICMP: "

iptables -t mangle -A POSTROUTING -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_MANGLE_POSTR_131_ICMP: "

iptables -t nat -A POSTROUTING -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_NAT_POSTR_131_ICMP: "

iptables -t filter -A INPUT -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_FILTER_INPUT_131_ICMP: "

iptables -t filter -A OUTPUT -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_FILTER_OUTPUT_131_ICMP: "

iptables -t filter -A FORWARD -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_FILTER_FORWARD_131_ICMP: "

iptables -t nat -A OUTPUT -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_NAT_OUTPUT_131_ICMP: "

iptables -t mangle -A INPUT -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_mangle_INPUT_131_ICMP: "

iptables -t mangle -A OUTPUT -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_mangle_OUTPUT_131_ICMP: "

iptables -t mangle -A FORWARD -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_mangle_FORWARD_131_ICMP: "

ebtables -t broute -I BROUTING -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_BROUTING_131_ICMP: "

ebtables -t nat -I PREROUTING -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_PREROUTING_131_ICMP: "

ebtables -t nat -I POSTROUTING -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_POSTROUTING_131_ICMP: "

ebtables -t nat -I OUTPUT -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_NAT_OUTPUT_131_ICMP: "

ebtables -I FORWARD -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_FORWARD_131_ICMP: "

ebtables -I INPUT -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_INPUT_131_ICMP: "

ebtables -I OUTPUT -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_OUTPUT_131_ICMP: "

iptables -t mangle -L

iptables -t nat -L

iptables -t filter -L

ebtables -t broute -L

ebtables -t filter -L

ebtables -t nat -L

sysctl -w net.bridge.bridge-nf-call-iptables=0

ping 192.168.1.131


If there is a conntrack entry for this flow, the log is as follows:

IPT_mangle_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_NAT_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_FILTER_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_NAT_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

EBT_NAT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_POSTROUTING_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

If there is no conntrack entry for this flow, the log is as follows (no difference):

IPT_mangle_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_NAT_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_FILTER_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_NAT_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

EBT_NAT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_POSTROUTING_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

This matches the Netfilter flow diagram.

sysctl -w net.bridge.bridge-nf-call-iptables=1

ping 192.168.1.131


If there is a conntrack entry for this flow, the log is as follows:

IPT_mangle_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_NAT_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_FILTER_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_NAT_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

EBT_NAT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_POSTROUTING_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

If there is no conntrack entry for this flow, the log is as follows (identical):

IPT_mangle_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_NAT_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_FILTER_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_NAT_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

EBT_NAT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_POSTROUTING_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

This matches the Netfilter flow diagram.
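As an added example that is not part of the original post, the Python below parses LOG lines in the two formats shown above (ebtables --log-ip and the iptables LOG target) and reconstructs the ordered list of hooks one ping traversed, reporting where the packet went, whether br_netfilter passed the bridged frame to iptables (PHYSIN/PHYSOUT present) and whether the 0x5a mark set in the ebtables INPUT chain reached the iptables layer. The sample lines are copied from the captures above; the prefix-to-hook mapping assumes the rule naming used in this post.

```python
import re

# LOG prefixes used by the rules above have the shape <EBT|IPT>_[<table>_]<chain>_131_ICMP:
LINE_RE = re.compile(r"^(?P<prefix>[A-Za-z_]+?)(?:_131_ICMP)?:?\s*(?P<rest>IN=.*)$")
KV_RE = re.compile(r"(\w+)=([^\s,]*)")
CHAIN_ABBREV = {"PRER": "PREROUTING", "POSTR": "POSTROUTING"}
TABLE_BY_EBT_CHAIN = {"BROUTING": "broute", "PREROUTING": "nat", "POSTROUTING": "nat"}

def hook_from_prefix(prefix):
    """'IPT_mangle_INPUT' -> 'iptables:mangle/INPUT'; prefixes without a table name are ebtables."""
    if prefix.endswith("INPUTMARK"):  # mangle PREROUTING rule that matches the ebtables mark
        return "iptables:mangle/PREROUTING"
    parts = prefix.split("_")
    layer = {"EBT": "ebtables", "IPT": "iptables"}[parts[0]]
    chain = CHAIN_ABBREV.get(parts[-1], parts[-1])
    table = parts[1].lower() if len(parts) == 3 else TABLE_BY_EBT_CHAIN.get(chain, "filter")
    return "%s:%s/%s" % (layer, table, chain)

def parse_log_line(line):
    """Return (hook, fields); hook is None for the unprefixed line of the ebtables mark rule."""
    line = line.strip()
    m = LINE_RE.match(line)
    if m:
        return hook_from_prefix(m.group("prefix")), dict(KV_RE.findall(m.group("rest")))
    if line.startswith("IN="):  # rule installed with --log-prefix ""
        return None, dict(KV_RE.findall(line))
    raise ValueError("not a netfilter LOG line: " + line)

def trace(lines):
    """Summarise the LOG lines of one ping: hook order, packet direction, br_netfilter involvement."""
    parsed = [parse_log_line(l) for l in lines if l.strip()]
    hooks = [h for h, _ in parsed if h]
    if any(h.endswith("/FORWARD") for h in hooks):
        direction = "forwarded"
    elif any(h.endswith("/INPUT") for h in hooks):
        direction = "local-in"
    else:
        direction = "local-out"
    return {
        "direction": direction,
        "hooks": hooks,
        "iptables_hooks": sum(h.startswith("iptables") for h in hooks),
        # PHYSIN/PHYSOUT appear only when br_netfilter hands a bridged frame to iptables
        "bridge_nf": any("PHYSIN" in f or "PHYSOUT" in f for _, f in parsed),
        "mark_seen_by_iptables": any(f.get("MARK") == "0x5a" for _, f in parsed),
    }

# Sample input copied from the captures above: STA 192.168.1.131 pinging the AP itself with
# bridge-nf-call-iptables=0, and pinging 192.168.1.1 (bridged out via eth0.0) with it set to 1.
LOCAL_IN_BRNF0 = """\
EBT_BROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1
EBT_PREROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1
IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800
EBT_INPUT_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1
IPT_MANGLE_PRER_EBT_INPUTMARKIN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19538 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a
IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19538 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a
IPT_NAT_PRER_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19538 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a
IPT_mangle_INPUT_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19538 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a
IPT_FILTER_INPUT_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19538 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a
""".splitlines()

FORWARD_BRNF1 = """\
EBT_BROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1
EBT_PREROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1
IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath0.0 MAC=00:21:29:b6:b9:65:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14516 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2528
EBT_FORWARD_131_ICMP:  IN=ath0.0 OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1
IPT_mangle_FORWARD_131_ICMP: IN=br-lan0 OUT=br-lan0 PHYSIN=ath0.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14516 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2528
IPT_FILTER_FORWARD_131_ICMP: IN=br-lan0 OUT=br-lan0 PHYSIN=ath0.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14516 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2528
EBT_POSTROUTING_131_ICMP:  IN= OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1
IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 PHYSIN=ath0.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14516 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2528
""".splitlines()

if __name__ == "__main__":
    print(trace(LOCAL_IN_BRNF0), trace(FORWARD_BRNF1), sep="\n")
```

The local-in case shows the behaviour the post flags as not matching the diagram: iptables hooks fire without PHYSIN, while the forwarded case with bridge-nf enabled shows each iptables hook nested between its ebtables neighbours.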

Time: 2024-10-25 19:47:26
