Netfilter/Ebtables/Iptables: the path of local and forwarded traffic

Netfilter framework (diagram):


Test environment (diagram). As the logs below show, the STA is 192.168.1.131 on a wireless port of the AP (ath0.0 or ath1.0, depending on the run), the AP's bridge interface br-lan0 has the address 192.168.1.130, and the wired-side host 192.168.1.1 is reached through the bridge port eth0.0.


Prepare the netfilter environment: test STA -> AP traffic

 

firewall-rules stop

 

iptables -t mangle -A PREROUTING -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_MANGLE_PRER_131_ICMP: "

iptables -t nat -A PREROUTING -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_NAT_PRER_131_ICMP: "

iptables -t mangle -A POSTROUTING -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_MANGLE_POSTR_131_ICMP: "

iptables -t nat -A POSTROUTING -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_NAT_POSTR_131_ICMP: "

iptables -t filter -A INPUT -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_FILTER_INPUT_131_ICMP: "

iptables -t filter -A OUTPUT -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_FILTER_OUTPUT_131_ICMP: "

iptables -t filter -A FORWARD -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_FILTER_FORWARD_131_ICMP: "

iptables -t nat -A OUTPUT -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_NAT_OUTPUT_131_ICMP: "

iptables -t mangle -A INPUT -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_mangle_INPUT_131_ICMP: "

iptables -t mangle -A OUTPUT -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_mangle_OUTPUT_131_ICMP: "

iptables -t mangle -A FORWARD -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_mangle_FORWARD_131_ICMP: "

 

iptables -t mangle -I PREROUTING -m mark --mark 0x5a -j LOG --log-prefix="IPT_MANGLE_PRER_EBT_INPUTMARK"

 

ebtables -t broute -I BROUTING -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_BROUTING_131_ICMP: "

ebtables -t nat -I PREROUTING -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_PREROUTING_131_ICMP: "

ebtables -t nat -I POSTROUTING -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_POSTROUTING_131_ICMP: "

ebtables -t nat -I OUTPUT -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_OUTPUT_131_ICMP: "

 

ebtables -I FORWARD -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_FORWARD_131_ICMP: "

ebtables -I INPUT -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_INPUT_131_ICMP: "

ebtables -I OUTPUT -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_OUTPUT_131_ICMP: "

 

ebtables -I INPUT -p IPv4 --ip-src 192.168.1.131 --ip-proto icmp --log-level info --log-prefix "" -j mark --mark-set 0x5a --mark-target CONTINUE

 

 

iptables -t mangle -L

iptables -t nat -L

iptables -t filter -L

 

ebtables -t broute -L

ebtables -t filter -L

ebtables -t nat -L

sysctl -w net.bridge.bridge-nf-call-iptables=0

ping 192.168.1.1

When the connection-tracking table has no entry for this flow, the log is as follows:

EBT_BROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_FORWARD_131_ICMP:  IN=ath0.0 OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_POSTROUTING_131_ICMP:  IN= OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

 

When the connection-tracking table already has an entry for this flow, the log is as follows (identical):

EBT_BROUTING_131_ICMP:  IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_FORWARD_131_ICMP:  IN=ath1.0 OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_POSTROUTING_131_ICMP:  IN= OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

This matches the Netfilter flow diagram (the iptables hook points on the Netfilter path are not executed).

 

ping 192.168.1.130

When the connection-tracking table has no entry for this flow, the log is as follows (one extra line, IPT_NAT_PRER_131_ICMP):

EBT_BROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

 IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800

EBT_INPUT_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

IPT_MANGLE_PRER_EBT_INPUTMARKIN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19538 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a

IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19538 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a

IPT_NAT_PRER_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19538 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a

IPT_mangle_INPUT_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19538 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a

IPT_FILTER_INPUT_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19538 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a

 

When the connection-tracking table already has an entry for this flow, the log is as follows:

 

EBT_BROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

 IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800

EBT_INPUT_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

IPT_MANGLE_PRER_EBT_INPUTMARKIN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19540 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2549 MARK=0x5a

IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19540 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2549 MARK=0x5a

IPT_mangle_INPUT_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19540 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2549 MARK=0x5a

IPT_FILTER_INPUT_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19540 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2549 MARK=0x5a

This does not match the Netfilter flow diagram.

 

sysctl -w net.bridge.bridge-nf-call-iptables=1

 

ping 192.168.1.1

When the connection-tracking table already has an entry for this flow, the log is as follows:

EBT_BROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath0.0 MAC=00:21:29:b6:b9:65:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14516 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2528

EBT_FORWARD_131_ICMP:  IN=ath0.0 OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

IPT_mangle_FORWARD_131_ICMP: IN=br-lan0 OUT=br-lan0 PHYSIN=ath0.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14516 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2528

IPT_FILTER_FORWARD_131_ICMP: IN=br-lan0 OUT=br-lan0 PHYSIN=ath0.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14516 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2528

EBT_POSTROUTING_131_ICMP:  IN= OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 PHYSIN=ath0.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14516 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2528

 

When the connection-tracking table has no entry for this flow, the log is as follows (two extra lines, IPT_NAT_PRER_131_ICMP and IPT_NAT_POSTR_131_ICMP):

EBT_BROUTING_131_ICMP:  IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath1.0 MAC=00:21:29:b6:b9:65:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14569 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530

IPT_NAT_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath1.0 MAC=00:21:29:b6:b9:65:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14569 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530

EBT_FORWARD_131_ICMP:  IN=ath1.0 OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

IPT_mangle_FORWARD_131_ICMP: IN=br-lan0 OUT=br-lan0 PHYSIN=ath1.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14569 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530

IPT_FILTER_FORWARD_131_ICMP: IN=br-lan0 OUT=br-lan0 PHYSIN=ath1.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14569 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530

EBT_POSTROUTING_131_ICMP:  IN= OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 PHYSIN=ath1.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14569 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530

IPT_NAT_POSTR_131_ICMP: IN= OUT=br-lan0 PHYSIN=ath1.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14569 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530

This matches the Netfilter flow diagram.

 

ping 192.168.1.130

 

When the connection-tracking table already has an entry for this flow, the log is as follows:

EBT_BROUTING_131_ICMP:  IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath1.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14588 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2535

EBT_INPUT_131_ICMP:  IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

IPT_mangle_INPUT_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath1.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14588 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2535

IPT_FILTER_INPUT_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath1.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14588 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2535

 

When the connection-tracking table has no entry for this flow, the log is as follows (one extra line, IPT_NAT_PRER_131_ICMP):

EBT_BROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath0.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14495 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2521

IPT_NAT_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath0.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14495 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2521

EBT_INPUT_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

IPT_mangle_INPUT_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath0.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14495 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2521

IPT_FILTER_INPUT_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath0.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14495 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2521

This matches the Netfilter flow diagram.

 

Test traffic sent from the AP to the STA

 

 

 

firewall-rules stop

 

 

iptables -t mangle -A PREROUTING -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_MANGLE_PRER_131_ICMP: "

iptables -t nat -A PREROUTING -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_NAT_PRER_131_ICMP: "

iptables -t mangle -A POSTROUTING -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_MANGLE_POSTR_131_ICMP: "

iptables -t nat -A POSTROUTING -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_NAT_POSTR_131_ICMP: "

iptables -t filter -A INPUT -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_FILTER_INPUT_131_ICMP: "

iptables -t filter -A OUTPUT -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_FILTER_OUTPUT_131_ICMP: "

iptables -t filter -A FORWARD -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_FILTER_FORWARD_131_ICMP: "

iptables -t nat -A OUTPUT -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_NAT_OUTPUT_131_ICMP: "

iptables -t mangle -A INPUT -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_mangle_INPUT_131_ICMP: "

iptables -t mangle -A OUTPUT -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_mangle_OUTPUT_131_ICMP: "

iptables -t mangle -A FORWARD -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_mangle_FORWARD_131_ICMP: "

 

 

 

ebtables -t broute -I BROUTING -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_BROUTING_131_ICMP: "

ebtables -t nat -I PREROUTING -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_PREROUTING_131_ICMP: "

ebtables -t nat -I POSTROUTING -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_POSTROUTING_131_ICMP: "

ebtables -t nat -I OUTPUT -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_NAT_OUTPUT_131_ICMP: "

 

ebtables -I FORWARD -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_FORWARD_131_ICMP: "

ebtables -I INPUT -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_INPUT_131_ICMP: "

ebtables -I OUTPUT -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_OUTPUT_131_ICMP: "

 

iptables -t mangle -L

iptables -t nat -L

iptables -t filter -L

 

ebtables -t broute -L

ebtables -t filter -L

ebtables -t nat -L
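The STA -> AP rule set (the commands after "Prepare the netfilter environment") and the AP -> STA set just above are the same eleven iptables and seven ebtables LOG rules with the direction flipped from -s/--ip-src to -d/--ip-dst. The script below is an added example, not code from the original post: it generates, and can later delete, the whole set from one host address and direction, and with DRY_RUN=1 prints the commands instead of executing them so they can be reviewed before touching a live firewall. The function and variable names (hook_trace_rules, run, DRY_RUN) and the prefix scheme T_IPT_<table>_<chain> / T_EBT_<table>_<chain> are this example's own choices; the 29-character cap on --log-prefix is the one iptables and ebtables enforce.

```shell
#!/bin/sh
# Added example (not from the original post): build or remove the per-hook LOG
# rules that trace one host's ICMP through every ebtables and iptables hook.
# Usage: hook_trace_rules add|del -s|-d <ip> [tag]   (tag defaults to "T")
# DRY_RUN=1 prints each command instead of executing it.

# run: execute a command, or print it (quoted) when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        out=
        for a in "$@"; do
            case $a in *' '*) out="$out '$a'" ;; *) out="$out $a" ;; esac
        done
        printf '%s\n' "${out# }"
        return 0
    fi
    "$@"
}

hook_trace_rules() {
    action=$1 dir=$2 ip=$3 tag=${4:-T}
    case $action in
        add) op=-A ;;
        del) op=-D ;;   # -D needs the identical rule spec, hence one generator for both
        *)   echo "action must be add or del" >&2; return 2 ;;
    esac
    case $dir in
        -s) ebt_dir=--ip-src ;;   # frames sent by the host
        -d) ebt_dir=--ip-dst ;;   # frames sent to the host
        *)  echo "direction must be -s or -d" >&2; return 2 ;;
    esac
    # iptables and ebtables both reject a --log-prefix longer than 29 characters;
    # the longest prefix generated here is tag + 25 characters, so cap the tag at 4.
    [ ${#tag} -le 4 ] || { echo "tag '$tag' too long (max 4)" >&2; return 2; }

    # IP layer: every table/chain pair an IPv4 packet can pass through.
    for pair in mangle:PREROUTING nat:PREROUTING mangle:INPUT filter:INPUT \
                mangle:FORWARD filter:FORWARD mangle:OUTPUT nat:OUTPUT filter:OUTPUT \
                mangle:POSTROUTING nat:POSTROUTING; do
        table=${pair%%:*} chain=${pair#*:}
        run iptables -t "$table" "$op" "$chain" "$dir" "$ip" -p icmp \
            -j LOG --log-prefix "${tag}_IPT_${table}_${chain}: "
    done
    # Bridge layer: broute BROUTING, nat PREROUTING/OUTPUT/POSTROUTING, filter INPUT/FORWARD/OUTPUT.
    for pair in broute:BROUTING nat:PREROUTING filter:INPUT filter:FORWARD \
                nat:OUTPUT filter:OUTPUT nat:POSTROUTING; do
        table=${pair%%:*} chain=${pair#*:}
        run ebtables -t "$table" "$op" "$chain" -p ipv4 --ip-proto icmp "$ebt_dir" "$ip" \
            --log-level info --log-ip --log-prefix "${tag}_EBT_${table}_${chain}: "
    done
}
```

On the AP, run `hook_trace_rules add -s 192.168.1.131` after `firewall-rules stop` as the post does, reproduce the traffic, and then `hook_trace_rules del -s 192.168.1.131` removes exactly the rules that were added; because `-D` must be given the identical rule specification, add and del deliberately share one generator rather than flushing the tables.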

 

 

sysctl -w net.bridge.bridge-nf-call-iptables=0

ping 192.168.1.131

 

When the connection-tracking table already has an entry for this flow, the log is as follows:

IPT_mangle_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_NAT_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_FILTER_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_NAT_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

EBT_NAT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_POSTROUTING_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

 

When the connection-tracking table has no entry for this flow, the log is as follows (no difference):

IPT_mangle_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_NAT_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_FILTER_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_NAT_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

EBT_NAT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_POSTROUTING_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

This matches the Netfilter flow diagram.

 

sysctl -w net.bridge.bridge-nf-call-iptables=1

ping 192.168.1.131

When the connection-tracking table already has an entry for this flow, the log is as follows:

IPT_mangle_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_NAT_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_FILTER_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_NAT_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

EBT_NAT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_POSTROUTING_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

 

 

When the connection-tracking table has no entry for this flow, the log is as follows (identical):

IPT_mangle_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_NAT_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_FILTER_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_NAT_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

EBT_NAT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_POSTROUTING_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

 

This matches the Netfilter flow diagram.
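Every run above is read the same way: the LOG prefixes, in the order they appear, are the hook path of one packet, and the presence of the nat-table lines tells whether that packet opened a new conntrack entry (the nat chains are consulted only for the first packet of a connection, which is why IPT_NAT_PRER and IPT_NAT_POSTR disappear once the flow is tracked). The script below is an added example and not part of the original post: hook_path turns a block of LOG lines into that path and classify_path names what it shows. The four sample logs are constructed from the post's own lines (same prefixes, addresses and interfaces) and are not new captures; the function names and the layer:table:chain token format are this example's own, and a rule logged with an empty --log-prefix, like the mark rule in the STA -> AP set, shows up as (unprefixed). The samples make explicit what the STA -> AP runs with bridge-nf-call-iptables=0 already show: the sysctl only takes iptables out of the bridged FORWARD path, while frames addressed to the bridge host itself still traverse the IP-layer PREROUTING and INPUT chains, so a filter policy on br-lan0 still applies to them.

```shell
#!/bin/sh
# Added example (not part of the original post): rebuild one packet's hook path
# from the LOG lines the tracing rules produce, then classify it. Assumes the
# post's prefix scheme (EBT_... / IPT_<table>_...) with the prefix before "IN=".

# hook_path: read LOG lines on stdin, print the hooks that fired, in order,
# as layer:table:chain tokens (table is "-" when the prefix does not name one).
hook_path() {
    awk '
    /IN=/ {
        p = $0
        sub(/IN=.*/, "", p)                     # keep the LOG prefix only
        sub(/.*kernel: */, "", p)               # strip syslog decoration, if any
        sub(/^\[[0-9. ]*\] */, "", p)           # strip a dmesg timestamp, if any
        gsub(/^[ \t]+|[: \t]+$/, "", p)
        if (p == "") tok = "(unprefixed)"       # rule logged with an empty prefix
        else {
            u = toupper(p); n = split(u, f, "_")
            layer = (f[1] == "EBT") ? "ebt" : (f[1] == "IPT") ? "ipt" : "?"
            table = "-"
            if (n > 1 && (f[2] == "NAT" || f[2] == "MANGLE" || f[2] == "FILTER" || f[2] == "BROUTE"))
                table = tolower(f[2])
            if      (index(u, "PRER"))     chain = "PREROUTING"   # also the PRER shorthand
            else if (index(u, "POSTR"))    chain = "POSTROUTING"  # also the POSTR shorthand
            else if (index(u, "BROUTING")) chain = "BROUTING"
            else if (index(u, "FORWARD"))  chain = "FORWARD"
            else if (index(u, "INPUT"))    chain = "INPUT"
            else if (index(u, "OUTPUT"))   chain = "OUTPUT"
            else                           chain = "?"
            tok = layer ":" table ":" chain
        }
        if (tok != last) out = out " " tok      # two LOG rules in one chain count once
        last = tok
    }
    END { sub(/^ /, "", out); print out }'
}

# classify_path "<path>": name what the hook sequence shows.
classify_path() {
    p=" $1 "
    ipt=no; case "$p" in *" ipt:"*) ipt=yes ;; esac
    nat=no; case "$p" in *" ipt:nat:"*) nat=yes ;; esac   # nat chains see only a connection's first packet
    case "$p" in
        *":FORWARD "*)        kind=bridged ;;        # frame switched between two bridge ports
        *" ebt:"*":INPUT "*)  kind=local-delivery ;; # frame handed to the bridge host's own IP stack
        " ipt:"*":OUTPUT "*)  kind=local-origin ;;   # packet generated by the bridge host
        *)                    kind=unknown ;;
    esac
    echo "$kind iptables=$ipt nat=$nat"
}

# Constructed sample logs, modelled on the post's lines (not real captures).
sample_sta_to_gw_nf0() { cat <<'EOF'
EBT_BROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1
EBT_PREROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1
EBT_FORWARD_131_ICMP:  IN=ath0.0 OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1
EBT_POSTROUTING_131_ICMP:  IN= OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1
EOF
}
sample_sta_to_ap_nf0() { cat <<'EOF'
EBT_BROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130
EBT_PREROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130
 IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800
EBT_INPUT_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130
IPT_MANGLE_PRER_EBT_INPUTMARKIN=br-lan0 OUT= SRC=192.168.1.131 DST=192.168.1.130 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a
IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= SRC=192.168.1.131 DST=192.168.1.130 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a
IPT_NAT_PRER_131_ICMP: IN=br-lan0 OUT= SRC=192.168.1.131 DST=192.168.1.130 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a
IPT_mangle_INPUT_131_ICMP: IN=br-lan0 OUT= SRC=192.168.1.131 DST=192.168.1.130 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a
IPT_FILTER_INPUT_131_ICMP: IN=br-lan0 OUT= SRC=192.168.1.131 DST=192.168.1.130 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a
EOF
}
sample_sta_to_gw_nf1_new() { cat <<'EOF'
EBT_BROUTING_131_ICMP:  IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1
EBT_PREROUTING_131_ICMP:  IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1
IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath1.0 SRC=192.168.1.131 DST=192.168.1.1 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530
IPT_NAT_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath1.0 SRC=192.168.1.131 DST=192.168.1.1 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530
EBT_FORWARD_131_ICMP:  IN=ath1.0 OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1
IPT_mangle_FORWARD_131_ICMP: IN=br-lan0 OUT=br-lan0 PHYSIN=ath1.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530
IPT_FILTER_FORWARD_131_ICMP: IN=br-lan0 OUT=br-lan0 PHYSIN=ath1.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530
EBT_POSTROUTING_131_ICMP:  IN= OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1
IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 PHYSIN=ath1.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530
IPT_NAT_POSTR_131_ICMP: IN= OUT=br-lan0 PHYSIN=ath1.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530
EOF
}
sample_ap_to_sta() { cat <<'EOF'
IPT_mangle_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0
IPT_NAT_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0
IPT_FILTER_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0
IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0
IPT_NAT_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0
EBT_NAT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131
EBT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131
EBT_POSTROUTING_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131
EOF
}
```

On a live AP, feed the lines belonging to one packet (from dmesg or the syslog; the decorations before the prefix are stripped) into hook_path, then pass the result to classify_path; the sample functions show the four paths the post observed: bridged with no iptables hooks, local delivery that still hits PREROUTING and INPUT despite bridge-nf-call-iptables=0, bridged with the full iptables path and nat (a new connection), and locally generated traffic.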

 



